new secrets management system

2025-07-05 15:00:14 +00:00 · 2022-10-16 01:32:39 +00:00
parent e2c351098b
commit 69a54b99c8
8 changed files with 188 additions and 43 deletions
--- a/apps/encrypt-secret.nix
+++ b/apps/encrypt-secret.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+
+  # nix run github:nmasur/dotfiles#encrypt-secret > private/mysecret.age
+
+  type = "app";
+
+  program = builtins.toString (pkgs.writeShellScript "encrypt-secret" ''
+    printf "\nEnter the secret data to encrypt for all hosts...\n\n" 1>&2
+    read -p "Secret: " secret
+    printf "\nEncrypting...\n\n" 1>&2
+    tmpfile=$(mktemp)
+    echo "''${secret}" > ''${tmpfile}
+    ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
+      builtins.toString ../hosts/public-keys
+    } $tmpfile
+    rm $tmpfile
+  '');
+
+}
--- a/apps/reencrypt-secrets.nix
+++ b/apps/reencrypt-secrets.nix
@ -0,0 +1,27 @@
+{ pkgs, ... }: {
+
+  # nix run github:nmasur/dotfiles#reencrypt-secrets ./private
+
+  type = "app";
+
+  program = builtins.toString (pkgs.writeShellScript "reencrypt-secrets" ''
+    if [ $# -eq 0 ]; then
+      echo "Must provide directory to reencrypt."
+      exit 1
+    fi
+    encrypted=$1
+    for encryptedfile in ''${1}/*; do
+      tmpfile=$(mktemp)
+      echo "Decrypting ''${encryptedfile}..."
+      ${pkgs.age}/bin/age --decrypt \
+        --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
+      echo "Encrypting ''${encryptedfile}..."
+      ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
+        builtins.toString ../hosts/public-keys
+      } $tmpfile > $encryptedfile
+      rm $tmpfile
+    done
+    echo "Finished."
+  '');
+
+}