From aae83a73f0cd185f0f0bf248f94d74ee24ebc5cd Mon Sep 17 00:00:00 2001 From: virchau13 Date: Sun, 21 Nov 2021 23:06:34 +0800 Subject: [PATCH] docs: fix more grammar --- README.md | 212 +++++++++++++++++++++++++----------------------------- 1 file changed, 98 insertions(+), 114 deletions(-) diff --git a/README.md b/README.md index c2c333f..bfb3edf 100644 --- a/README.md +++ b/README.md @@ -7,19 +7,21 @@ Atomic, declarative, and reproducible secret provisioning for NixOS based on [so ## How it works Secrets are decrypted from [`sops` files](https://github.com/mozilla/sops#2usage) during -activation time. The secrets are access-controlled by by full declarative configuration of their users, permissions, and groups. -It can use `age`, GPG, or SSH keys for decryption. -In the future, we will also support cloud key management APIs such as AWS -KMS, GCP KMS, Azure Key Vault and Hashicorp Vault. +activation time. The secrets are stored as one secret per file and access-controlled by full declarative configuration of their users, permissions, and groups. +GPG keys or `age` keys can be used for decryption, and compatibility shims are supported to enable the use of SSH RSA or SSH Ed25519 keys. +Sops also supports cloud key management APIs such as AWS +KMS, GCP KMS, Azure Key Vault and Hashicorp Vault. While not +officially supported by sops-nix yet, these can be controlled using +environment variables that can be passed to sops. ## Features - Compatible with all NixOS deployment frameworks: [NixOps](https://github.com/NixOS/nixops), nixos-rebuild, [krops](https://github.com/krebs/krops/), [morph](https://github.com/DBCDK/morph), [nixus](https://github.com/Infinisil/nixus), etc. -- Version-control friendly: Since all files are encrypted they can directly committed to version control without worry. Diffs of the secrets are readable, and [can be shown in cleartext](https://github.com/mozilla/sops#showing-diffs-in-cleartext-in-git). +- Version-control friendly: Since all files are encrypted they can be directly committed to version control without worry. Diffs of the secrets are readable, and [can be shown in cleartext](https://github.com/mozilla/sops#showing-diffs-in-cleartext-in-git). - CI friendly: Since sops files can be added to the Nix store without leaking secrets, a machine definition can be built as a whole from a repository, without needing to rely on external secrets or services. -- Works well in teams: sops-nix comes with `nix-shell` hooks that allows multiple people to quickly import all keys. +- Works well in teams: sops-nix comes with `nix-shell` hooks that allows multiple people to quickly import all GPG keys. The cryptography used in sops is designed to be scalable: Secrets are only encrypted once with a master key - instead of each machine/developer key. + instead of encrypted per machine/developer key. - Atomic upgrades: New secrets are written to a new directory which replaces the old directory atomically. - Rollback support: If sops files are added to the Nix store, old secrets can be rolled back. This is optional. - Fast time-to-deploy: Unlike solutions implemented by NixOps, krops and morph, no extra steps are required to upload secrets. @@ -32,83 +34,24 @@ There is a `configuration.nix` example in the [deployment step](#deploy-example) ## Supported encryption methods -sops-nix supports two basic ways of encryption, GPG and age. +sops-nix supports two basic ways of encryption, GPG and `age`. GPG is based on [GnuPG](https://gnupg.org/) and encrypts against GPG public keys. Private GPG keys may be used to decrypt the secrets on the target machine. The tool [`ssh-to-pgp`](https://github.com/Mic92/ssh-to-pgp) can be used to derive a GPG key from a SSH (host) key in RSA format. -The other method is age which is based on [age](https://github.com/FiloSottile/age). +The other method is `age` which is based on [`age`](https://github.com/FiloSottile/age). The tool ([`ssh-to-age`](https://github.com/Mic92/ssh-to-age)) can convert SSH host or user keys in Ed25519 -format to age keys. +format to `age` keys. ## Usage example
-1. Install nix-sops +1. Install sops-nix Choose one of the following methods: -#### [niv](https://github.com/nmattia/niv) (Current recommendation) - First add it to niv: - -```console -$ niv add Mic92/sops-nix -``` - - Then add the following to your `configuration.nix` in the `imports` list: - -```nix -{ - imports = [ "${(import ./nix/sources.nix).sops-nix}/modules/sops" ]; -} -``` - -#### nix-channel - - As root run: - -```console -$ nix-channel --add https://github.com/Mic92/sops-nix/archive/master.tar.gz sops-nix -$ nix-channel --update -``` - - Then add the following to your `configuration.nix` in the `imports` list: - -```nix -{ - imports = [ ]; -} -``` - -#### fetchTarball - - Add the following to your `configuration.nix`: - -``` nix -{ - imports = [ "${builtins.fetchTarball "https://github.com/Mic92/sops-nix/archive/master.tar.gz"}/modules/sops" ]; -} -``` - - or with pinning: - -```nix -{ - imports = let - # replace this with an actual commit id or tag - commit = "298b235f664f925b433614dc33380f0662adfc3f"; - in [ - "${builtins.fetchTarball { - url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz"; - # replace this with an actual hash - sha256 = "0000000000000000000000000000000000000000000000000000"; - }}/modules/sops" - ]; -} -``` - -#### Flakes +#### Flakes (current recommendation) If you use experimental nix flakes support: @@ -132,6 +75,65 @@ If you use experimental nix flakes support: } ``` +#### [`niv`](https://github.com/nmattia/niv) (recommended if not using flakes) + First add it to niv: + +```console +$ niv add Mic92/sops-nix +``` + + Then add the following to your `configuration.nix` in the `imports` list: + +```nix +{ + imports = [ "${(import ./nix/sources.nix).sops-nix}/modules/sops" ]; +} +``` + +#### `nix-channel` + + As root run: + +```console +$ nix-channel --add https://github.com/Mic92/sops-nix/archive/master.tar.gz sops-nix +$ nix-channel --update +``` + + Then add the following to your `configuration.nix` in the `imports` list: + +```nix +{ + imports = [ ]; +} +``` + +#### `fetchTarball` + + Add the following to your `configuration.nix`: + +``` nix +{ + imports = [ "${builtins.fetchTarball "https://github.com/Mic92/sops-nix/archive/master.tar.gz"}/modules/sops" ]; +} +``` + +or with pinning: + +```nix +{ + imports = let + # replace this with an actual commit id or tag + commit = "298b235f664f925b433614dc33380f0662adfc3f"; + in [ + "${builtins.fetchTarball { + url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz"; + # replace this with an actual hash + sha256 = "0000000000000000000000000000000000000000000000000000"; + }}/modules/sops" + ]; +} +``` +
@@ -161,7 +163,7 @@ $ nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i $HOME/.ssh/ $ nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i $HOME/.ssh/id_rsa -o $USER.asc" 2504791468b153b8a3963cc97ba53d1919c5dfd4 ``` -(Note that `ssh-to-pgp` currently only supports RSA keys.) +(Note that `ssh-to-pgp` only supports RSA keys; to use Ed25519 keys, use `age`.) If you get the following, ```console ssh-to-pgp: failed to parse private ssh key: ssh: this private key is passphrase protected @@ -174,18 +176,18 @@ $ nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i /tmp/id_rsa $ rm /tmp/id_rsa ``` -You can also use your existing SSH key as an age key. +You can also use an existing SSH Ed25519 key as an `age` key; to do so, see the following.
- How to find the age public key + How to find the public key of an `age` key -If you generated an age key, the age public key can be found via `age-keygen -y $PATH_TO_KEY`: +If you generated an `age` key, the `age` public key can be found via `age-keygen -y $PATH_TO_KEY`: ```console $ age-keygen -y ~/.config/sops/age/keys.txt age12zlz6lvcdk6eqaewfylg35w0syh58sm7gh53q5vvn7hd7c6nngyseftjxl ``` -Otherwise, you can convert an existing SSH key into an age public key: +Otherwise, you can convert an existing SSH key into an `age` public key: ```console $ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub" # or @@ -224,7 +226,7 @@ uid [ unknown] root The fingerprint here is `9F89C5F69A10281A835014B09C3DC61F752087EF`.
-Your age public key or GPG fingerprint can written to your [`.sops.yaml`](https://github.com/mozilla/sops#using-sops-YAML-conf-to-select-kms-pgp-for-new-files) in the root of your configuration directory or repository: +Your `age` public key or GPG fingerprint can written to your [`.sops.yaml`](https://github.com/mozilla/sops#using-sops-YAML-conf-to-select-kms-pgp-for-new-files) in the root of your configuration directory or repository: ```yaml # This example uses YAML anchors which allows reuse of multiple keys # without having to repeat yourself. @@ -247,9 +249,9 @@ creation_rules:
3. Get a public key for your target machine -The easiest way to add new machines is using SSH host keys (this requires OpenSSH to be enabled). +The easiest way to add new machines is by using SSH host keys (this requires OpenSSH to be enabled). -If you are using age, the `ssh-to-age` tool can be used to convert any SSH public key to the age format: +If you are using `age`, the `ssh-to-age` tool can be used to convert any SSH Ed25519 public key to the `age` format: ```console $ nix-shell -p ssh-to-age --run 'ssh-keyscan my-server.com | ssh-to-age' age1rgffpespcyjn0d8jglk7km9kfrfhdyev6camd3rck6pn8y47ze4sug23v3 @@ -257,8 +259,7 @@ $ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to- age1rgffpespcyjn0d8jglk7km9kfrfhdyev6camd3rck6pn8y47ze4sug23v3 ``` -For GPG, since sops does not natively support SSH keys yet, nix-sops supports a conversion tool (`ssh-to-pgp`) -to store them as GPG keys: +For GPG, since sops does not natively support SSH keys yet, sops-nix supports a conversion tool (`ssh-to-pgp`) to store them as GPG keys: ```console $ ssh root@server01 "cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o server01.asc" @@ -344,7 +345,7 @@ mkShell { # $ (unset GNUPGHOME; gpg --armor --export-secret-key 0000000000000000000000000000000000000000) | gpg --import #sopsCreateGPGHome = true; # To use a different directory for gpg dirs set sopsGPGHome - #sopsGPGHome = "${toString ./.}/../GnuPG"; + #sopsGPGHome = "${toString ./.}/../gnupg"; nativeBuildInputs = [ (pkgs.callPackage sops-nix {}).sops-import-keys-hook @@ -577,7 +578,7 @@ This logic respects units that prefer to be reloaded or not to be restarted at a ## Symlinks to other directories Some services might expect files in certain locations. -Using the `path` option as symlink to this directory can +Using the `path` option a symlink to this directory can be created: ```nix @@ -617,23 +618,7 @@ As users are not created yet, it's not possible to set an owner for these secret At the moment we support the following file formats: YAML, JSON, and binary. -NOTE: At the moment we do not support nested data structures that -sops support. This might change in the future. - -We support the following YAML: - -```yaml -key: 1 -``` - -but not: - -```yaml -nested: - key: 1 -``` - -nix-sops allows to specify multiple sops files in different file formats: +sops-nix allows specifying multiple sops files in different file formats: ```nix { @@ -641,7 +626,7 @@ nix-sops allows to specify multiple sops files in different file formats: # The default sops file used for all secrets can be controlled using `sops.defaultSopsFile` sops.defaultSopsFile = ./secrets.yaml; # If you use something different from YAML, you can also specify it here: - #sops.defaultSopsFormat = "YAML"; + #sops.defaultSopsFormat = "yaml"; sops.secrets.github_token = { # The sops file can be also overwritten per secret... sopsFile = ./other-secrets.json; @@ -659,11 +644,10 @@ Open a new file with sops ending in `.yaml`: $ sops secrets.yaml ``` -Than put in the following content: +Then, put in the following content: ```yaml github_token: 4a6c73f74928a9c4c4bc47379256b72e598e2bd3 -# multi-line strings in YAML start with an | ssh_key: | -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW @@ -680,9 +664,9 @@ You can include it like this in your `configuration.nix`: { sops.defaultSopsFile = ./secrets.yaml; # YAML is the default - #sops.defaultSopsFormat = "YAML"; + #sops.defaultSopsFormat = "yaml"; sops.secrets.github_token = { - format = "YAML"; + format = "yaml"; # can be also set per secret sopsFile = ./secrets.yaml; }; @@ -697,7 +681,7 @@ Open a new file with sops ending in `.json`: $ sops secrets.json ``` -Than put in the following content: +Then, put in the following content: ``` json { @@ -723,14 +707,14 @@ You can include it like this in your `configuration.nix`: ### Binary -Unlike the other two formats for binaries one file correspond to one secret. This format allows to encrypt an arbitrary binary format that can't be put into -JSON/YAML files. +JSON/YAML files. Unlike the other two formats, for binary files, one file corresponds to one secret. To encrypt an binary file use the following command: ``` console $ sops -e /tmp/krb5.keytab > krb5.keytab +# an example of what this might result in: $ head krb5.keytab { "data": "ENC[AES256_GCM,data:bIsPHrjrl9wxvKMcQzaAbS3RXCI2h8spw2Ee+KYUTsuousUBU6OMIdyY0wqrX3eh/1BUtl8H9EZciCTW29JfEJKfi3ackGufBH+0wp6vLg7r,iv:TlKiOmQUeH3+NEdDUMImg1XuXg/Tv9L6TmPQrraPlCQ=,tag:dVeVvRM567NszsXKK9pZvg==,type:str]", @@ -769,8 +753,8 @@ If you prefer having a separate GPG key, sops-nix also comes with a helper tool, ```console $ nix-shell -p sops-init-gpg-key $ sops-init-gpg-key --hostname server01 --gpghome /tmp/newkey -You can use the following command to save it to a file: -cat > server01.asc < server01.asc <