author | Franck Cuny <franck@fcuny.net> | 2023-03-10 18:12:25 -0800 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2023-03-10 18:20:21 -0800 |
commit | 09d4ea8429b93093f120de109134e33cfd279e68 (patch) | |
tree | 1630eeafec054330aa6ffa9b71fd2329b24f70d1 /docs | |
parent | hosts/tahoe: delete unused secrets (diff) | |
download | world-09d4ea8429b93093f120de109134e33cfd279e68.tar.gz |
documentation: clean up
Delete gnome's keyring documentation, I will not be using it anymore, so no need to keep this around. Add documentation about how to manage secrets, and clean up wireguard's documentation.
Diffstat (limited to 'docs')
-rw-r--r-- | docs/gnome-keyring.org | 66 | ||||
-rw-r--r-- | docs/secrets.org | 29 | ||||
-rw-r--r-- | docs/wireguard.org | 2 |
3 files changed, 29 insertions, 68 deletions
diff --git a/docs/gnome-keyring.org b/docs/gnome-keyring.org deleted file mode 100644 index 35480e5..0000000 --- a/docs/gnome-keyring.org +++ /dev/null 
@@ -1,66 +0,0 @@ -#+TITLE: gnome-keyring-daemon setup - -It seems that there's a lot of hate for the =gnome-keyring-daemon= online, so I might be missing something. But on my end, it seems to simplifies a few things and there are no more prompt when I log into my session about various keys. - -* gnome-keyring-daemon -It looks like we need to install a few packages: -- =gnome-keyring= -- =seahorse= - -There is a [[file:~/workspace/linux-desktop/systemd/gnome-keyring.service][unit]] that ensure it starts when we log in a session. - -Using =seahorse=, we can see which secrets / keys are managed by it. - -Additional documentations: -- [[https://wiki.archlinux.org/title/GNOME/Keyring][arch wiki]] -* PGP -** Unlocking the key -The keyring daemon unlocks the key for us. -** Backup the key -To backup the key, do -#+begin_src sh -gpg --export-secret-keys --armor franck@fcuny.net > ~/documents/backups/gpg-secret-key-backup.asc -#+end_src - -To see the list of keys: -#+begin_src sh :results verbatim raw -gpg --list-secret-keys -#+end_src - -#+RESULTS: -/home/fcuny/.gnupg/pubring.kbx ------------------------------- -sec rsa4096 2021-09-13 [SC] - 23348B57F01D4234B5CFBA0923208AC01EB6EEA1 -uid [ultimate] Franck Cuny <franck@fcuny.net> -ssb rsa4096 2021-09-13 [E] - -To export the trusted keys: -#+begin_src sh -gpg --export-ownertrust > ~/documents/backups/gpg-trusteddb-backup.txt -#+end_src - -** Restore the key -To restore the key from the backup -#+begin_src sh -gpg --import ~/documents/backups/gpg-secret-key-backup.asc -#+end_src - -To restore the trusted db: -#+begin_src sh -gpg --import-ownertrust < ~/documents/backups/gpg-trusteddb-backup.txt -#+end_src - -If you don't import the trusted db you need to set your key as trusted -#+begin_src -gpg --edit-key franck@fcuny.net -gpg> trust -gpg> save -#+end_src -** Configuration for the agent -In =$HOME/.gnupg/gpg-agent.conf= -#+begin_src conf -pinentry-program /usr/bin/pinentry-gnome3 -#+end_src -* SSH -As the keyring daemon 
manages our ssh key, all we need to do is to export =SSH_AUTH_SOCK= to where the socket started by the daemon is. This is done in [[file:~/workspace/linux-desktop/dotfiles/pam_environment][pam_environment]]. diff --git a/docs/secrets.org b/docs/secrets.org new file mode 100644 index 0000000..5c350e0 --- /dev/null +++ b/docs/secrets.org @@ -0,0 +1,29 @@ +#+TITLE: Secrets + +* secrets +** system +Secrets at the system level are managed by [[https://github.com/ryantm/agenix][agenix]]. The secrets are encrypted with a couple of =age= keys. I do not use ssh keys to encrypt the secrets. Instead, I do the following: +- each system has a key for the user root, and the secrets for that host are encoded with it as a recipient +- on each workstation, my user (=fcuny=) has a key and the secrets for all the hosts are encrypted with it as a recipient +- in addition, I've a backup key stored on a USB device, and I used its public key to encrypt all the secrets with it + +These keys are backed up on an external USB device and in passage. When re-provisioning a host, the keys are restored from the USB device or from passage itself. + +When provisioning a new host, a key for root (and my user if it's a workstation) is created and stored on the USB device and in passage. +*** add a new secret +#+begin_src sh +nix run github:ryantm/agenix -- -i ~/.age/key.txt -e sendsms/sendsms.age +#+end_src +*** re-key secrets +#+begin_src sh +nix run github:ryantm/agenix -- -i ~/.age/key.txt -r +#+end_src +** home-manager +Nothing for now. +** passage +I use [[https://github.com/FiloSottile/passage][passage]] to store passwords locally. The content of the store is pushed to a remote git repository, and I synchronized the store regularly to the USB device. +* misc +** GPG +nop nop nop nop nop +** keyring +I don't need one anymore. diff --git a/docs/wireguard.org b/docs/wireguard.org index 456205f..154c159 100644 --- a/docs/wireguard.org +++ b/docs/wireguard.org 
@@ -1,8 +1,6 @@ #+TITLE: Configuration for wireguard * Creating the keys -Create a directory with the hostname under =secrets/network/=. - We need a key for the host: #+begin_src sh (umask 0077; wg genkey > peer_A.key) |
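Review bot: deleting docs/gnome-keyring.org also removes its "* PGP" section, which is not specific to the keyring daemon: the backup steps (gpg --export-secret-keys, gpg --export-ownertrust), the restore steps (gpg --import, gpg --import-ownertrust) and the pinentry-program line for gpg-agent.conf. The "** GPG" entry added in docs/secrets.org holds only placeholder text, so this procedure is no longer documented anywhere in docs. If the GPG key is still in use, move the backup and restore steps under that heading; if it is retired, say so in the commit message, which mentions only the keyring. The removed "* SSH" section also records that SSH_AUTH_SOCK is exported to the daemon's socket through pam_environment. That file is outside this diffstat (limited to 'docs'), so confirm it no longer points at the keyring socket.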
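Review bot: in docs/secrets.org, "*** re-key secrets" gives only the command and does not connect it to the provisioning paragraph above it, which says a new root key is created for a new host. Add a sentence saying when re-keying is required (new host key, new workstation key, replaced backup key) and how the new public key becomes a recipient before the -r run. Both commands pass -i ~/.age/key.txt without saying which of the three keys described in the list that identity is (root, fcuny or the USB backup), so name it. Smaller points in the same hunk: "encoded with it as a recipient" in the first bullet should read "encrypted", matching the other two bullets; "I synchronized the store regularly" should be present tense; and the "nop nop nop nop nop" body under "** GPG" reads as unfinished documentation and is better replaced with a one-line statement or dropped.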
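Review bot: in docs/wireguard.org, removing "Create a directory with the hostname under =secrets/network/=." leaves "(umask 0077; wg genkey > peer_A.key)" with no statement of where to run it, so the private key is written to whatever the current directory is. Replace the deleted sentence rather than only dropping it: say where the key file should be generated and how it then gets stored, for example by pointing to the agenix workflow in the new docs/secrets.org if that is where WireGuard keys now live.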