-rw-r--r--  docs/gnome-keyring.org | 66
-rw-r--r--  docs/secrets.org       | 29
-rw-r--r--  docs/wireguard.org     |  2
3 files changed, 29 insertions, 68 deletions
diff --git a/docs/gnome-keyring.org b/docs/gnome-keyring.org
deleted file mode 100644
index 35480e5..0000000
--- a/docs/gnome-keyring.org
+++ /dev/null
@@ -1,66 +0,0 @@
-#+TITLE: gnome-keyring-daemon setup
-
-It seems that there's a lot of hate for the =gnome-keyring-daemon= online, so I might be missing something. But on my end, it seems to simplifies a few things and there are no more prompt when I log into my session about various keys.
-
-* gnome-keyring-daemon
-It looks like we need to install a few packages:
-- =gnome-keyring=
-- =seahorse=
-
-There is a [[file:~/workspace/linux-desktop/systemd/gnome-keyring.service][unit]] that ensure it starts when we log in a session.
-
-Using =seahorse=, we can see which secrets / keys are managed by it.
-
-Additional documentations:
-- [[https://wiki.archlinux.org/title/GNOME/Keyring][arch wiki]]
-* PGP
-** Unlocking the key
-The keyring daemon unlocks the key for us.
-** Backup the key
-To backup the key, do
-#+begin_src sh
-gpg --export-secret-keys --armor franck@fcuny.net > ~/documents/backups/gpg-secret-key-backup.asc
-#+end_src
-
-To see the list of keys:
-#+begin_src sh :results verbatim raw
-gpg --list-secret-keys
-#+end_src
-
-#+RESULTS:
-/home/fcuny/.gnupg/pubring.kbx
-------------------------------
-sec   rsa4096 2021-09-13 [SC]
-      23348B57F01D4234B5CFBA0923208AC01EB6EEA1
-uid           [ultimate] Franck Cuny <franck@fcuny.net>
-ssb   rsa4096 2021-09-13 [E]
-
-To export the trusted keys:
-#+begin_src sh
-gpg --export-ownertrust > ~/documents/backups/gpg-trusteddb-backup.txt
-#+end_src
-
-** Restore the key
-To restore the key from the backup
-#+begin_src sh
-gpg --import ~/documents/backups/gpg-secret-key-backup.asc
-#+end_src
-
-To restore the trusted db:
-#+begin_src sh
-gpg --import-ownertrust < ~/documents/backups/gpg-trusteddb-backup.txt
-#+end_src
-
-If you don't import the trusted db you need to set your key as trusted
-#+begin_src
-gpg --edit-key franck@fcuny.net
-gpg> trust
-gpg> save
-#+end_src
-** Configuration for the agent
-In =$HOME/.gnupg/gpg-agent.conf=
-#+begin_src conf
-pinentry-program /usr/bin/pinentry-gnome3
-#+end_src
-* SSH
-As the keyring daemon manages our ssh key, all we need to do is to export =SSH_AUTH_SOCK= to where the socket started by the daemon is. This is done in [[file:~/workspace/linux-desktop/dotfiles/pam_environment][pam_environment]].
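Review bot: deleting docs/gnome-keyring.org drops the only written-down GPG key backup and restore procedure (the `gpg --export-secret-keys --armor`, `gpg --export-ownertrust`, `gpg --import` and `gpg --import-ownertrust` steps plus the `gpg --edit-key ... trust` fallback) and the `pinentry-program /usr/bin/pinentry-gnome3` setting for `gpg-agent.conf`, while the file added in the same commit only carries a placeholder under its GPG heading. Suggest moving those commands into the GPG section of docs/secrets.org before removing this file. While they are being moved, note that the armored secret key lands unencrypted in `~/documents/backups/`; a sentence on where that export is meant to end up (the USB device or passage store the new doc describes) would make the backup story consistent.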
diff --git a/docs/secrets.org b/docs/secrets.org
new file mode 100644
index 0000000..5c350e0
--- /dev/null
+++ b/docs/secrets.org
@@ -0,0 +1,29 @@
+#+TITLE: Secrets
+
+* secrets
+** system
+Secrets at the system level are managed by [[https://github.com/ryantm/agenix][agenix]]. The secrets are encrypted with a couple of =age= keys. I do not use ssh keys to encrypt the secrets. Instead, I do the following:
+- each system has a key for the user root, and the secrets for that host are encoded with it as a recipient
+- on each workstation, my user (=fcuny=) has a key and the secrets for all the hosts are encrypted with it as a recipient
+- in addition, I've a backup key stored on a USB device, and I used its public key to encrypt all the secrets with it
+
+These keys are backed up on an external USB device and in passage. When re-provisioning a host, the keys are restored from the USB device or from passage itself.
+
+When provisioning a new host, a key for root (and my user if it's a workstation) is created and stored on the USB device and in passage.
+*** add a new secret
+#+begin_src sh
+nix run github:ryantm/agenix -- -i ~/.age/key.txt -e sendsms/sendsms.age
+#+end_src
+*** re-key secrets
+#+begin_src sh
+nix run github:ryantm/agenix -- -i ~/.age/key.txt -r
+#+end_src
+** home-manager
+Nothing for now.
+** passage
+I use [[https://github.com/FiloSottile/passage][passage]] to store passwords locally. The content of the store is pushed to a remote git repository, and I synchronized the store regularly to the USB device.
+* misc
+** GPG
+nop nop nop nop nop
+** keyring
+I don't need one anymore.
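Review bot: the GPG subsection ships as a placeholder (`nop nop nop nop nop`); either fill it in, ideally with the backup and restore commands this commit deletes from docs/gnome-keyring.org, or drop the heading until there is content. In the key-layout list, "encoded with it as a recipient" should read "encrypted", "I used its public key" should be present tense like the other two items, and "a couple of =age= keys" introduces a list of three. In the passage paragraph, "I synchronized the store regularly" should be "I synchronize". Two substantive points: state which identity unlocks the passage store, because if it is one of the age keys listed here then the copy of those keys kept "in passage" cannot be recovered without the USB device, and "restored from the USB device or from passage itself" overstates the redundancy; and both `nix run github:ryantm/agenix -- ...` invocations fetch an unpinned flake ref, so consider pinning a revision (or using the agenix input already in the flake) so the tool that handles the identity file is not whatever the upstream default branch happens to be.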
diff --git a/docs/wireguard.org b/docs/wireguard.org
index 456205f..154c159 100644
--- a/docs/wireguard.org
+++ b/docs/wireguard.org
@@ -1,8 +1,6 @@
 #+TITLE: Configuration for wireguard
 
 * Creating the keys
-Create a directory with the hostname under =secrets/network/=.
-
 We need a key for the host:
 #+begin_src sh
 (umask 0077; wg genkey > peer_A.key)
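Review bot: with "Create a directory with the hostname under =secrets/network/=" removed, the section no longer says where `peer_A.key` should go; the remaining `(umask 0077; wg genkey > peer_A.key)` writes it into the current directory. Add a sentence naming the new destination (presumably the agenix-managed secrets described in docs/secrets.org, added in this commit) so the private key is not left behind in a working directory after the host is provisioned.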