diff --git a/AGENTS.md b/AGENTS.md
index 92effa5..c8cc53b 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -122,7 +122,7 @@ New modules: pick the narrowest prefix that's true, then add the import explicit
 - **muffin**: identity is `/mnt/usb-secrets/usb-secrets-key` (ssh-ed25519 on a physical USB). Wired in `modules/usb-secrets.nix`.
 - **mreow + yarn**: identity is `/var/lib/agenix/tpm-identity` (an `age-plugin-tpm` handle sealed by the host's TPM 2.0). Wired in `modules/desktop-age-secrets.nix`; yarn persists `/var/lib/agenix` through impermanence.
 - **Recipients** are declared in `secrets/secrets.nix`. Desktop secrets are encrypted to the admin SSH key + each host's TPM recipient; server secrets stay encrypted to the muffin USB key.
-- **Bootstrap a new desktop**: run `doas scripts/bootstrap-desktop-tpm.sh` on the host. It generates a TPM-sealed identity at `/var/lib/agenix/tpm-identity` and prints an `age1tpm1…` recipient. Append it to the `tpm` list in `secrets/secrets.nix`, run `agenix -r` to re-encrypt, commit, `./deploy.sh switch`.
+- **Bootstrap a new desktop**: run `doas scripts/bootstrap-desktop-tpm.sh` on the host. It generates a TPM-sealed identity at `/var/lib/agenix/tpm-identity` and prints an `age1tag1…` recipient (legacy `age1tpm1…` recipients still decrypt but `age-plugin-tpm` 1.0+ refuses to encrypt to them; `modules/desktop-age-secrets.nix` symlinks `age-plugin-tag → age-plugin-tpm` so rage's plugin dispatch finds the binary under both prefixes). Append it to the `tpm` list in `secrets/secrets.nix` (label as a Nix `# host` comment, not as a trailing word inside the recipient string — rage's bech32 parser rejects the trailing whitespace), run `agenix -r` to re-encrypt, commit, `./deploy.sh switch`.
 - **Encrypting a new server secret** uses the SSH public key directly with `age -R`:
 ```sh
 age -R <(ssh-keygen -y -f secrets/usb-secrets/usb-secrets-key) \
diff --git a/modules/desktop-age-secrets.nix b/modules/desktop-age-secrets.nix
index dec1391..9339853 100644
--- a/modules/desktop-age-secrets.nix
+++ b/modules/desktop-age-secrets.nix
@@ -4,11 +4,22 @@
 ...
 }:
 let
- # Wrap rage so age-plugin-tpm is on PATH at activation time.
- # Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
- # which age-plugin-tpm handles under its own name.
+ # age-plugin-tpm 1.0+ defaults to the new age1tag1… (p256tag) recipient
+ # encoding and refuses to encrypt to legacy age1tpm1… recipients. rage's
+ # plugin dispatch maps recipient prefixes to binaries (`age1tag1…` →
+ # `age-plugin-tag`), but nixpkgs only ships `age-plugin-tpm`. Provide a
+ # symlink so both prefixes resolve to the same binary.
+ age-plugin-tpm-with-tag = pkgs.symlinkJoin {
+ name = "age-plugin-tpm-with-tag";
+ paths = [ pkgs.age-plugin-tpm ];
+ postBuild = ''
+ ln -s age-plugin-tpm $out/bin/age-plugin-tag
+ '';
+ };
+
+ # Wrap rage so the plugin (under both names) is on PATH at activation time.
 rageWithTpm = pkgs.writeShellScriptBin "rage" ''
- export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
+ export PATH="${age-plugin-tpm-with-tag}/bin:$PATH"
 exec ${pkgs.rage}/bin/rage "$@"
 '';
 in
diff --git a/secrets/desktop/nix-cache-netrc.age b/secrets/desktop/nix-cache-netrc.age
index 6dd5619..e5a26d8 100644
Binary files a/secrets/desktop/nix-cache-netrc.age and b/secrets/desktop/nix-cache-netrc.age differ
diff --git a/secrets/desktop/oo7-keyring-password.age b/secrets/desktop/oo7-keyring-password.age
index 1347efd..db58f2c 100644
Binary files a/secrets/desktop/oo7-keyring-password.age and b/secrets/desktop/oo7-keyring-password.age differ
diff --git a/secrets/desktop/password-hash.age b/secrets/desktop/password-hash.age
index fe6965b..19246f8 100644
Binary files a/secrets/desktop/password-hash.age and b/secrets/desktop/password-hash.age differ
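Review bot: The `postBuild` hook creates the `age-plugin-tag` link without checking that `$out/bin/age-plugin-tpm` exists, and `ln -s` happily creates a dangling link, so if the plugin binary were ever renamed in nixpkgs the build would still succeed and the failure would only surface at activation when rage cannot dispatch to the plugin; adding `test -x "$out/bin/age-plugin-tpm"` on the line before the `ln -s` makes the build fail instead. Since this commit also re-encrypts `secrets/desktop/password-hash.age` to the new `age1tag1…` recipients, a decryption failure at activation would presumably leave a host without its password hash, so it is worth confirming on each desktop that the existing `/var/lib/agenix/tpm-identity` still opens the re-encrypted files (e.g. `rage -d -i /var/lib/agenix/tpm-identity secrets/desktop/password-hash.age`) before running `./deploy.sh switch`. The module body after `in` continues outside the hunk.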
diff --git a/secrets/desktop/secureboot.tar.age b/secrets/desktop/secureboot.tar.age
index ff22171..909cf1c 100644
Binary files a/secrets/desktop/secureboot.tar.age and b/secrets/desktop/secureboot.tar.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 886c5e2..1f9ede2 100644
Binary files a/secrets/secrets.nix and b/secrets/secrets.nix differ
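Review bot: `secrets/secrets.nix` is reported as `Binary files … differ`, so the change to the `tpm` recipient list that this commit relies on cannot be reviewed here, even though that list decides which TPM identities can open every desktop secret. Presumably a `.gitattributes` rule or a non-text byte in the file is responsible — confirm which and restore a textual diff, so that each added recipient can be checked against the `age1tag1…` value the bootstrap script prints and a stray or mistyped recipient is visible at review time.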