diff --git a/modules/desktop-age-secrets.nix b/modules/desktop-age-secrets.nix
index 12dcca9..c54bc76 100644
--- a/modules/desktop-age-secrets.nix
+++ b/modules/desktop-age-secrets.nix
@@ -4,9 +4,9 @@
 ... }: let
- # rage cannot invoke age-plugin-tpm unless the plugin binary is on PATH at
- # activation time. Wrap rage so the activation scripts (and anything else
- # that picks up `age.ageBin`) get age-plugin-tpm for free.
+ # Wrap rage so age-plugin-tpm is on PATH at activation time.
+ # Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
+ # which age-plugin-tpm handles under its own name.
 rageWithTpm = pkgs.writeShellScriptBin "rage" ''
 export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
 exec ${pkgs.rage}/bin/rage "$@"
diff --git a/scripts/bootstrap-desktop-tpm.sh b/scripts/bootstrap-desktop-tpm.sh
index 00ee456..818a1d1 100755
--- a/scripts/bootstrap-desktop-tpm.sh
+++ b/scripts/bootstrap-desktop-tpm.sh
@@ -2,23 +2,16 @@
 # Bootstrap the age-plugin-tpm identity for a desktop host (mreow / yarn).
 #
 # Produces a TPM-sealed age identity at /var/lib/agenix/tpm-identity and
-# prints the legacy `age1tpm1…` recipient. The identity file is a TPM
-# handle, not key material — the actual key never leaves the TPM.
-#
-# --tpm-recipient is required: nixpkgs only ships `age-plugin-tpm`, not the
-# `age-plugin-tag` binary that rage looks up when it sees the new p256tag
-# `age1tag1…` format. Until a packaged age-plugin-tag lands, every recipient
-# stays in the legacy form so encryption works with off-the-shelf nixpkgs.
+# prints the recipient string to add to secrets/secrets.nix.
 #
 # Usage:
 # doas scripts/bootstrap-desktop-tpm.sh
 #
 # After running:
-# 1. Append the printed recipient to `tpm` in secrets/secrets.nix:
-# "age1tpm1… "
-# 2. `agenix -r` (from a shell with age-plugin-tpm on PATH) to re-encrypt
-# every desktop secret with the new recipient list.
-# 3. Commit + `./deploy.sh switch`.
+# 1. Append the printed recipient to the `tpm` list in secrets/secrets.nix.
+# 2. Re-encrypt: nix-shell -p age-plugin-tpm rage --run \
+# 'agenix -r -i ~/.ssh/id_ed25519'
+# 3. Commit + ./deploy.sh switch.
 set -euo pipefail
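Review bot: The new header no longer says what the identity file at /var/lib/agenix/tpm-identity contains or why the printed recipient must stay in the `age1tpm1…` form, yet `modules/desktop-age-secrets.nix` in this same commit still documents mreow and yarn as relying on that legacy encoding. One sentence next to "Produces a TPM-sealed age identity …" would tell the next operator what not to add to secrets.nix, e.g. `# Recipients are kept in the legacy age1tpm1… form (see modules/desktop-age-secrets.nix); do not add age1tag1… recipients.`. Step 2 also hardcodes `-i ~/.ssh/id_ed25519` here and again in the heredoc at @@ -62; if that path is operator-specific, describe it as the admin identity instead so the two copies cannot drift.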
@@ -36,23 +29,16 @@ if [[ -f "$id_file" ]]; then
 echo "existing identity found at $id_file — preserving"
 else
 echo "generating TPM-sealed age identity..."
- nix run nixpkgs#age-plugin-tpm -- --generate --tpm-recipient --output "$id_file"
+ nix-shell -p age-plugin-tpm --run "age-plugin-tpm --generate -o $id_file"
 chmod 0400 "$id_file"
 chown root:root "$id_file"
 fi
-# Always derive the legacy age1tpm1… recipient, even if the identity file
-# was generated with the newer p256tag comment (Recipient line starts with
-# age1tag1…). `--convert --tpm-recipient` uses the same TPM object and just
-# serializes the public key point in the old format.
-recipient=$(nix run nixpkgs#age-plugin-tpm -- --convert --tpm-recipient < "$id_file" 2>/dev/null | grep -o 'age1tpm1[0-9a-z]*' | head -n1)
+# Read the recipient directly from the identity file header — no TPM
+# round-trip needed, no nix run, no set -e hazards.
+recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
 if [[ -z "$recipient" ]]; then
- # fallback to parsing the header comment (only works when the identity was
- # already generated with --tpm-recipient).
- recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')
-fi
-if [[ -z "$recipient" ]]; then
- echo "failed to derive recipient for $id_file" >&2
+ echo "failed to read recipient from $id_file" >&2
 exit 1
 fi
@@ -62,7 +48,7 @@ recipient for $host: "$recipient $host"
 next steps (run on a workstation with git-crypt unlocked):
- 1. edit secrets/secrets.nix and append the line above inside the \`tpm\` list.
- 2. nix run nixpkgs#agenix -- -r # re-encrypts every .age file.
+ 1. edit secrets/secrets.nix and add the line above to the \`tpm\` list.
+ 2. re-encrypt: nix-shell -p age-plugin-tpm rage --run 'agenix -r -i ~/.ssh/id_ed25519'
 3. git commit + ./deploy.sh switch
 EOF
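Review bot: `recipient=$(grep '^# Recipient:' "$id_file" | awk '{print $3}')` still trips `set -euo pipefail`: when the header line is absent grep exits 1, pipefail propagates that to the assignment, and errexit ends the script before the `failed to read recipient` message is printed, so the new comment's "no set -e hazards" claim does not hold; append `|| true` inside the substitution so the explicit emptiness check below does the reporting. The rewritten `--generate` call also drops `--tpm-recipient`, so whatever format the plugin writes to the `# Recipient:` header is what lands in secrets.nix; if the packaged plugin emits `age1tag1…` by default (as the removed comment warned), off-the-shelf rage cannot encrypt to it, so consider adding `if [[ "$recipient" != age1tpm1* ]]; then echo "unexpected recipient format: $recipient" >&2; exit 1; fi` right after the emptiness check. Minor: `$id_file` is expanded unquoted inside the `--run` string and re-split by the inner shell; `--run "age-plugin-tpm --generate -o '$id_file'"` keeps it intact if the path ever contains spaces. The heredoc changed at @@ -62 opens outside that hunk.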
diff --git a/secrets/desktop/nix-cache-netrc.age b/secrets/desktop/nix-cache-netrc.age
index 779396e..5b132a9 100644
Binary files a/secrets/desktop/nix-cache-netrc.age and b/secrets/desktop/nix-cache-netrc.age differ
diff --git a/secrets/desktop/password-hash.age b/secrets/desktop/password-hash.age
index e2ae761..02c397f 100644
Binary files a/secrets/desktop/password-hash.age and b/secrets/desktop/password-hash.age differ
diff --git a/secrets/desktop/secureboot.tar.age b/secrets/desktop/secureboot.tar.age
index 024d153..fccc83f 100644
Binary files a/secrets/desktop/secureboot.tar.age and b/secrets/desktop/secureboot.tar.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c1f6823..0f69b11 100644
Binary files a/secrets/secrets.nix and b/secrets/secrets.nix differ