tuxcord.nix/docs/SECRETS.md

# Secrets

Secrets are managed with agenix in the `agenix/` directory. This makes it possible to declare secrets declaratively, together with the keys that are allowed to decrypt each of them.

## Usage

The `agenix` help output is already very helpful, but here is a survival guide:

- `agenix` commands should be run relative to the `agenix/` directory.
- `agenix -d` decrypts a secret file, provided you possess one of its decryption keys.
- `agenix -e` decrypts the file (if it already exists), opens it in your editor and re-encrypts it when the editor exits.
- `agenix -r` re-encrypts all `*.age` files; use it whenever you change their decryption keys.

## Secrets

### DNS TSIG Keys

The DNS server accepts zone updates through `nsupdate`, authenticated with symmetric TSIG keys.

These keys can be generated with `tsig-keygen <key-name>` (historically they were generated with `dnssec-keygen` and HMAC algorithms, but that is no longer supported).

When DNS is enabled for a host, it looks for secrets named `dns/${fqdn}/${zone}.key`.

- The key whose zone matches the `${fqdn}` is allowed to transmit updates for the whole domain.
- Keys restricted to a specific `${subdomain}` are only allowed to edit records of that subdomain.
- All keys must be named after the zone they affect, final dot included; e.g. `tuxcord.net/javalsai.tuxcord.net.key` must be generated with `tsig-keygen javalsai.tuxcord.net.`.
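As an added example (not code from tuxcord.nix), the following POSIX shell check verifies that a plaintext key file follows the convention above before it is handed to `agenix -e`; the host name, zone names, paths and the sample secret are all constructed.

```shell
#!/bin/sh
# Added example, not part of tuxcord.nix. Checks a plaintext TSIG key against the
# dns/${fqdn}/${zone}.key convention before it gets encrypted with agenix.
set -eu

# check_tsig_key FQDN ZONE FILE
#   FQDN  host the secret belongs to, e.g. tuxcord.net (constructed)
#   ZONE  zone the key may update, final dot included, e.g. javalsai.tuxcord.net.
#   FILE  plaintext tsig-keygen output, expected at .../dns/${fqdn}/<zone-without-dot>.key
# Returns 0 only if the zone is absolute, lies within FQDN, the file sits at the
# expected path and the key name tsig-keygen embedded in it equals ZONE.
check_tsig_key() {
    fqdn=$1; zone=$2; file=$3
    case "$zone" in
        *.) ;;
        *) echo "zone '$zone' must end with a final dot" >&2; return 1 ;;
    esac
    bare=${zone%.}                       # zone without the trailing dot
    case "$bare" in
        "$fqdn" | *."$fqdn") ;;          # whole domain, or a subdomain of it
        *) echo "zone '$zone' is neither $fqdn nor one of its subdomains" >&2; return 1 ;;
    esac
    case "$file" in
        dns/"$fqdn"/"$bare".key | */dns/"$fqdn"/"$bare".key) ;;
        *) echo "'$file' is not at dns/$fqdn/$bare.key" >&2; return 1 ;;
    esac
    # tsig-keygen emits:  key "NAME" { algorithm hmac-...; secret "..."; };
    name=$(sed -n 's/^key "\([^"]*\)".*/\1/p' "$file" | head -n 1)
    [ "$name" = "$zone" ] || { echo "key name '$name' does not match zone '$zone'" >&2; return 1; }
    grep -q 'algorithm hmac-' "$file" || { echo "no HMAC algorithm line in '$file'" >&2; return 1; }
}

# write_sample_key FILE NAME
#   Writes a constructed stand-in for `tsig-keygen NAME` output; the secret is fake.
write_sample_key() {
    mkdir -p "$(dirname "$1")"
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "Y29uc3RydWN0ZWQsIG5vdCBhIHJlYWwga2V5";\n};\n' "$2" > "$1"
}
```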