Use agenix

2025-07-29 11:07:44 +00:00 · 2024-01-10 14:38:49 +03:00 · 2024-01-10 14:38:49 +03:00 · 722114295c
commit 722114295c
parent 63a70bd318
16 changed files with 188 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,9 +12,12 @@

 !lib/

+!secrets/
+
 !.gitignore
 !flake.lock

+!*.age
 !*.md
 !*.nix
 !*.nu
--- a/flake.lock
+++ b/flake.lock
@ -16,6 +16,29 @@
        "type": "github"
      }
    },
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1703433843,
+        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "crane": {
      "inputs": {
        "nixpkgs": [
@ -37,6 +60,28 @@
        "type": "github"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
@ -179,7 +224,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1694529238,
@ -227,7 +272,7 @@
    },
    "flake-utils_5": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1694529238,
@ -338,6 +383,27 @@
        "type": "github"
      }
    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "homeManager": {
      "inputs": {
        "nixpkgs": [
@ -362,7 +428,7 @@
      "inputs": {
        "hyprland-protocols": "hyprland-protocols",
        "nixpkgs": "nixpkgs",
-        "systems": "systems_2",
+        "systems": "systems_3",
        "wlroots": "wlroots",
        "xdph": "xdph"
      },
@ -647,6 +713,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "fenix": "fenix",
        "ghostty": "ghostty",
        "ghosttyModule": "ghosttyModule",
@ -720,6 +787,21 @@
      }
    },
    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -734,7 +816,7 @@
        "type": "github"
      }
    },
-    "systems_3": {
+    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
--- a/flake.nix
+++ b/flake.nix
@ -31,6 +31,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    agenix = {
+      url                    = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    hyprland = {
      url = "github:hyprwm/Hyprland";
    };
@ -85,10 +90,9 @@
  outputs = {
    nixSuper,
    nixpkgs,
+    agenix,
    homeManager,
-    nuScripts,
    fenix,
-    zig,
    site,
    tools,
    themes,
@ -96,12 +100,20 @@
  } @ inputs: let
    importConfiguration = host: let
      hostDefault = import ./hosts/${host} {
-        # Will explode if you try to use user dependant stuff.
-        ulib = (import ./lib lib null) // { merge = lib.recursiveUpdate; };
+        config = {};
+        ulib   = (import ./lib lib null) // {
+          merge = lib.recursiveUpdate;
+        };
      };

      users = {
-        all       = builtins.attrNames hostDefault.users.users ++ [ "root" ];
+        all = let
+          users = builtins.attrNames hostDefault.users.users;
+        in if builtins.elem "root" users then
+          users
+        else
+          users ++ [ "root" ];
+
        graphical = builtins.attrNames (lib.filterAttrs (name: value: builtins.elem "graphical" (value.extraGroups or [])) hostDefault.users.users);
      };

@ -113,16 +125,17 @@
      pkgs  = import nixpkgs { inherit system; };
      upkgs = let
        defaults = lib.genAttrs
-          [ "nixSuper" "hyprland" "hyprpicker" "ghostty" "zls" ]
+          [ "nixSuper" "agenix" "hyprland" "hyprpicker" "ghostty" "zls" ]
          (name: inputs.${name}.packages.${system}.default);

        other = {
-          inherit nuScripts;
-
-          zig = zig.packages.${system}.master;
+          nuScripts = inputs.nuScripts;
+          zig       = inputs.zig.packages.${system}.master;
        };
      in defaults // other;

+      keys = import ./secrets/keys.nix;
+
      theme = themes.custom (themes.raw.gruvbox-dark-hard // {
        cornerRadius = 8;
        borderWidth  = 2;
@ -144,6 +157,8 @@
      });

      defaultConfiguration = {
+        age.identityPaths = builtins.map (user: "/home/${user}/.ssh/id") users.all;
+
        home-manager.users           = lib.genAttrs users.all (user: {});
        home-manager.useGlobalPkgs   = true;
        home-manager.useUserPackages = true;
@ -154,9 +169,13 @@
    in lib.nixosSystem {
      inherit system;

-      specialArgs = { inherit inputs ulib upkgs theme; };
+      specialArgs = { inherit inputs ulib upkgs keys theme; };
      modules     = [
        homeManager.nixosModules.default
+
+        agenix.nixosModules.default
+        ./secrets
+
        site.nixosModules.default

        defaultConfiguration
--- a/hosts/cube/acme.nix
+++ b/hosts/cube/acme.nix
@ -1,11 +1,11 @@
-{ ulib, ... }: with ulib;
+{ config, ulib, ... }: with ulib;

 serverSystemConfiguration {
  security.acme = {
    acceptTerms = true;

    defaults = {
-      credentialsFile = "/home/cube/.credentials/acme";
+      credentialsFile = config.age.secrets.acme.path;
      dnsProvider     = "cloudflare";
      dnsResolver     = "1.1.1.1";
      email           = "rgbsphere@gmail.com";
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -1,18 +1,19 @@
-{ ulib, ... }: with ulib; merge
+{ config, ulib, keys, ... }: with ulib; merge

-(let
-  rgbKey  = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRSLWxpIMOZIQv9ggDnAwSxmux/TZvuEPgq2HFiH+oI2OE07xYQAiroBVI5HH+aIg1nwpYtArANoD8V9Hrx2XCo2py/fMi9LhJWNMlFVcRLqYrCmrZYhBqZhxXIdY+wXqkSE7kvTKsz84BrhwilfA/bqTgVw2Ro6w0RnTzUhlYx4w10DT3isN09cQJMgvuyWNRlpGpkEGhPwyXythKM2ERoHTfq/XtpiGZQeLr6yoTTd9q4rbvnGGka5IUEz3RrmeXEs13l02IY6dCUFJkRRsK8dvB9zFjQyM08IqdaoHeudZoCOsnl/AiegZ7C5FoYEKIXY86RqxS3TH3nwuxe2fXTNr9gwf2PumM1Yh2WxV4+pHQOksxW8rWgv1nXMT5AG0RrJxr+S0Nn7NBbzCImrprX3mg4vJqT24xcUjUSDYllEMa2ioXGCeff8cwVKK/Ly5fwj0AX1scjiw+b7jD6VvDLA5z+ALwCblxiRMCN0SOMk9/V2Xsg9YIRMHyQwpqu8k= nixos@enka";
-in systemConfiguration {
+(systemConfiguration {
  system.stateVersion = "23.05";

  nixpkgs.hostPlatform = "x86_64-linux";

  time.timeZone = "Europe/Amsterdam";

+  users.users.root.passwordFile = config.age.secrets."cube.password".path;
+
  users.users.rgb = normalUser {
    description = "RGB";
    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ rgbKey ];
+    openssh.authorizedKeys.keys = [ keys.rgbcube ];
+    passwordFile = config.age.secrets."cube.password".path;
  };
 })

--- a/hosts/enka/default.nix
+++ b/hosts/enka/default.nix
@ -1,4 +1,4 @@
-{ ulib, ... }: with ulib; merge
+{ config, ulib, ... }: with ulib; merge

 (systemConfiguration {
  system.stateVersion = "23.05";
@ -7,14 +7,18 @@

  time.timeZone = "Europe/Istanbul";

+  users.users.root.passwordFile = config.age.secrets."enka.said.password".path;
+
  users.users.said = graphicalUser {
    description = "Said";
    extraGroups = [ "wheel" ];
+    passwordFile = config.age.secrets."enka.said.password".path;
    uid         = 1000;
  };

  users.users.orhan = graphicalUser {
    description = "Orhan";
+    passwordFile = builtins.trace (config.age.secrets) config.age.secrets."enka.orhan.password".path;
    uid         = 1001;
  };

--- a/modules/git.nix
+++ b/modules/git.nix
@ -67,7 +67,7 @@ homeConfiguration {

      commit.gpgSign  = true;
      gpg.format      = "ssh";
-      user.signingKey = "~/.ssh/id_rsa";
+      user.signingKey = "~/.ssh/id";
    };
  };
 }
--- a/modules/packages.nix
+++ b/modules/packages.nix
@ -18,6 +18,8 @@
 ]))

 (desktopSystemPackages (with pkgs; [
+  upkgs.agenix
+
  clang_16
  clang-tools_16
  gh
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -8,14 +8,14 @@ desktopHomeConfiguration {
      hostname     = "5.255.78.70";
      user         = "rgb";
      port         = 2222;
-      identityFile = "~/.ssh/id_rsa";
+      identityFile = "~/.ssh/id";
    };

    matchBlocks.robotic = {
      hostname     = "86.105.252.189";
      user         = "rgbcube";
      port         = 2299;
-      identityFile = "~/.ssh/id_rsa";
+      identityFile = "~/.ssh/id";
    };
  };
 }
--- a/secrets/acme.age
+++ b/secrets/acme.age
--- a/secrets/cube.password.age
+++ b/secrets/cube.password.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 9vzFYQdaR8oU5fCX5TpYCcpHxRneInJJmKJxyAox1H8
+dfH3DoCUcXPklFXGcAOjorafQnmzmfNMjF04uh/Tk1Y
+--- st25AwLd+TvV/XNoIaeWxSiNus7VYYjGa1GkR6zJaJA
+ç€‰Ëã&njœ+ÓüËæÄ‚½:¬±È
ó¯À¢'ØjÝøä
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,9 @@
+{ lib, ulib, ... }: with ulib;
+
+systemConfiguration {
+  age.secrets = lib.genAttrs
+    (builtins.map
+      (lib.removeSuffix ".age")
+      (builtins.attrNames (import ./secrets.nix)))
+    (name: { file = ./${name}.age; });
+}
--- a/secrets/enka.orhan.password.age
+++ b/secrets/enka.orhan.password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-rsa jPaU3Q
+TYP4U2JrR4wMD/iGf2N69aCAUyTcfhh1ir/Kl2I8cirwyPqRyPf6Zz5bffXdPXDS
+npDHBiY2jWc+UB6Aa93cuzas0FMgzhYgeg4/5Zejr1/ZgQ4yMS3eRNZjp98oRnvM
+nlRbbuRyseNqvahOsDcXk6BLi4G8iF42HnF02lrcRrpIoR5SUI0Jo1trTi8FeZ8l
+yehxJ7Sgi+r/kkrKub5TucbP8UFgPwM35Q9y3Piy+Uj2d7cUr+7OAD/B54wk1QcB
+sLjHudfsOa92OauIy5VJXLy2a8R3Vlf5xC0C2qdyVSbo8ehbrYiyS58C/4IIGP7W
+D6Dccc0MEuAnivoJjDD77Pc7h5AuCeC+iCDwj+Pf2rx7t5RWIspUGO+oV7sah8qe
+dN9CSgqRsXIeqhsY1+1XV/g97Ws6a7+NT5u8caUA8ix5kES66/QV3l4xVEsbeZJ7
+z6J0bHB4PKfkO0kokvU0qYt8TwFeRxo4+vD/boV+RBRn75Uvp4hGriOjj72cSioc
+
+--- d1Wrh6OYon38DuBTf3+evw1gZooi1Jz0jM2tkIuRGM8
+ªXÕÅ¥âjòBµZÞ¹Ñkà|]Snìeøíƒ§hï&7*+Ø¯kG
--- a/secrets/enka.said.password.age
+++ b/secrets/enka.said.password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-rsa jPaU3Q
+RCj5cbsVH2i08bb6n4oYVurJPjrb3OF5as2iRaJF+GNUj3X73yxLNiMknR/Qw1yz
+hRhPgPf9r2AMAheGiHDkcWBO8hccYDrEzfUl+AYV5K+Ny1FOSgwSid9qCySWiVB9
+sB0TFvwI4tlmjCCfuHwdqhUbiZyUDdjWtvJ3Ye5EyEW4oKIweJjW/r+An7M0AAY
+qAf9f6yqU5hQtaYvdEuptv60OixIMkwgWWQMkIR6j7sjwZ7o65FGnXST1XyDt8Pv
+mxHDJwUGRRbxum+qny8PS/5TRsahUVOXMDbOxlvraw3IjK7uJ2inCaZhhzGtyesj
+3WDkTDtLXxQemTqEUglfhtxkly7axHqS/vfS+4ki5/oZODUHpB3NBuvNpF7Z2Tdb
+tucFz5bH0Lhh4omPBLVs4bEpdDzi3oL10cTnMd/O8rGe9vFrgr19mqqebgdYFYoU
+YwcYxffRBRtbsT8Ea1Vam7VT2rBEwK1U39EfU4ltqCXcavehhHJNRKtl7SCI2TrY
+
+--- HhjLRLEzNSv9CNNpkUB51sk6PP3S0jc2YIqjrQ7xW3g
+ì|áëy€aæ:„6$>u%8¥QPˆ¶Åš«M;œVIûéB¶¯J
--- a/secrets/keys.nix
+++ b/secrets/keys.nix
@ -0,0 +1,4 @@
+{
+  rgbcube  = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRSLWxpIMOZIQv9ggDnAwSxmux/TZvuEPgq2HFiH+oI2OE07xYQAiroBVI5HH+aIg1nwpYtArANoD8V9Hrx2XCo2py/fMi9LhJWNMlFVcRLqYrCmrZYhBqZhxXIdY+wXqkSE7kvTKsz84BrhwilfA/bqTgVw2Ro6w0RnTzUhlYx4w10DT3isN09cQJMgvuyWNRlpGpkEGhPwyXythKM2ERoHTfq/XtpiGZQeLr6yoTTd9q4rbvnGGka5IUEz3RrmeXEs13l02IY6dCUFJkRRsK8dvB9zFjQyM08IqdaoHeudZoCOsnl/AiegZ7C5FoYEKIXY86RqxS3TH3nwuxe2fXTNr9gwf2PumM1Yh2WxV4+pHQOksxW8rWgv1nXMT5AG0RrJxr+S0Nn7NBbzCImrprX3mg4vJqT24xcUjUSDYllEMa2ioXGCeff8cwVKK/Ly5fwj0AX1scjiw+b7jD6VvDLA5z+ALwCblxiRMCN0SOMk9/V2Xsg9YIRMHyQwpqu8k= nixos@enka";
+  cube     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube";
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,8 @@
+let
+  keys = import ./keys.nix;
+in {
+  "acme.age".publicKeys                = [ keys.cube ];
+  "cube.password.age".publicKeys       = [ keys.cube ];
+  "enka.said.password.age".publicKeys  = [ keys.rgbcube ];
+  "enka.orhan.password.age".publicKeys = [ keys.rgbcube ];
+}