From 722114295cec9070c4f45f3e4a02018ae644de79 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Wed, 10 Jan 2024 14:38:49 +0300
Subject: [PATCH] Use agenix
---
.gitignore | 3 ++
flake.lock | 90 ++++++++++++++++++++++++++++++--
flake.nix | 39 ++++++++++----
hosts/cube/acme.nix | 4 +-
hosts/cube/default.nix | 11 ++--
hosts/enka/default.nix | 6 ++-
modules/git.nix | 2 +-
modules/packages.nix | 2 +
modules/ssh.nix | 4 +-
secrets/acme.age | Bin 0 -> 359 bytes
secrets/cube.password.age | 5 ++
secrets/default.nix | 9 ++++
secrets/enka.orhan.password.age | 13 +++++
secrets/enka.said.password.age | 13 +++++
secrets/keys.nix | 4 ++
secrets/secrets.nix | 8 +++
16 files changed, 188 insertions(+), 25 deletions(-)
create mode 100644 secrets/acme.age
create mode 100644 secrets/cube.password.age
create mode 100644 secrets/default.nix
create mode 100644 secrets/enka.orhan.password.age
create mode 100644 secrets/enka.said.password.age
create mode 100644 secrets/keys.nix
create mode 100644 secrets/secrets.nix
diff --git a/.gitignore b/.gitignore
index 68932b3..0924889 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,9 +12,12 @@ !lib/ +!secrets/ + !.gitignore !flake.lock +!*.age !*.md !*.nix !*.nu
diff --git a/flake.lock b/flake.lock
index aa3bc0e..3b32bfd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,6 +16,29 @@ "type": "github" } }, + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1703433843, + "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=", + "owner": "ryantm", + "repo": "agenix", + "rev": "417caa847f9383e111d1397039c9d4337d024bf0", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ 
@@ -37,6 +60,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -179,7 +224,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1694529238, @@ -227,7 +272,7 @@ }, "flake-utils_5": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1694529238, @@ -338,6 +383,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "homeManager": { "inputs": { "nixpkgs": [ @@ -362,7 +428,7 @@ "inputs": { "hyprland-protocols": "hyprland-protocols", "nixpkgs": "nixpkgs", - "systems": "systems_2", + "systems": "systems_3", "wlroots": "wlroots", "xdph": "xdph" }, @@ -647,6 +713,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "fenix": "fenix", "ghostty": "ghostty", "ghosttyModule": "ghosttyModule", 
@@ -720,6 +787,21 @@ } }, "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -734,7 +816,7 @@ "type": "github" } }, - "systems_3": { + "systems_4": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
diff --git a/flake.nix b/flake.nix
index b804ce9..48b6fae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + hyprland = { url = "github:hyprwm/Hyprland"; };
@@ -85,10 +90,9 @@ outputs = { nixSuper, nixpkgs, + agenix, homeManager, - nuScripts, fenix, - zig, site, tools, themes,
@@ -96,12 +100,20 @@ } @ inputs: let importConfiguration = host: let hostDefault = import ./hosts/${host} { - # Will explode if you try to use user dependant stuff. - ulib = (import ./lib lib null) // { merge = lib.recursiveUpdate; }; + config = {}; + ulib = (import ./lib lib null) // { + merge = lib.recursiveUpdate; + }; }; users = { - all = builtins.attrNames hostDefault.users.users ++ [ "root" ]; + all = let + users = builtins.attrNames hostDefault.users.users; + in if builtins.elem "root" users then + users + else + users ++ [ "root" ]; + graphical = builtins.attrNames (lib.filterAttrs (name: value: builtins.elem "graphical" (value.extraGroups or [])) hostDefault.users.users); }; 
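Review bot: The removed comment ("Will explode if you try to use user dependant stuff.") was the only explanation of why the `hosts/${host}` import in importConfiguration receives stub arguments, and the new `config = {};` carries the same caveat now that the hosts read `config.age.secrets.<name>.path` (hosts/cube and hosts/enka in this commit); it appears to work only because `builtins.attrNames hostDefault.users.users` and `lib.recursiveUpdate` never force those leaf values. I'd keep a note beside `config = {};`: `# Stubs for the pre-evaluation pass that only extracts user names; anything that forces config.* or user-dependent ulib here will fail.` The root de-duplication in `users.all` looks correct. importConfiguration's let-block continues past the end of this hunk.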
@@ -113,16 +125,17 @@ pkgs = import nixpkgs { inherit system; }; upkgs = let defaults = lib.genAttrs - [ "nixSuper" "hyprland" "hyprpicker" "ghostty" "zls" ] + [ "nixSuper" "agenix" "hyprland" "hyprpicker" "ghostty" "zls" ] (name: inputs.${name}.packages.${system}.default); other = { - inherit nuScripts; - - zig = zig.packages.${system}.master; + nuScripts = inputs.nuScripts; + zig = inputs.zig.packages.${system}.master; }; in defaults // other; + keys = import ./secrets/keys.nix; + theme = themes.custom (themes.raw.gruvbox-dark-hard // { cornerRadius = 8; borderWidth = 2;
@@ -144,6 +157,8 @@ }); defaultConfiguration = { + age.identityPaths = builtins.map (user: "/home/${user}/.ssh/id") users.all; + home-manager.users = lib.genAttrs users.all (user: {}); home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true;
@@ -154,9 +169,13 @@ in lib.nixosSystem { inherit system; - specialArgs = { inherit inputs ulib upkgs theme; }; + specialArgs = { inherit inputs ulib upkgs keys theme; }; modules = [ homeManager.nixosModules.default + + agenix.nixosModules.default + ./secrets + site.nixosModules.default defaultConfiguration
diff --git a/hosts/cube/acme.nix b/hosts/cube/acme.nix
index 9117a76..dea0df1 100644
--- a/hosts/cube/acme.nix
+++ b/hosts/cube/acme.nix
@@ -1,11 +1,11 @@ -{ ulib, ... }: with ulib; +{ config, ulib, ... }: with ulib; serverSystemConfiguration { security.acme = { acceptTerms = true; defaults = { - credentialsFile = "/home/cube/.credentials/acme"; + credentialsFile = config.age.secrets.acme.path; dnsProvider = "cloudflare"; dnsResolver = "1.1.1.1"; email = "rgbsphere@gmail.com";
diff --git a/hosts/cube/default.nix b/hosts/cube/default.nix
index b8ebb82..82ea7d8 100644
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
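Review bot: `age.identityPaths` is derived from `users.all`, so it always contains `/home/root/.ssh/id`, which does not exist on a stock NixOS host where root's home is `/root`; agenix skips identities it cannot read, so that entry is only misleading, but the real concern is that the host's secret-decryption identity is now a user's personal login key — the same `~/.ssh/id` that modules/ssh.nix and modules/git.nix use for SSH authentication and commit signing. A fresh host therefore cannot decrypt its own root password until that user's key has been copied into /home, and one leaked key exposes both the user's SSH access and every secret on the host. The agenix default of a host key, `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with secrets encrypted to the host's public key in secrets/secrets.nix, avoids both problems. The defaultConfiguration attrset continues past this hunk.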
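Review bot: `config.age.secrets.acme.path` inherits the agenix defaults set in secrets/default.nix (owner root, mode 0400), and whether the acme service can read it depends on how the NixOS acme module in the locked nixpkgs hands `credentialsFile` to systemd — as `EnvironmentFile`/`LoadCredential` it is read by systemd as root and works, but if lego opens it as the `acme` user it will fail with permission denied. Worth confirming against the nixpkgs revision in flake.lock and, if needed, setting `age.secrets.acme.owner = "acme";` in secrets/default.nix. The file's content format (lego environment variables for the cloudflare provider) presumably matches what lived at `/home/cube/.credentials/acme`, which the diff cannot show. serverSystemConfiguration's argument continues past the hunk.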
@@ -1,18 +1,19 @@ -{ ulib, ... }: with ulib; merge +{ config, ulib, keys, ... }: with ulib; merge -(let - rgbKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRSLWxpIMOZIQv9ggDnAwSxmux/TZvuEPgq2HFiH+oI2OE07xYQAiroBVI5HH+aIg1nwpYtArANoD8V9Hrx2XCo2py/fMi9LhJWNMlFVcRLqYrCmrZYhBqZhxXIdY+wXqkSE7kvTKsz84BrhwilfA/bqTgVw2Ro6w0RnTzUhlYx4w10DT3isN09cQJMgvuyWNRlpGpkEGhPwyXythKM2ERoHTfq/XtpiGZQeLr6yoTTd9q4rbvnGGka5IUEz3RrmeXEs13l02IY6dCUFJkRRsK8dvB9zFjQyM08IqdaoHeudZoCOsnl/AiegZ7C5FoYEKIXY86RqxS3TH3nwuxe2fXTNr9gwf2PumM1Yh2WxV4+pHQOksxW8rWgv1nXMT5AG0RrJxr+S0Nn7NBbzCImrprX3mg4vJqT24xcUjUSDYllEMa2ioXGCeff8cwVKK/Ly5fwj0AX1scjiw+b7jD6VvDLA5z+ALwCblxiRMCN0SOMk9/V2Xsg9YIRMHyQwpqu8k= nixos@enka"; -in systemConfiguration { +(systemConfiguration { system.stateVersion = "23.05"; nixpkgs.hostPlatform = "x86_64-linux"; time.timeZone = "Europe/Amsterdam"; + users.users.root.passwordFile = config.age.secrets."cube.password".path; + users.users.rgb = normalUser { description = "RGB"; extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ rgbKey ]; + openssh.authorizedKeys.keys = [ keys.rgbcube ]; + passwordFile = config.age.secrets."cube.password".path; }; }) diff --git a/hosts/enka/default.nix b/hosts/enka/default.nix index 4c33563..0350962 100644 --- a/hosts/enka/default.nix +++ b/hosts/enka/default.nix @@ -1,4 +1,4 @@ -{ ulib, ... }: with ulib; merge +{ config, ulib, ... }: with ulib; merge (systemConfiguration { system.stateVersion = "23.05"; @@ -7,14 +7,18 @@ time.timeZone = "Europe/Istanbul"; + users.users.root.passwordFile = config.age.secrets."enka.said.password".path; + users.users.said = graphicalUser { description = "Said"; extraGroups = [ "wheel" ]; + passwordFile = config.age.secrets."enka.said.password".path; uid = 1000; }; users.users.orhan = graphicalUser { description = "Orhan"; + passwordFile = builtins.trace (config.age.secrets) config.age.secrets."enka.orhan.password".path; uid = 1001; }; diff --git a/modules/git.nix b/modules/git.nix index 189da5d..11379e7 100644 
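Review bot: root and `rgb` (a wheel member) point at the same `passwordFile`, so the two accounts differ only by username; a separate secret for root, or no root password at all now that `rgb` has sudo through wheel, keeps the compromise of one from being the compromise of both. `passwordFile` expects a hash as produced by `mkpasswd`, not a plaintext password — the content of secrets/cube.password.age is encrypted, so the diff cannot confirm it, but it is worth checking before the first activation locks root out. Moving the authorized key into secrets/keys.nix is fine, as it is a public key. The file may continue past this hunk.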
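Review bot: `passwordFile` for `orhan` is wrapped in `builtins.trace (config.age.secrets) …`, leftover debugging that prints the `config.age.secrets` attrset on every evaluation; it exposes only secret names and paths rather than contents, but it is noise in every build log and should be removed: `passwordFile = config.age.secrets."enka.orhan.password".path;`. As on cube, root shares `enka.said.password` with the wheel user `said`, which deserves a deliberate decision rather than a convenience default. The systemConfiguration call continues past this hunk.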
--- a/modules/git.nix +++ b/modules/git.nix @@ -67,7 +67,7 @@ homeConfiguration { commit.gpgSign = true; gpg.format = "ssh"; - user.signingKey = "~/.ssh/id_rsa"; + user.signingKey = "~/.ssh/id"; }; }; } diff --git a/modules/packages.nix b/modules/packages.nix index e68a72e..07f9f21 100644 --- a/modules/packages.nix +++ b/modules/packages.nix @@ -18,6 +18,8 @@ ])) (desktopSystemPackages (with pkgs; [ + upkgs.agenix + clang_16 clang-tools_16 gh diff --git a/modules/ssh.nix b/modules/ssh.nix index f67a6db..4f49c2f 100644 --- a/modules/ssh.nix +++ b/modules/ssh.nix @@ -8,14 +8,14 @@ desktopHomeConfiguration { hostname = "5.255.78.70"; user = "rgb"; port = 2222; - identityFile = "~/.ssh/id_rsa"; + identityFile = "~/.ssh/id"; }; matchBlocks.robotic = { hostname = "86.105.252.189"; user = "rgbcube"; port = 2299; - identityFile = "~/.ssh/id_rsa"; + identityFile = "~/.ssh/id"; }; }; } diff --git a/secrets/acme.age b/secrets/acme.age new file mode 100644 index 0000000000000000000000000000000000000000..87e8405496b6a62c0b3f96d47a6dce5dc300627e GIT binary patch literal 359 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUFE{ZY;DOX6ZH1;b@ z4K&ZL2v4ufFs^Vl^GOLza;+?m2q=mu^m25ubT#r$OAInK&gSxpN-NT?H1@S{ukbP-$U-j*j1+zSkyWYxR6usYKweYa{-m9yaXL+ryIpp1-!s>E^ zf5pR@9d;_4yuO@2(z~Yb>5rd>H%@Ze|M=@)y?~FptS0Xgj&BIwwb{}B<)lM4b@}Do z=kL8MnX*_@fppiL%Xb9WM8jrR7=n^N?X^(e&;3Itc8*nrWBsdx-{*dfBpQn NTc2KTTYQpjB>;?2n9=|M literal 0 HcmV?d00001 diff --git a/secrets/cube.password.age b/secrets/cube.password.age new file mode 100644 index 0000000..820a4c5 --- /dev/null +++ b/secrets/cube.password.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw 9vzFYQdaR8oU5fCX5TpYCcpHxRneInJJmKJxyAox1H8 +dfH3DoCUcXPklFXGcAOjorafQnmzmfNMjF04uh/Tk1Y +--- st25AwLd+TvV/XNoIaeWxSiNus7VYYjGa1GkR6zJaJA +瀉Ëã&njœ+ÓüËæÄ‚½:¬±È ó¯À¢'ØjÝøä \ No newline at end of file diff --git a/secrets/default.nix b/secrets/default.nix new file mode 100644 index 0000000..7eb4129 --- /dev/null +++ b/secrets/default.nix 
@@ -0,0 +1,9 @@ +{ lib, ulib, ... }: with ulib; + +systemConfiguration { + age.secrets = lib.genAttrs + (builtins.map + (lib.removeSuffix ".age") + (builtins.attrNames (import ./secrets.nix))) + (name: { file = ./${name}.age; }); +} diff --git a/secrets/enka.orhan.password.age b/secrets/enka.orhan.password.age new file mode 100644 index 0000000..cf6c16a --- /dev/null +++ b/secrets/enka.orhan.password.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-rsa jPaU3Q +TYP4U2JrR4wMD/iGf2N69aCAUyTcfhh1ir/Kl2I8cirwyPqRyPf6Zz5bffXdPXDS +npDHBiY2jWc+UB6Aa93cuzas0FMgzhYgeg4/5Zejr1/ZgQ4yMS3eRNZjp98oRnvM +nlRbbuRyseNqvahOsDcXk6BLi4G8iF42HnF02lrcRrpIoR5SUI0Jo1trTi8FeZ8l +yehxJ7Sgi+r/kkrKub5TucbP8UFgPwM35Q9y3Piy+Uj2d7cUr+7OAD/B54wk1QcB +sLjHudfsOa92OauIy5VJXLy2a8R3Vlf5xC0C2qdyVSbo8ehbrYiyS58C/4IIGP7W +D6Dccc0MEuAnivoJjDD77Pc7h5AuCeC+iCDwj+Pf2rx7t5RWIspUGO+oV7sah8qe +dN9CSgqRsXIeqhsY1+1XV/g97Ws6a7+NT5u8caUA8ix5kES66/QV3l4xVEsbeZJ7 +z6J0bHB4PKfkO0kokvU0qYt8TwFeRxo4+vD/boV+RBRn75Uvp4hGriOjj72cSioc + +--- d1Wrh6OYon38DuBTf3+evw1gZooi1Jz0jM2tkIuRGM8 +ªXÕÅ¥âjòBµZÞ¹Ñkà|]Snìeøíƒ§hï&7*+دkG \ No newline at end of file diff --git a/secrets/enka.said.password.age b/secrets/enka.said.password.age new file mode 100644 index 0000000..cf7bc02 --- /dev/null +++ b/secrets/enka.said.password.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-rsa jPaU3Q +RCj5cbsVH2i08bb6n4oYVurJPjrb3OF5as2iRaJF+GNUj3X73yxLNiMknR/Qw1yz +hRhPgPf9r2AMAheGiHDkcWBO8hccYDrEzfUl+AYV5K+Ny1FOSgwSid9qCySWiVB9 ++sB0TFvwI4tlmjCCfuHwdqhUbiZyUDdjWtvJ3Ye5EyEW4oKIweJjW/r+An7M0AAY +qAf9f6yqU5hQtaYvdEuptv60OixIMkwgWWQMkIR6j7sjwZ7o65FGnXST1XyDt8Pv +mxHDJwUGRRbxum+qny8PS/5TRsahUVOXMDbOxlvraw3IjK7uJ2inCaZhhzGtyesj +3WDkTDtLXxQemTqEUglfhtxkly7axHqS/vfS+4ki5/oZODUHpB3NBuvNpF7Z2Tdb +tucFz5bH0Lhh4omPBLVs4bEpdDzi3oL10cTnMd/O8rGe9vFrgr19mqqebgdYFYoU +YwcYxffRBRtbsT8Ea1Vam7VT2rBEwK1U39EfU4ltqCXcavehhHJNRKtl7SCI2TrY + +--- HhjLRLEzNSv9CNNpkUB51sk6PP3S0jc2YIqjrQ7xW3g +ì|áëy€aæ:„6$>u%8¥QPˆ¶Åš«M;œVIûéB¶¯ J \ No newline at end of file 
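Review bot: This module registers every entry of secrets/secrets.nix as an `age.secrets` attribute on each host that imports `./secrets`, so cube's activation will also try to decrypt the two enka password files (and enka will try cube's) with identities that are not among their recipients; as far as I recall agenix logs a decryption failure per such secret and leaves the path missing, which at best is noise on every activation. Filtering the attrset to the secrets this host can actually read keeps each host to its own, e.g. `lib.filterAttrs (_: value: builtins.elem hostKey value.publicKeys) (import ./secrets.nix)` with `hostKey` being the host's entry from keys.nix — which means settling how keys.nix entries map to hosts, since `cube` is a host name and `rgbcube` is not. A one-line comment on the `genAttrs` call saying that every secret gets the agenix defaults (root-owned, mode 0400) would also save the next reader a lookup.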
diff --git a/secrets/keys.nix b/secrets/keys.nix new file mode 100644 index 0000000..79fe83a --- /dev/null +++ b/secrets/keys.nix @@ -0,0 +1,4 @@ +{ + rgbcube = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRSLWxpIMOZIQv9ggDnAwSxmux/TZvuEPgq2HFiH+oI2OE07xYQAiroBVI5HH+aIg1nwpYtArANoD8V9Hrx2XCo2py/fMi9LhJWNMlFVcRLqYrCmrZYhBqZhxXIdY+wXqkSE7kvTKsz84BrhwilfA/bqTgVw2Ro6w0RnTzUhlYx4w10DT3isN09cQJMgvuyWNRlpGpkEGhPwyXythKM2ERoHTfq/XtpiGZQeLr6yoTTd9q4rbvnGGka5IUEz3RrmeXEs13l02IY6dCUFJkRRsK8dvB9zFjQyM08IqdaoHeudZoCOsnl/AiegZ7C5FoYEKIXY86RqxS3TH3nwuxe2fXTNr9gwf2PumM1Yh2WxV4+pHQOksxW8rWgv1nXMT5AG0RrJxr+S0Nn7NBbzCImrprX3mg4vJqT24xcUjUSDYllEMa2ioXGCeff8cwVKK/Ly5fwj0AX1scjiw+b7jD6VvDLA5z+ALwCblxiRMCN0SOMk9/V2Xsg9YIRMHyQwpqu8k= nixos@enka"; + cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube"; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..f62abdc --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + keys = import ./keys.nix; +in { + "acme.age".publicKeys = [ keys.cube ]; + "cube.password.age".publicKeys = [ keys.cube ]; + "enka.said.password.age".publicKeys = [ keys.rgbcube ]; + "enka.orhan.password.age".publicKeys = [ keys.rgbcube ]; +}
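Review bot: `keys.rgbcube` is one RSA key that is both the SSH authorized key of the wheel user `rgb` on cube (hosts/cube/default.nix) and the sole recipient of enka's root and user password secrets (secrets/secrets.nix), so whoever holds that private key — which the `nixos@enka` comment suggests lives on enka — can log in to cube and decrypt enka's credentials. Separate keys per purpose (login versus secret decryption) and per host limit what a single leaked key unlocks, and ed25519 is the better default for any new key. A comment per entry naming where the private half lives and what it is used for would help future rotation, e.g. `# rgbcube: admin key; authorized on cube for rgb, agenix recipient for enka secrets`.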
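Review bot: Every secret has exactly one recipient, so `acme` and `cube.password` can only be edited or rekeyed with `agenix -e` from a machine holding cube's private key, and the enka secrets only with the `rgbcube` key; losing that one key loses the secret. The usual agenix layout lists an admin key next to the host key, e.g. `"acme.age".publicKeys = [ keys.cube keys.rgbcube ];`, so secrets can be rotated from the admin workstation, with the caveat from keys.nix that the admin key should then not double as a login key. Any recipient change needs `agenix -r` to re-encrypt the existing files.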