Use agenix

2025-07-29 19:17:45 +00:00 · 2024-01-10 14:38:49 +03:00 · 2024-01-10 14:38:49 +03:00 · 722114295c
commit 722114295c
parent 63a70bd318
16 changed files with 188 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,9 +12,12 @@
 !lib/
 !secrets/
 !.gitignore
 !flake.lock
 !*.age
 !*.md
 !*.nix
 !*.nu
--- a/flake.lock
+++ b/flake.lock
@ -16,6 +16,29 @@
        "type": "github"
      }
    },
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1703433843,
        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "crane": {
      "inputs": {
        "nixpkgs": [
@ -37,6 +60,28 @@
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1700795494,
        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
@ -179,7 +224,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1694529238,
@ -227,7 +272,7 @@
    },
    "flake-utils_5": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1694529238,
@ -338,6 +383,27 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1703113217,
        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "homeManager": {
      "inputs": {
        "nixpkgs": [
@ -362,7 +428,7 @@
      "inputs": {
        "hyprland-protocols": "hyprland-protocols",
        "nixpkgs": "nixpkgs",
-        "systems": "systems_2",
+        "systems": "systems_3",
        "wlroots": "wlroots",
        "xdph": "xdph"
      },
@ -647,6 +713,7 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "fenix": "fenix",
        "ghostty": "ghostty",
        "ghosttyModule": "ghosttyModule",
@ -720,6 +787,21 @@
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -734,7 +816,7 @@
        "type": "github"
      }
    },
-    "systems_3": {
+    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
--- a/flake.nix
+++ b/flake.nix
@ -31,6 +31,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url                    = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    hyprland = {
      url = "github:hyprwm/Hyprland";
    };
@ -85,10 +90,9 @@
  outputs = {
    nixSuper,
    nixpkgs,
    agenix,
    homeManager,
    nuScripts,
    fenix,
    zig,
    site,
    tools,
    themes,
@ -96,12 +100,20 @@
  } @ inputs: let
    importConfiguration = host: let
      hostDefault = import ./hosts/${host} {
-        # Will explode if you try to use user dependant stuff.
+        config = {};
-        ulib = (import ./lib lib null) // { merge = lib.recursiveUpdate; };
+        ulib   = (import ./lib lib null) // {
          merge = lib.recursiveUpdate;
        };
      };
      users = {
-        all       = builtins.attrNames hostDefault.users.users ++ [ "root" ];
+        all = let
          users = builtins.attrNames hostDefault.users.users;
        in if builtins.elem "root" users then
          users
        else
          users ++ [ "root" ];
        graphical = builtins.attrNames (lib.filterAttrs (name: value: builtins.elem "graphical" (value.extraGroups or [])) hostDefault.users.users);
      };
@ -113,16 +125,17 @@
      pkgs  = import nixpkgs { inherit system; };
      upkgs = let
        defaults = lib.genAttrs
-          [ "nixSuper" "hyprland" "hyprpicker" "ghostty" "zls" ]
+          [ "nixSuper" "agenix" "hyprland" "hyprpicker" "ghostty" "zls" ]
          (name: inputs.${name}.packages.${system}.default);
        other = {
-          inherit nuScripts;
+          nuScripts = inputs.nuScripts;
-
+          zig       = inputs.zig.packages.${system}.master;
          zig = zig.packages.${system}.master;
        };
      in defaults // other;
      keys = import ./secrets/keys.nix;
      theme = themes.custom (themes.raw.gruvbox-dark-hard // {
        cornerRadius = 8;
        borderWidth  = 2;
@ -144,6 +157,8 @@
      });
      defaultConfiguration = {
        age.identityPaths = builtins.map (user: "/home/${user}/.ssh/id") users.all;
        home-manager.users           = lib.genAttrs users.all (user: {});
        home-manager.useGlobalPkgs   = true;
        home-manager.useUserPackages = true;
@ -154,9 +169,13 @@
    in lib.nixosSystem {
      inherit system;
-      specialArgs = { inherit inputs ulib upkgs theme; };
+      specialArgs = { inherit inputs ulib upkgs keys theme; };
      modules     = [
        homeManager.nixosModules.default
        agenix.nixosModules.default
        ./secrets
        site.nixosModules.default
        defaultConfiguration
--- a/hosts/cube/acme.nix
+++ b/hosts/cube/acme.nix
@ -1,11 +1,11 @@
-{ ulib, ... }: with ulib;
+{ config, ulib, ... }: with ulib;
 serverSystemConfiguration {
  security.acme = {
    acceptTerms = true;
    defaults = {
-      credentialsFile = "/home/cube/.credentials/acme";
+      credentialsFile = config.age.secrets.acme.path;
      dnsProvider     = "cloudflare";
      dnsResolver     = "1.1.1.1";
      email           = "rgbsphere@gmail.com";
--- a/hosts/cube/default.nix
+++ b/hosts/cube/default.nix
@ -1,18 +1,19 @@
-{ ulib, ... }: with ulib; merge
+{ config, ulib, keys, ... }: with ulib; merge
-(let
+(systemConfiguration {
  rgbKey  = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRSLWxpIMOZIQv9ggDnAwSxmux/TZvuEPgq2HFiH+oI2OE07xYQAiroBVI5HH+aIg1nwpYtArANoD8V9Hrx2XCo2py/fMi9LhJWNMlFVcRLqYrCmrZYhBqZhxXIdY+wXqkSE7kvTKsz84BrhwilfA/bqTgVw2Ro6w0RnTzUhlYx4w10DT3isN09cQJMgvuyWNRlpGpkEGhPwyXythKM2ERoHTfq/XtpiGZQeLr6yoTTd9q4rbvnGGka5IUEz3RrmeXEs13l02IY6dCUFJkRRsK8dvB9zFjQyM08IqdaoHeudZoCOsnl/AiegZ7C5FoYEKIXY86RqxS3TH3nwuxe2fXTNr9gwf2PumM1Yh2WxV4+pHQOksxW8rWgv1nXMT5AG0RrJxr+S0Nn7NBbzCImrprX3mg4vJqT24xcUjUSDYllEMa2ioXGCeff8cwVKK/Ly5fwj0AX1scjiw+b7jD6VvDLA5z+ALwCblxiRMCN0SOMk9/V2Xsg9YIRMHyQwpqu8k= nixos@enka";
 in systemConfiguration {
  system.stateVersion = "23.05";
  nixpkgs.hostPlatform = "x86_64-linux";
  time.timeZone = "Europe/Amsterdam";
  users.users.root.passwordFile = config.age.secrets."cube.password".path;
  users.users.rgb = normalUser {
    description = "RGB";
    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ rgbKey ];
+    openssh.authorizedKeys.keys = [ keys.rgbcube ];
    passwordFile = config.age.secrets."cube.password".path;
  };
 })
--- a/hosts/enka/default.nix
+++ b/hosts/enka/default.nix
@ -1,4 +1,4 @@
-{ ulib, ... }: with ulib; merge
+{ config, ulib, ... }: with ulib; merge
 (systemConfiguration {
  system.stateVersion = "23.05";
@ -7,14 +7,18 @@
  time.timeZone = "Europe/Istanbul";
  users.users.root.passwordFile = config.age.secrets."enka.said.password".path;
  users.users.said = graphicalUser {
    description = "Said";
    extraGroups = [ "wheel" ];
    passwordFile = config.age.secrets."enka.said.password".path;
    uid         = 1000;
  };
  users.users.orhan = graphicalUser {
    description = "Orhan";
    passwordFile = builtins.trace (config.age.secrets) config.age.secrets."enka.orhan.password".path;
    uid         = 1001;
  };
--- a/modules/git.nix
+++ b/modules/git.nix
@ -67,7 +67,7 @@ homeConfiguration {
      commit.gpgSign  = true;
      gpg.format      = "ssh";
-      user.signingKey = "~/.ssh/id_rsa";
+      user.signingKey = "~/.ssh/id";
    };
  };
 }
--- a/modules/packages.nix
+++ b/modules/packages.nix
@ -18,6 +18,8 @@
 ]))
 (desktopSystemPackages (with pkgs; [
  upkgs.agenix
  clang_16
  clang-tools_16
  gh
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -8,14 +8,14 @@ desktopHomeConfiguration {
      hostname     = "5.255.78.70";
      user         = "rgb";
      port         = 2222;
-      identityFile = "~/.ssh/id_rsa";
+      identityFile = "~/.ssh/id";
    };
    matchBlocks.robotic = {
      hostname     = "86.105.252.189";
      user         = "rgbcube";
      port         = 2299;
-      identityFile = "~/.ssh/id_rsa";
+      identityFile = "~/.ssh/id";
    };
  };
 }
--- a/secrets/acme.age
+++ b/secrets/acme.age
--- a/secrets/cube.password.age
+++ b/secrets/cube.password.age
@ -0,0 +1,5 @@
 age-encryption.org/v1
 -> ssh-ed25519 +rZ0Tw 9vzFYQdaR8oU5fCX5TpYCcpHxRneInJJmKJxyAox1H8
 dfH3DoCUcXPklFXGcAOjorafQnmzmfNMjF04uh/Tk1Y
 --- st25AwLd+TvV/XNoIaeWxSiNus7VYYjGa1GkR6zJaJA
 ç€‰Ëã&njœ+ÓüËæÄ‚½:¬±È
ó¯À¢'ØjÝøä
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,9 @@
 { lib, ulib, ... }: with ulib;
 systemConfiguration {
  age.secrets = lib.genAttrs
    (builtins.map
      (lib.removeSuffix ".age")
      (builtins.attrNames (import ./secrets.nix)))
    (name: { file = ./${name}.age; });
 }
--- a/secrets/enka.orhan.password.age
+++ b/secrets/enka.orhan.password.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-rsa jPaU3Q
 TYP4U2JrR4wMD/iGf2N69aCAUyTcfhh1ir/Kl2I8cirwyPqRyPf6Zz5bffXdPXDS
 npDHBiY2jWc+UB6Aa93cuzas0FMgzhYgeg4/5Zejr1/ZgQ4yMS3eRNZjp98oRnvM
 nlRbbuRyseNqvahOsDcXk6BLi4G8iF42HnF02lrcRrpIoR5SUI0Jo1trTi8FeZ8l
 yehxJ7Sgi+r/kkrKub5TucbP8UFgPwM35Q9y3Piy+Uj2d7cUr+7OAD/B54wk1QcB
 sLjHudfsOa92OauIy5VJXLy2a8R3Vlf5xC0C2qdyVSbo8ehbrYiyS58C/4IIGP7W
 D6Dccc0MEuAnivoJjDD77Pc7h5AuCeC+iCDwj+Pf2rx7t5RWIspUGO+oV7sah8qe
 dN9CSgqRsXIeqhsY1+1XV/g97Ws6a7+NT5u8caUA8ix5kES66/QV3l4xVEsbeZJ7
 z6J0bHB4PKfkO0kokvU0qYt8TwFeRxo4+vD/boV+RBRn75Uvp4hGriOjj72cSioc
 --- d1Wrh6OYon38DuBTf3+evw1gZooi1Jz0jM2tkIuRGM8
 ªXÕÅ¥âjòBµZÞ¹Ñkà|]Snìeøíƒ§hï&7*+Ø¯kG
--- a/secrets/enka.said.password.age
+++ b/secrets/enka.said.password.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-rsa jPaU3Q
 RCj5cbsVH2i08bb6n4oYVurJPjrb3OF5as2iRaJF+GNUj3X73yxLNiMknR/Qw1yz
 hRhPgPf9r2AMAheGiHDkcWBO8hccYDrEzfUl+AYV5K+Ny1FOSgwSid9qCySWiVB9
 +sB0TFvwI4tlmjCCfuHwdqhUbiZyUDdjWtvJ3Ye5EyEW4oKIweJjW/r+An7M0AAY
 qAf9f6yqU5hQtaYvdEuptv60OixIMkwgWWQMkIR6j7sjwZ7o65FGnXST1XyDt8Pv
 mxHDJwUGRRbxum+qny8PS/5TRsahUVOXMDbOxlvraw3IjK7uJ2inCaZhhzGtyesj
 3WDkTDtLXxQemTqEUglfhtxkly7axHqS/vfS+4ki5/oZODUHpB3NBuvNpF7Z2Tdb
 tucFz5bH0Lhh4omPBLVs4bEpdDzi3oL10cTnMd/O8rGe9vFrgr19mqqebgdYFYoU
 YwcYxffRBRtbsT8Ea1Vam7VT2rBEwK1U39EfU4ltqCXcavehhHJNRKtl7SCI2TrY
 --- HhjLRLEzNSv9CNNpkUB51sk6PP3S0jc2YIqjrQ7xW3g
 ì|áëy€aæ:„6$>u%8¥QPˆ¶Åš«M;œVIûéB¶¯J
--- a/secrets/keys.nix
+++ b/secrets/keys.nix
@ -0,0 +1,4 @@
 {
  rgbcube  = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRSLWxpIMOZIQv9ggDnAwSxmux/TZvuEPgq2HFiH+oI2OE07xYQAiroBVI5HH+aIg1nwpYtArANoD8V9Hrx2XCo2py/fMi9LhJWNMlFVcRLqYrCmrZYhBqZhxXIdY+wXqkSE7kvTKsz84BrhwilfA/bqTgVw2Ro6w0RnTzUhlYx4w10DT3isN09cQJMgvuyWNRlpGpkEGhPwyXythKM2ERoHTfq/XtpiGZQeLr6yoTTd9q4rbvnGGka5IUEz3RrmeXEs13l02IY6dCUFJkRRsK8dvB9zFjQyM08IqdaoHeudZoCOsnl/AiegZ7C5FoYEKIXY86RqxS3TH3nwuxe2fXTNr9gwf2PumM1Yh2WxV4+pHQOksxW8rWgv1nXMT5AG0RrJxr+S0Nn7NBbzCImrprX3mg4vJqT24xcUjUSDYllEMa2ioXGCeff8cwVKK/Ly5fwj0AX1scjiw+b7jD6VvDLA5z+ALwCblxiRMCN0SOMk9/V2Xsg9YIRMHyQwpqu8k= nixos@enka";
  cube     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMkCJeHcD0SIOZ4HkyF6rqUmbvlKhSha3HWMZ0hbIjp rgb@cube";
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,8 @@
 let
  keys = import ./keys.nix;
 in {
  "acme.age".publicKeys                = [ keys.cube ];
  "cube.password.age".publicKeys       = [ keys.cube ];
  "enka.said.password.age".publicKeys  = [ keys.rgbcube ];
  "enka.orhan.password.age".publicKeys = [ keys.rgbcube ];
 }