From a83c9a4644232b9cd4e29487a533665dede872a9 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Tue, 18 Jan 2022 11:41:37 +0100
Subject: [PATCH] secrets: move hashed passwords to agenix

---
 base/users.nix                                    |   4 ++--
 modules/secrets/secrets.nix                       |   3 +++
 modules/secrets/users/alarsyo-hashed-password.age | Bin 0 -> 694 bytes
 modules/secrets/users/root-hashed-password.age    | Bin 0 -> 619 bytes
 4 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 modules/secrets/users/alarsyo-hashed-password.age
 create mode 100644 modules/secrets/users/root-hashed-password.age

diff --git a/base/users.nix b/base/users.nix
index 263163f..2af640f 100644
--- a/base/users.nix
+++ b/base/users.nix
@@ -5,10 +5,10 @@ in
 {
   users.mutableUsers = false;
   users.users.root = {
-    hashedPassword = secrets.shadow-hashed-password-root;
+    passwordFile = config.age.secrets."users/root-hashed-password".path;
   };
   users.users.alarsyo = {
-    hashedPassword = secrets.shadow-hashed-password-alarsyo;
+    passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
     isNormalUser = true;
     extraGroups = [
       "media"
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 5998d31..0a0d1cd 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -13,4 +13,7 @@ in
 {
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
   "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
+
+  "users/root-hashed-password.age".publicKeys = machines;
+  "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..9d80aa72837e8960690453faa7b6615c69c3c397
GIT binary patch
literal 694
zcmZ9_O>5Ht007Wk1eb$2=RuH3271t$wM~<@xrphS<~wcLG)?1}q)nQpNs~5dnx!|H
zb13eh3>gT!c@RB_>@=7M6%S(<4?~$BH$8|RcW@{1y7vd3W*U&;w*0t1v^;m-^UcI4
z1wc2zAm~7b4x?xa18vx(x)CS`qGd7?iph07BNgFLSx#_lpX)@i7qhWaVR1EXjL2%&
z1iU0I4-+kuXy|_E4P3p9kO9M>N(_$?KbKY+tjEzIX*7_Nn<|E~fP-!Y5!||C78O>c
z+h|SiHBh;=0Otldsp7IdLrE1x-8Wip1XOj+W<;W`aDm%1DuUhdlW?<HOJI!42PCGc
zcqq*k`r(j1xs5YKm=i&D+&8L&E}7LVSoLJ3>6ipXWRhc!6G9<ySRp8<CAk`rJb<x*
z9=m+p%XZj4lFMZVqf*-+j+tUD+krVXZ%3v-Xf^#g;^fw-^P+8n<<R05ScfJAJ;H2D
zt`dF3%i;OR!fhn1I|UKRCn7J2OE{1qD`kU?3mC)LyjzW0c`dFu#covN;CypbE?ICd
z%Zz$nKKQ>W{Oy}r0Wy6<3k=Z2$oa}5D1azQDL|Ib1mn1YmXbEwG64vJKz5iCC5*5!
z+#S(axrAv$WX|CoD!nYJhQ<XVWhw${I3f*nR;B&>cdbj$H!f0dXZO<Uj1xRqdVg=_
z&bg^o>+zq14etD&^CfukduIQrN?zM}`83t0yxr}BxPJU>Hu+=oTkX-|yS0Tglb@~}
zeV>;nXI{NISe$k<6MsKnZ!$kW{CaXcb@uCp-HFXpr!Oa7?`-*#EVVWYrymZsx0bH1
M&|Aa9TWtB`Kh(tYNB{r;

literal 0
HcmV?d00001

diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..b0ef183c39e301610cb269a98de8f0305c4535d5
GIT binary patch
literal 619
zcmZ9_OKZ~r007`2dRPPnoz8<o5Sh#o(=<u5dKffmvovd(rH?cXy4fUc(xgrEY}&Ak
z7ujWVc<}DQ2M!%L4^!{~Uc3mx4x1pzbSPfDh$j)m>%KqmHS{Lbv{i5D1nr)Ex##I{
z9|52l(Dx0fsU>k7NrSQwip31bkxi38?V(%u^fKG-wWOh+OR0HtpjNq-Q!3>vVmRN4
zT}A**x71;sD#KNXdX*#8Hj<IhmICu6t*MNSu?a=Ocx*O9Ck}3LDi=-*VBe?&zDEtp
z<qVgA4UF;20k0{MWfX}PUsJF-p^o)Asy*uiXkhvFu%LPbGoMF_tmaq5s>mkfsbX@N
zlhh8MPj>@drfRu^TfN2!mJU{?<D}JQ`Yg@6oaE?!!D4JbOeRci-t4$Mon|SQ#{Jk-
z0ZlU!LT!*%dZ?XZOhPFNbhd$rC?2td5m!vi3Q#f=l-cP2R=_4gWs$WY-D@`dCMaJ~
z;q+nz;&eAhfwHsUgN>!SPyo7cgisOB60B5Ef&m)Jg8<LdIUVVFnoJE-qUZt;1c3n&
z&Sgov?`6`c<1k`rYCv}6h^R{?FKUoMx7Y8)XqKzt7%(!i{cGpM=Qql@G;;%Ac`|u;
zx%~|O`tzK+wNI>$UEGjw-QO8IbIjfMpMHc6Exz8nW1k=4u!rwg?>&0?om{&le*nCA
zsbw;^x44bnFT0yR{{FtO0vm5xQNK0`-rPF5JpOJ|K1y9byRr88)ZG`vk-b0Llj67M
T>#s)FPYa(OTwNHQqK^Lqp<CO*

literal 0
HcmV?d00001