secrets: setup agenix

2022-01-17 21:56:41 +01:00 · 2022-01-17 21:56:41 +01:00 · c4fe135612
parent d7bf5fdbf4
commit c4fe135612
7 changed files with 100 additions and 12 deletions
--- a/base/programs.nix
+++ b/base/programs.nix
@ -53,6 +53,8 @@

      # nix pkgs lookup
      nix-index
+
+      agenix
    ;

    inherit (pkgs.llvmPackages_11)
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,23 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1641576265,
+        "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "emacs-overlay": {
      "locked": {
        "lastModified": 1642358862,
@ -71,18 +89,15 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1642104392,
-        "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
-        "type": "github"
+        "lastModified": 1618628710,
+        "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+        "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+        "rev": "7919518f0235106d050c77837df5e338fb94de5d",
+        "type": "path"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "type": "indirect"
      }
    },
    "nixpkgs-unstable-small": {
@ -101,13 +116,30 @@
        "type": "github"
      }
    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1642104392,
+        "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "emacs-overlay": "emacs-overlay",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable-small": "nixpkgs-unstable-small"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -15,6 +15,12 @@
      ref = "nixos-unstable-small";
    };

+    agenix = {
+      type = "github";
+      owner = "ryantm";
+      repo = "agenix";
+    };
+
    emacs-overlay = {
      type = "github";
      owner = "nix-community";
@ -45,7 +51,7 @@
    };
  };

-  outputs = { self, nixpkgs, home-manager, ... } @inputs: {
+  outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: {
    nixosModules = {
      home = {
        home-manager.useGlobalPkgs = true;
@ -74,9 +80,13 @@
              inherit system;
              config.allowUnfree = true;
            };
+
          })
+
+          agenix.overlay
        ] ++ builtins.attrValues self.overlays;
        sharedModules = [
+          agenix.nixosModules.age
          home-manager.nixosModule
          { nixpkgs.overlays = shared_overlays; }
        ] ++ (nixpkgs.lib.attrValues self.nixosModules);
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@ -53,6 +53,11 @@ in
      };
    };
    fwupd.enable = true;
+    openssh = {
+      enable = true;
+      permitRootLogin = "no";
+      passwordAuthentication = false;
+    };
  };
  my.gui.enable = true;

--- a/modules/default.nix
+++ b/modules/default.nix
@ -2,6 +2,7 @@
 {
  imports = [
    ./sddm.nix
+    ./secrets
    ./wakeonwlan.nix
  ];
 }
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@ -0,0 +1,24 @@
+{ config, lib, options, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toName = lib.removeSuffix ".age";
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+        convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+        secrets = import ./secrets.nix;
+      in
+      lib.mapAttrs' convertSecrets secrets;
+
+    identityPaths = options.age.identityPaths.default ++ [
+      "/home/alarsyo/.ssh/id_ed25519"
+    ];
+  };
+}
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -0,0 +1,14 @@
+let
+  alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
+  users = [ alarsyo ];
+
+  boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
+  poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
+  zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
+
+  machines = [ boreal poseidon zephyrus ];
+
+  all = users ++ machines;
+in
+{
+}