secrets: setup agenix

Antoine Martin 2022-01-17 21:56:41 +01:00
parent d7bf5fdbf4
commit c4fe135612
7 changed files with 100 additions and 12 deletions


@ -53,6 +53,8 @@
# nix pkgs lookup # nix pkgs lookup
nix-index nix-index
agenix
; ;
inherit (pkgs.llvmPackages_11) inherit (pkgs.llvmPackages_11)


@ -1,5 +1,23 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1641576265,
"narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "08b9c96878b2f9974fc8bde048273265ad632357",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"emacs-overlay": { "emacs-overlay": {
"locked": { "locked": {
"lastModified": 1642358862, "lastModified": 1642358862,
@ -71,18 +89,15 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1642104392, "lastModified": 1618628710,
"narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
"owner": "NixOS", "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
"repo": "nixpkgs", "rev": "7919518f0235106d050c77837df5e338fb94de5d",
"rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", "type": "path"
"type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "id": "nixpkgs",
"ref": "nixos-unstable", "type": "indirect"
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-unstable-small": { "nixpkgs-unstable-small": {
@ -101,13 +116,30 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1642104392,
"narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"emacs-overlay": "emacs-overlay", "emacs-overlay": "emacs-overlay",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable-small": "nixpkgs-unstable-small" "nixpkgs-unstable-small": "nixpkgs-unstable-small"
} }
} }


@ -15,6 +15,12 @@
ref = "nixos-unstable-small"; ref = "nixos-unstable-small";
}; };
agenix = {
type = "github";
owner = "ryantm";
repo = "agenix";
};
emacs-overlay = { emacs-overlay = {
type = "github"; type = "github";
owner = "nix-community"; owner = "nix-community";
@ -45,7 +51,7 @@
}; };
}; };
outputs = { self, nixpkgs, home-manager, ... } @inputs: { outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: {
nixosModules = { nixosModules = {
home = { home = {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
@ -74,9 +80,13 @@
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
}; };
}) })
agenix.overlay
] ++ builtins.attrValues self.overlays; ] ++ builtins.attrValues self.overlays;
sharedModules = [ sharedModules = [
agenix.nixosModules.age
home-manager.nixosModule home-manager.nixosModule
{ nixpkgs.overlays = shared_overlays; } { nixpkgs.overlays = shared_overlays; }
] ++ (nixpkgs.lib.attrValues self.nixosModules); ] ++ (nixpkgs.lib.attrValues self.nixosModules);
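Review bot: The new `agenix` input in the first hunk declares no `inputs.nixpkgs.follows`, so agenix carries its own nixpkgs copy; the lock file in this same commit shows that copy resolved as a `"type": "path"` entry under `/nix/store/...` with an `"indirect"` original, while the flake's own nixpkgs moved to `nixpkgs_2`. That means two nixpkgs evaluations, and a pin that will most likely only resolve on the machine that wrote the lock. Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix = { ... };` block and re-running `nix flake lock` makes `agenix.overlay` and `agenix.nixosModules.age` build against the same nixpkgs as the rest of the flake.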


@ -53,6 +53,11 @@ in
}; };
}; };
fwupd.enable = true; fwupd.enable = true;
openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
}; };
my.gui.enable = true; my.gui.enable = true;
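Review bot: `passwordAuthentication = false` does not by itself rule out password logins, because sshd's keyboard-interactive (PAM) method is a separate switch that NixOS, as far as I recall, leaves enabled by default; add `challengeResponseAuthentication = false;` (spelled `kbdInteractiveAuthentication` on newer NixOS) next to it. Enabling `services.openssh` also opens TCP 22 in the NixOS firewall by default, so if this host is not meant to be reachable from outside, set `openFirewall = false;` or constrain `listenAddresses`. Worth a comment that the host's ssh key is now also its agenix decryption identity, since this commit wires both up. The enclosing `services` attribute set starts before this hunk.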


@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./sddm.nix ./sddm.nix
./secrets
./wakeonwlan.nix ./wakeonwlan.nix
]; ];
} }


@ -0,0 +1,24 @@
{ config, lib, options, ... }:
{
config.age = {
secrets =
let
toName = lib.removeSuffix ".age";
userExists = u: builtins.hasAttr u config.users.users;
# Only set the user if it exists, to avoid warnings
userIfExists = u: if userExists u then u else "root";
toSecret = name: { owner ? "root", ... }: {
file = ./. + "/${name}";
owner = lib.mkDefault (userIfExists owner);
};
convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
secrets = import ./secrets.nix;
in
lib.mapAttrs' convertSecrets secrets;
identityPaths = options.age.identityPaths.default ++ [
"/home/alarsyo/.ssh/id_ed25519"
];
};
}
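Review bot: `userIfExists` silently substitutes `"root"` when the requested owner is not in `config.users.users`, so a typo in a secret's `owner` yields a root-only file and the consuming service fails later with a permission error rather than at evaluation time; make the fallback loud, e.g. `userIfExists = u: if userExists u then u else lib.warn "age secret owner '${u}' does not exist, using root" "root";` (or `throw` if a missing owner should be a hard error). `toSecret` also discards every other attribute of the secrets.nix entry via `...`, so `mode` or `group` set there would be ignored; if that is intended, a comment saying only `owner` is read would prevent surprises. Finally, `identityPaths` makes a user's personal key under `/home/alarsyo/.ssh/` a system-wide decryption identity read by root at activation; a comment explaining why the host key alone is not sufficient would help the next reader judge whether that is still needed.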


@ -0,0 +1,14 @@
let
alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
users = [ alarsyo ];
boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
machines = [ boreal poseidon zephyrus ];
all = users ++ machines;
in
{
}
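Review bot: The returned attribute set is empty, so `users`, `machines` and `all` are declared but unused, and nothing documents the shape that `./default.nix` expects from each entry (it reads `owner` and keys the secret by the `.age` filename). A one-line comment above `in` such as `# "foo.age" = { publicKeys = all; owner = "foo"; };  # owner is read by ./default.nix` would make that explicit. Note that using `all` grants the laptop user key the ability to decrypt every host secret; for secrets only a server needs, listing `machines` (or a single host) keeps the blast radius of a lost laptop key smaller.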