From e5d6210912c9f0a0a155a4233ac0b966122088f1 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 11:20:25 +0100
Subject: [PATCH 1/2] zephyrus: don't depend on git-crypt secrets at all

---
 hosts/zephyrus/default.nix | 3 ---
 services/restic-backup.nix | 1 -
 zephyrus.nix | 3 ---
 3 files changed, 7 deletions(-)

diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index 0236f1d..ef8f38a 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -3,9 +3,6 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
-let
-  secrets = config.my.secrets;
-in
 {
   imports = [
     # Include the results of the hardware scan.
diff --git a/services/restic-backup.nix b/services/restic-backup.nix
index 8d57f5c..66e531c 100644
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
@@ -11,7 +11,6 @@ let
     ;
   cfg = config.my.services.restic-backup;
-  secrets = config.my.secrets;
   excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
   makePruneOpts = pruneOpts: attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
diff --git a/zephyrus.nix b/zephyrus.nix
index e355eb3..ed011ae 100644
--- a/zephyrus.nix
+++ b/zephyrus.nix
@@ -10,9 +10,6 @@
     # Service definitions
     ./services
-    # Configuration secrets
-    ./secrets
-
     # Host-specific config
     ./hosts/zephyrus
   ];

From a83c9a4644232b9cd4e29487a533665dede872a9 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 11:41:37 +0100
Subject: [PATCH 2/2] secrets: move hashed passwords to agenix

---
 base/users.nix | 4 ++--
 modules/secrets/secrets.nix | 3 +++
 modules/secrets/users/alarsyo-hashed-password.age | Bin 0 -> 694 bytes
 modules/secrets/users/root-hashed-password.age | Bin 0 -> 619 bytes
 4 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 modules/secrets/users/alarsyo-hashed-password.age
 create mode 100644 modules/secrets/users/root-hashed-password.age
diff --git a/base/users.nix b/base/users.nix
index 263163f..2af640f 100644
--- a/base/users.nix
+++ b/base/users.nix
@@ -5,10 +5,10 @@ in
 {
   users.mutableUsers = false;
   users.users.root = {
-    hashedPassword = secrets.shadow-hashed-password-root;
+    passwordFile = config.age.secrets."users/root-hashed-password".path;
   };
   users.users.alarsyo = {
-    hashedPassword = secrets.shadow-hashed-password-alarsyo;
+    passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
     isNormalUser = true;
     extraGroups = [
       "media"
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 5998d31..0a0d1cd 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -13,4 +13,7 @@ in
 {
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
   "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
+
+  "users/root-hashed-password.age".publicKeys = machines;
+  "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..9d80aa72837e8960690453faa7b6615c69c3c397
GIT binary patch
literal 694
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7HcI!%Dpv?A4$MsV z3Nf_|3r{f%aWg87sL=QEF7U}HugtIXu8ausc8scwEOQUeO6STq@C+-_PfmA@OereO zFU(5`FmW&T@-mI6G^#QwvM`SFvds1IEOk$fG(op5DzG%n&ru;S$iy!%JSW{P!aLA2 z%``M6H_|jL+1bdV&>|!#&pS6Y!q6o!r6@HyubeA5B{AD8&^0Z>r#LS+HOMbJqsYK0 zDJfLn(ksum*xfQQ%CR&=+ohni#1q}NDl^woi$H~_s)E$u!Yp_5#7v{8{IH0moOD+Y zS2KeuA0NL`zv3Kkzv2Mnkg(u#cV8|`@8XooJm1P(^9=6-6AKHo!ZQD~qLL~vw@~v8 zBcCXz?DF)Y!sMhPZC7;LBEx+Hv(psmQW{Zh&;vophjT?gp)ldw3n3%_Y`iK7pK|mIj`haw0FQo0Mx|uNB{r; literal 0 HcmV?d00001 
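Review bot: The `let … in` prelude that `secrets.shadow-hashed-password-*` was read from lies outside this hunk (only `in` survives in the hunk header), and the diffstat shows no other change to base/users.nix, so the `secrets = config.my.secrets;` binding presumably remains as dead code and keeps this file tied to the git-crypt option the previous patch set out to drop; remove it together with the two references. With `users.mutableUsers = false` the `passwordFile` is re-read on every activation, so the decrypted file has to be present before the users activation step runs (agenix normally orders its decryption ahead of it, but this is worth confirming on a fresh boot) and must hold exactly one line in a form `chpasswd -e` accepts. A comment next to the option would spare the next reader that research, e.g. `# Decrypted by agenix at activation; the file must contain the crypt(3) hash on a single line.` The same applies to the alarsyo entry a few lines down.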
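Review bot: `users/root-hashed-password.age` is encrypted to `machines` only, whereas the alarsyo hash is also encrypted to the `alarsyo` key; unless that is deliberate, the root hash can only be decrypted or re-keyed from a host's private key, so rotating it or recovering it after a host is lost requires access to one of the machines rather than the admin key. If the asymmetry is intended, a one-line comment stating why would help; otherwise `"users/root-hashed-password.age".publicKeys = machines ++ [ alarsyo ];` matches the alarsyo entry. The `machines` list itself is defined outside this hunk, so every host in it will hold the decrypted root hash at a root-readable path; that is acceptable for a hash but is the reason the recipient set deserves a comment here.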
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..b0ef183c39e301610cb269a98de8f0305c4535d5
GIT binary patch
literal 619
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTS3M>utb5!tkO3gAi z&Z{hpEJ_dd%FIuTs4R9hOZLpFNDlQ)D+mhm3<)a@$f+vy2;|Bt49f8;2=(v{F^>%O zHBZhobc`@gOVamua!X0}$TRUWNQyA=H*t4#GeEbk%FMOYB2b|$Bc!Cb$hjgo*wNQO zKf}bMIJm?=C8<0+!_Pd;KRn6AJ229u%-1>7y_n0mB)d4T(kHpd+#|r#(9bKSI3z4I z%*!B3+s~-dH6l63-_tU;Bt6PG+!fun$Z+4l>~w_?iz=h+Oph`zH~&K4h=TNDpKOo3 z;!-1ntdxMPoI-y$OE2d_H`C&(tYof~lnjHw@CwVMeB(Sbk1X>fzd$#aM8hy+({eBK zjH-|C&!XtuX2!WJ|=3VN%3CUy6Hu!iN&c3QC7+Nmht5Zrf#{e&I(Zlam5OW zHIacnT)Fz?hR)^wUglmAK1n4N#-&jeC8nNkuIYyPMJZ9vm1bdKgrwQK}F?>P9?edWjR&GF23QWCR_|^mp@+@x_=-^Ji@Ng zw0E5*OGoAw{m1WQlXpBZ?-Nm9AJxC?x`+f{;gjM`H+7lf_dlGLr^MiEvf^yt(p7t( zJ5A7vy1-RbRg;$GF=>bI`WugKY<~Iot4gna#$m6p^jJ-WwjIJ9;wLsoaXTl-te>z} fbm1;@)`!0@Ylc1Bxq2VxYO%mO%VXj=wVn9^p