flake: use agenix

2021-09-20 15:09:44 +07:00 · 2021-09-20 15:09:44 +07:00 · eee9b5df5b
commit eee9b5df5b
parent 4fbeaab7eb
10 changed files with 81 additions and 19 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1631896269,
+        "narHash": "sha256-DAyCxJ8JacayOzGgGSfzrn7ghtsfL/EsCyk1NEUaAR8=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf1d773989ac5d949aeef03fce0fe27e583dbca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "better-status-indicators": {
      "flake": false,
      "locked": {
@ -426,6 +446,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "better-status-indicators": "better-status-indicators",
        "channel-typing": "channel-typing",
        "discord-tokyonight": "discord-tokyonight",
@ -443,7 +464,6 @@
        "pure": "pure",
        "radialstatus": "radialstatus",
        "rolecolor-everywhere": "rolecolor-everywhere",
-        "secrets": "secrets",
        "spotify-adblock": "spotify-adblock",
        "theme-toggler": "theme-toggler",
        "tokyonight": "tokyonight",
@ -457,21 +477,6 @@
        "zsh-history-substring-search": "zsh-history-substring-search"
      }
    },
-    "secrets": {
-      "locked": {
-        "lastModified": 1626423937,
-        "narHash": "sha256-ar4JcAS4q6PL2YiTXcFAsiLpvVZLc7/2r4TS6pI3Aww=",
-        "owner": "LavaDesu",
-        "repo": "flakes-secrets",
-        "rev": "73ec1e3c23216c1a42fb9a00dbf443d90af68f45",
-        "type": "github"
-      },
-      "original": {
-        "owner": "LavaDesu",
-        "repo": "flakes-secrets",
-        "type": "github"
-      }
-    },
    "spotify-adblock": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -3,8 +3,9 @@
    nixpkgs.url = "github:NixOS/nixpkgs";
    home-manager.url = "github:nix-community/home-manager";
    neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
-    secrets.url = "github:LavaDesu/flakes-secrets";
+    agenix.url = "github:ryantm/agenix";

+    agenix.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";

@ -43,7 +44,7 @@
    zelk = { url = "github:schnensch0/zelk"; flake = false; };
  };

-  outputs = { self, nixpkgs, home-manager, secrets, ... } @ inputs:
+  outputs = { self, agenix, nixpkgs, home-manager, ... } @ inputs:
    let
      lib = nixpkgs.lib;

@ -100,7 +101,7 @@
          system = arch;
          modules = [
            home-manager.nixosModules.home-manager
-            secrets.nixosModules.${name}
+            agenix.nixosModules.age
            (./hosts + "/${name}")
          ];
          specialArgs = { inherit inputs modules overlays enableGUI; };
--- a/hosts/apricot/default.nix
+++ b/hosts/apricot/default.nix
@ -1,7 +1,12 @@
 { config, modules, overlays, pkgs, ... }: {
  networking.hostName = "apricot";
  system.stateVersion = "21.05";
+  time.timeZone = "Asia/Phnom_Penh";

+  age.secrets = {
+    passwd.file = ../../secrets/passwd.age;
+    wpa_conf.file = ../../secrets/wpa_conf.age;
+  };
  imports = with modules.system; [
    base
    input
--- a/hosts/apricot/networking.nix
+++ b/hosts/apricot/networking.nix
@ -1,4 +1,5 @@
 { config, ... }: {
+  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
  networking = {
    wireless = {
      enable = true;
--- a/hosts/winter/default.nix
+++ b/hosts/winter/default.nix
@ -1,7 +1,12 @@
 { config, modules, overlays, pkgs, ... }: {
  networking.hostName = "winter";
  system.stateVersion = "20.09";
+  time.timeZone = "Asia/Phnom_Penh";

+  age.secrets = {
+    passwd.file = ../../secrets/passwd.age;
+    wpa_conf.file = ../../secrets/wpa_conf.age;
+  };
  imports = with modules.system; [
    audio
    base
--- a/hosts/winter/networking.nix
+++ b/hosts/winter/networking.nix
@ -1,4 +1,5 @@
 { config, ... }: {
+  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
  networking = {
    wireless = {
      enable = true;
--- a/secrets.nix
+++ b/secrets.nix
@ -0,0 +1,12 @@
+let
+  apricot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGS0M4BOLiVUM/qdUpcg9Y4aTeyDfyQl89uhXwFORjn";
+  fondue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkKZYsYWnI+MgecBjOwf7aL5jtiT0ymCDme3pzucTei";
+  winter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj";
+
+  rin-apricot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzygMMJ/hmPRUeQu/eMmEhAKfFSFIEVstDIerPzxgZ";
+  rin-fondue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbPamP5bovUsrBNYnjOk4SN2TaQZAVlJ+4JldK2cL5M";
+  rin-winter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
+in {
+  "secrets/passwd.age".publicKeys = [ apricot fondue winter rin-apricot rin-fondue rin-winter ];
+  "secrets/wpa_conf.age".publicKeys = [ apricot winter rin-apricot rin-winter ];
+}
--- a/secrets/passwd.age
+++ b/secrets/passwd.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 U9FXlg pyO5bXIo3QmlwLGThUQOJpxkNHMWRw7zCN7MZRHT2XI
+t6CvDsUoxDK7VieD1JGGoPIAdgNy88gHQTElEbq+Aw
+-> ssh-ed25519 W08TTA JGyCrmpEH/04XqVK3cZjZQxW8FdgTHGdeSjDRHBFTy8
+DO352HTh9LhjLROJt4Ezx5tCEjuA8O7Y2yOtSnzqJFY
+-> ssh-ed25519 pumkzw bwVqGKi9z0tZU//9eETsW3QtU1eKw1fUGueGpPPwEE0
+MPa3afK3Imz5DQ0OC+VRoN7NTkTfxW4PdYtUQpZKYFU
+-> ssh-ed25519 CUCjXQ imjGGo/eW0k/5Nqx54GSdxyPUd/rrKiCSbe5IVBqpGY
+kbznCkFsJ1cQtaSOpcO87XymQVUh0trjf+hnPrZn4wM
+-> ssh-ed25519 1f0c9Q gs51wLCgicapbWMXe762vHXzKZEL4uBEwyoMMgjYEDo
+jQcqFfXZdNyUXKdQYd6NGpB2UG6kspSqES0U7YVl8bs
+-> ssh-ed25519 l9dSQg jFs43ABxAmfFnbHXaDf7cI5LSZl7eG45vRvmDRcGn2I
+xi0ssuW/X+GbhEAjTlMqsRZuF860ClW5OW7em8q4gCU
+-> ddi&.U1,-grease l-[{g`4' 8[A; E*S _#Pt
+f6BrJn0
+--- 94Qsnx1vfwhCQBcX1UBinqiQkcTHwAsoaT8Fc0g6bxw
+*hŠ)ë¼uÞ-ÝØ¬<>4(uIãm5¬ÔßI½Í¼„7Ûs?;äŽr˜	õ:ñ–a‘£év{FJbýs‹tPŽ„óìlñäÀï?aq”Õ‚Nû7ËAô<41>sØ² –éˆI;+ÿc€(¯<>OÍ*3Lðr.GåÏ:fö|ñœ
--- a/secrets/wpa_conf.age
+++ b/secrets/wpa_conf.age
@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 U9FXlg E0hhgFA/zsRWQJlrPEcoa3EB5+PsCAqCR1zCnezkFjU
+C17s+kvncsFSdYG4MPG/mBuBwyjQihI0psdBG5TZRkU
+-> ssh-ed25519 pumkzw 6lB6ssEW3qI/urBGKNiVvwn2mwNlqjAoteHjzWhSdic
+5H9O9ogZSo5MZxvotcVpH2iTsSl82RoA1mEOqfPJhs8
+-> ssh-ed25519 CUCjXQ M1pJrjSYKt79yozkZg5QnWoVXm/Ycux2CjK9KZ2c3Gg
+kIZU/NI0lZK7VqP6LXeBCm1I1QvwPUcrrqRhouE1qXY
+-> ssh-ed25519 l9dSQg kdr5ycMPLZHm3gnQXlRGePkmnWMAtQCVL/eeqQNZW3M
+so1UTAIF4xYYC8BGseA+cY7yz49xeqROBoCrnyaa5fQ
+-> at-grease pZp\ \
+wFowXoNmbvDQFM/9r4Ju5rPlrj4nP8k4NEtKbUOZovebox75dWododrjol14pk7x
+2YgYznE9r6HsyqN/6wXroQ
+--- m1BL/gjAKZlbd2fLwT46xse7I9SzL5hgBIxnoIZmMu4
+oLZ80¬Å“"Á®;ã«‡gœ(Æ¡"5FšÇ‹aŠ6`GÊSfÍ.·´hYâç¬ª§K9‚›Jó=<3D>³· Ö0Ü†.€¬]qšØGoÄnpË•«ý—Îû3Žo>†
ÅS°¼•yR¡ÔpÍ¦z.K<>ËÅF¹F<C2B9>ep
--- a/users/rin.nix
+++ b/users/rin.nix
@ -4,6 +4,7 @@
    extraGroups = [ "adbusers" "audio" "video" "wheel" ];
    shell = pkgs.zsh;
    uid = 1001;
+    passwordFile = config.age.secrets.passwd.path;
  };
  home-manager.users.rin = { config, enableGUI, lib, pkgs, ... }: {
    home = {