From 4183ccb8937bbe515cd40ea8bacfcea160ce585f Mon Sep 17 00:00:00 2001 From: Henri Dohmen Date: Mon, 14 Jul 2025 22:57:12 +0200 Subject: [PATCH] agenix --- common/default.nix | 3 +- common/users.nix | 14 +++++--- flake.lock | 64 +++++++++++++++++++++++++++++++++-- flake.nix | 14 ++++++-- host/c2/default.nix | 4 +++ host/roam/backup.nix | 41 ++++++++++++++++++++++ host/roam/default.nix | 5 +++ host/roam/git.nix | 2 +- host/roam/services.nix | 24 ------------- host/solo/default.nix | 4 +++ secrets.nix | 12 +++++++ secrets/hd-password.age | 10 ++++++ secrets/roam/rclone-conf.age | Bin 0 -> 2868 bytes var/ssh-keys.nix | 10 +++--- 14 files changed, 169 insertions(+), 38 deletions(-) create mode 100644 host/roam/backup.nix create mode 100644 secrets.nix create mode 100644 secrets/hd-password.age create mode 100644 secrets/roam/rclone-conf.age diff --git a/common/default.nix b/common/default.nix index 57fac8e..8bdfa2b 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,6 +1,7 @@ -{ var, ... }: +{ var, inputs, ... }: { imports = [ + inputs.agenix.nixosModules.default ../mod ../desktop ./boot.nix diff --git a/common/users.nix b/common/users.nix index 48a8b29..df339df 100644 --- a/common/users.nix +++ b/common/users.nix @@ -1,11 +1,17 @@ { - pkgs, + config, lib, options, + pkgs, + secrets, var, ... }: { + age.secrets.hd-password = { + file = secrets."hd-password.age"; + }; + users = { mutableUsers = false; users."hd" = { @@ -16,12 +22,12 @@ extraGroups = [ "wheel" ]; shell = pkgs.fish; packages = [ ]; - openssh.authorizedKeys.keys = var.ssh-keys.unprivileged; - hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8"; + openssh.authorizedKeys.keys = var.ssh-keys.hd; + hashedPasswordFile = config.age.secrets.hd-password.path; }; users.root = { hashedPassword = "!"; - openssh.authorizedKeys.keys = var.ssh-keys.priviliged; + openssh.authorizedKeys.keys = var.ssh-keys.root; }; }; } 
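Review bot: The yescrypt hash removed on the `hashedPassword` line of `common/users.nix` stays recoverable from git history, so moving the same password into `hd-password.age` does not retire it; if that password is still in use it should be rotated when the secret is created, not just re-encrypted. `age.secrets.hd-password` relies on agenix's defaults (root-owned, root-readable) which is the right choice for `hashedPasswordFile` since it is read during activation as root, but that is not obvious to a reader — I would add `# read by the users activation step as root; agenix's default root-only mode is sufficient` above the `file =` line. The hunk also swaps `var.ssh-keys.unprivileged`/`priviliged` for `hd`/`root`; the matching `var/ssh-keys.nix` change is listed in the diffstat but not in view here, so it is worth confirming that no key that previously authorized root login was dropped in the rename, since a mismatch would lock out remote access silently.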
diff --git a/flake.lock b/flake.lock index de0a509..ded27f0 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -55,7 +78,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -72,6 +95,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -182,9 +226,10 @@ }, "root": { "inputs": { + "agenix": "agenix", "colmena": "colmena", "flake-utils": "flake-utils_2", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nixos-config-hidden": "nixos-config-hidden", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2" 
@@ -220,6 +265,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 763b553..9c2d307 100644 --- a/flake.nix +++ b/flake.nix @@ -12,11 +12,17 @@ inputs.nixpkgs.follows = "nixpkgs"; }; flake-utils.url = "github:numtide/flake-utils"; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.darwin.follows = ""; + }; }; outputs = { self, + agenix, colmena, flake-utils, home-manager, @@ -31,6 +37,7 @@ specialArgs = rec { inherit inputs lib'; var = (lib'.walk-dir ./var)._map (f: import f { inherit lib var; }); + secrets = lib'.walk-dir ./secrets; }; overlays = _: { nixpkgs.overlays = [ colmena.overlay ]; @@ -91,8 +98,11 @@ pkgs = import nixpkgs { inherit system; }; in { - devShells.withColmena = pkgs.mkShell { - buildInputs = [ colmena.packages.${system}.colmena ]; + devShells.default = pkgs.mkShell { + buildInputs = [ + colmena.packages.${system}.colmena + agenix.packages.${system}.default + ]; }; formatter = pkgs.nixfmt-tree; } diff --git a/host/c2/default.nix b/host/c2/default.nix index 28a2e68..2e0b2a5 100644 --- a/host/c2/default.nix +++ b/host/c2/default.nix @@ -2,6 +2,10 @@ { networking.hostName = "c2"; + age.identityPaths = [ + "/root/.ssh/id_ed25519" + ]; + imports = with inputs.nixos-hardware.nixosModules; [ ./hardware-configuration.nix common-cpu-intel diff --git a/host/roam/backup.nix b/host/roam/backup.nix new file mode 100644 index 0000000..22a7191 --- /dev/null +++ b/host/roam/backup.nix 
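Review bot: `age.identityPaths = [ "/root/.ssh/id_ed25519" ]` in `host/c2/default.nix` (and identically in `host/roam/default.nix` and `host/solo/default.nix` in this patch) replaces agenix's default of decrypting with the per-host SSH host key by root's user key. Together with `users.root.openssh.authorizedKeys.keys = var.ssh-keys.root` and `secrets.nix` encrypting to `k.root`, it looks like a single private key both grants root SSH login everywhere and decrypts every secret on every host, so one leaked file compromises all of it, and a freshly installed host cannot decrypt anything until that key is copied into `/root/.ssh` by hand. I would drop the override so each host decrypts with its own `/etc/ssh/ssh_host_ed25519_key`, add each host's host public key to the recipient list in `secrets.nix`, and keep a separate operator key purely for (re)encryption. If the shared user key is intentional, say so next to the setting, e.g. `# decrypt with root's user key rather than the host key; it must be provisioned before first activation`.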
@@ -0,0 +1,41 @@ +{ + config, + pkgs, + secrets, + var, + ... +}: +{ + age.secrets.roam-rclone-conf = { + file = secrets.roam."rclone-conf.age"; + mode = "440"; + owner = "root"; + group = "root"; + }; + + systemd = { + timers."backup-rclone" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + Unit = "backup-rclone.service"; + }; + }; + services."backup-rclone" = + let + conf = config.age.secrets.roam-rclone-conf.path; + in + { + script = '' + ${pkgs.rclone}/bin/rclone --config ${conf} copy /home/hd/Documents odc:Documents + ${pkgs.rclone}/bin/rclone --config ${conf} copy /git odc:git + ''; + path = [ pkgs.rclone ]; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + }; +} diff --git a/host/roam/default.nix b/host/roam/default.nix index 0cd2475..2e3e990 100644 --- a/host/roam/default.nix +++ b/host/roam/default.nix @@ -2,7 +2,12 @@ { networking.hostName = "roam"; + age.identityPaths = [ + "/root/.ssh/id_ed25519" + ]; + imports = [ + ./backup.nix ./git.nix ./hardware-configuration.nix ./networking.nix diff --git a/host/roam/git.nix b/host/roam/git.nix index c10f3bf..5d56b6a 100644 --- a/host/roam/git.nix +++ b/host/roam/git.nix @@ -8,6 +8,6 @@ createHome = true; group = "git"; shell = "${pkgs.git}/bin/git-shell"; - openssh.authorizedKeys.keys = var.ssh-keys.unprivileged; + openssh.authorizedKeys.keys = var.ssh-keys.hd; }; } diff --git a/host/roam/services.nix b/host/roam/services.nix index b1b7fda..d6ad204 100644 --- a/host/roam/services.nix +++ b/host/roam/services.nix @@ -1,7 +1,5 @@ { var, - config, - pkgs, ... }: { 
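Review bot: `backup-rclone` in `host/roam/backup.nix` runs as root with network access and `serviceConfig` carries no confinement, so the process only needs root to read `/home/hd/Documents` and `/git` yet anything that goes wrong inside rclone runs unconfined. Keeping `User = "root"` and the root-only `mode = "440"` on the secret is fine for the reads, but the unit should at least get `ProtectHome = "read-only"`, `ProtectSystem`, `PrivateTmp` and `NoNewPrivileges` (`ProtectSystem = "strict"` would additionally need a writable cache directory for rclone, which is why the excerpt below uses `"full"`). If `odc:` is an OAuth-backed remote, rclone will try to write refreshed tokens back to the file given by `--config ${conf}`, which agenix regenerates on every activation, so a comment above `conf` would save the next maintainer a debugging session: `# agenix re-creates this file on activation; any token refresh rclone writes back here is lost`. `path = [ pkgs.rclone ]` is also redundant with the absolute `${pkgs.rclone}/bin/rclone` in `script`; keep one of the two.
```nix
    services."backup-rclone" =
      let
        # agenix re-creates this file on activation; any token refresh rclone writes back here is lost.
        conf = config.age.secrets.roam-rclone-conf.path;
      in
      {
        # … unchanged: script and path …
        serviceConfig = {
          Type = "oneshot";
          User = "root"; # needed only to read /home/hd and /git
          ProtectHome = "read-only";
          ProtectSystem = "full"; # "strict" would need a writable CacheDirectory for rclone
          PrivateTmp = true;
          NoNewPrivileges = true;
          ProtectKernelTunables = true;
          RestrictSUIDSGID = true;
        };
      };
```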
@@ -36,26 +34,4 @@ 443 ]; }; - - systemd = { - timers."backup-rclone" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - Unit = "backup-rclone.service"; - }; - }; - services."backup-rclone" = { - script = '' - ${pkgs.rclone}/bin/rclone copy /home/hd/Documents odc:Documents - ${pkgs.rclone}/bin/rclone copy /git odc:git - ''; - path = [ pkgs.rclone ]; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - }; } diff --git a/host/solo/default.nix b/host/solo/default.nix index 0752652..63db5a0 100644 --- a/host/solo/default.nix +++ b/host/solo/default.nix @@ -2,6 +2,10 @@ { networking.hostName = "solo"; + age.identityPaths = [ + "/root/.ssh/id_ed25519" + ]; + imports = [ ./hardware-configuration.nix ./keyboard.nix diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..a2160e3 --- /dev/null +++ b/secrets.nix @@ -0,0 +1,12 @@ +let + keys = + let + k = (import ./var/ssh-keys.nix { }); + in + k.root; # ++ k.hd; + secrets = [ + "roam/rclone-conf" + "hd-password" + ]; +in +builtins.foldl' (acc: x: acc // { "secrets/${x}.age".publicKeys = keys; }) { } secrets diff --git a/secrets/hd-password.age b/secrets/hd-password.age new file mode 100644 index 0000000..a6d79af --- /dev/null +++ b/secrets/hd-password.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 ydxpSQ M0sDsl0um+whNdnXrl5RMp8BAXdVe1n8K41L6HXizG4 +hIV5u4+ZPujJsNwet9UC2wnAFgpFe+b4BGtsNhah/34 +-> ssh-ed25519 gbs8eg lNj3bYYZXf28MzvjOJ052zOg7xOROf3MjUWR35ZJfWw +Pxqa+IqRVAhoJdV/Muzt74rfoYBxE4YLh7y8KWwHaG0 +-> ssh-ed25519 FTMbvw 7deJR8NLmOWT/RKUa+JbdZ7KYcLNqYxuYS9y/eOYoE8 +haM8XoJVYTUVEEEuMbCdQxuOeZZT8ILtaGWG/uRDo+0 +--- MKr7VcEMTYpu+gNelWf7vIZvU/TpyH/N61shLABcitA +Ϻa̓UJm!yaُΌnxE8Kw * Z%MV:ò A֚K;& +~G;jyJ[6zK/4Ҳ? \ No newline at end of file 
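Review bot: Every entry produced by the `foldl'` in `secrets.nix` gets the same `publicKeys = keys`, so `roam/rclone-conf` is encrypted to exactly the same recipients as the host-wide `hd-password` even though only roam consumes it (`host/roam/backup.nix`); any identity that can decrypt the password can also read roam's rclone credentials, and c2/solo carry ciphertext they never need. An explicit attrset with a per-secret recipient list — an operator set for every entry plus only the consuming host's identity for host-specific files — expresses that directly and removes both the fold and the stale `# ++ k.hd;` remnant, which should either be enabled or deleted rather than left as a commented-out operand inside an expression. The three `ssh-ed25519` stanzas in `secrets/hd-password.age` suggest `k.root` currently holds three keys; the excerpt below keeps that list as the operator set and uses a labelled placeholder where roam's own decryption public key belongs.
```nix
let
  k = import ./var/ssh-keys.nix { };
  operators = k.root; # keys used to (re)encrypt; present on every entry
  # Placeholder: replace with roam's decryption public key (its host key if age.identityPaths is left at agenix's default).
  roam = [ "<ROAM_AGE_RECIPIENT_PUBKEY>" ];
in
{
  # Consumed by common/users.nix on every host; each host's identity must be able to decrypt it.
  "secrets/hd-password.age".publicKeys = operators;
  # Consumed only by host/roam/backup.nix.
  "secrets/roam/rclone-conf.age".publicKeys = operators ++ roam;
}
```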
diff --git a/secrets/roam/rclone-conf.age b/secrets/roam/rclone-conf.age new file mode 100644 index 0000000000000000000000000000000000000000..2c67c317942c7fcceb417616231a75a3214d5d05 GIT binary patch literal 2868 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyOsOac4pc}F%JR-B zbqX*F3oUbX&vnVR40kpQFR!d92=oZ|HONah&CJa5FY`~ zZ?Ehs)5x?!C$sP%C%4i7KTi**Ku503iUPAV?a(0i^ps4GiY%v$vgC|J^RS5UUK4@p15nl zTUR#iGjY;a`L`h&QCWhO$v~oKXuWfsJ*AB>FV{lw79;!%IjBm zbL$q@i1(igI7RMlUFl#f=Dziykd@c%$7gz0?m2l*cWUA6`65daELEJer<^_2-; zqG#9^+#)_-{2hv$0*t;7_Qx^7}d6=BvU8M2u z%csRp|8T0#auBos5qSARM!=TO-CT#$HKg-$Q)8u5cLg$MEPQscWTT+UqLfSf+B#NO zzNz0n!>;a^L%QRJ$+8MYF8}slp7V9v()9bPw+ya@3)=N-Uf9UlYj5iR;Qw=r-%3&o zbzh6WX7UQR>AJT^=0_~c_71ZcSF>OIoi^X>)D~zqnli@CUZ25mWGCBHM)xxxsx>G4 zJF`_PulSNwDbGW3RGt58f#YeBh+HUei77HBLW`A+J zv_Zu2`0<4T?hp7RA9FMFTwni2_twujw>_*T2O2L5xv_rhfxYe7>URVA1dm4Xc)1^% zv^`_uU-vf`J^c8}M3+knY}fMEYSZnBe4OvRGXHdg2)A0_Vhgs;=!)A%;pzv zLW}*JcWilFU4QK6X3wS4ex)Cp4z^xwJnW0+T^E7<6Wx~vZWHU3c{^#HUcj9f1y`$FvwctQjIcPj#fnq^jaYVPe(Wbd z2Mw)PM&I9T&+X1*{B(ig%(wO)q4n#2C0tWdF8<8NBG+yDYfV=Pf5zO&A3udeB%Ik8 za^SDSM+^5-=L6c0*4^G_eIxqP?9Ip4FtD^uj$FfIvi{PPAK%rNb#rMY%$cP8nmg08 zlEuw8Uq^A~^0`;D{=Q7u^x@_8<>fDe_xNs;p5Nj6M{?g)sZR@{tyR=Ew!G`y{7~<& z{*=w3r_E0*F-uJ2VLffS&}Qqo+PHj+BkPVl>)SI!r%kbM`$3&HDV<--!}K>!*!{~u zd}sZaJ04H7LRA`b83)&3if<`yz<`?AzLm-5>M2JK}0ejn6xC=LIB8XxX~{?YXm6(?s1}CoMdgwzqm>3&V?u zaudY`JKBtsluim#y6<-A zrgx0k72eCoESLj5SL|7Jz)xn?qP5e#*L;{O{IqRv*n~ZTX~(Y#>M%y0yR0plCO?0c z@Fu}k>(3Y0D;@Uz?eBchWs!&n?r<^rqA6wUiRQ%;!r)e_j#HDF18fzst+^g7f zc;&}`v7z(Jr&@V0)$dz%#-QoZdVffAzh!S$;r~XJ@Q;r6cr2iowV!z<-K^#a)p*JOtP0! 
zgdX?s-Oh8n+hbeZxl-GmwQfq_b3gSPIyq;$HQr3#b3tn2tK~nm*w((-eYdwj`&Iky znAg{nUteOLxY#d#k zu~SD+e6ZszS6u88b2xOpvg(Fy+vonO&iTk0yjxLVr+v$|M*A8ajyx96w_0^|V((UD z9=;qj`TD0shYe{lUsh`g{J$tt`^jZWn}+$P7|Fnz7rM#1^M%&+-?_nm!fP&{Myc%7 zz}aVHww&i#vE!w0UdgE=AN=ap8sz>lJ~jLF!lum7^$s$dW_(z=l5g3BH(SaU)ZLWN zTKYqEcSq~G5{XZ}2LF2hJDIOIcVnMVNBe@`^P>}1TU38N7n5Yuy6u+4pJ)0vn3v4n zwIe7+GV#z}@rNfLzPlTea!q{lj=6G9%kN!%zeFTiIq=!scgL&J&Ll9ta{?}e@F^}i1XU^}uErwTKdHVJ6B*`qvvx(?`sjZx8#oTIC z!NVdj%{}Jy&f9NGPqk#d%`=I)ptaSVfBk`Fxtd}!c|Q{WZYdEwwpj5(_`{!XKV>NW zuvZB-PaFLSGZpmCJ+0wsvLU?bLk!QMU0aXsbGFo)D03=k zZRWEh6W5jHm