agenix

2025-07-14 22:57:12 +02:00 · 2025-07-14 22:57:12 +02:00 · 4183ccb893
commit 4183ccb893
parent a018670eae
14 changed files with 169 additions and 38 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -1,6 +1,7 @@
-{ var, ... }:
+{ var, inputs, ... }:
 {
  imports = [
    inputs.agenix.nixosModules.default
    ../mod
    ../desktop
    ./boot.nix
--- a/common/users.nix
+++ b/common/users.nix
@ -1,11 +1,17 @@
 {
-  pkgs,
+  config,
  lib,
  options,
  pkgs,
  secrets,
  var,
  ...
 }:
 {
  age.secrets.hd-password = {
    file = secrets."hd-password.age";
  };
  users = {
    mutableUsers = false;
    users."hd" = {
@ -16,12 +22,12 @@
      extraGroups = [ "wheel" ];
      shell = pkgs.fish;
      packages = [ ];
-      openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
+      openssh.authorizedKeys.keys = var.ssh-keys.hd;
-      hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8";
+      hashedPasswordFile = config.age.secrets.hd-password.path;
    };
    users.root = {
      hashedPassword = "!";
-      openssh.authorizedKeys.keys = var.ssh-keys.priviliged;
+      openssh.authorizedKeys.keys = var.ssh-keys.root;
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,28 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": [],
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1750173260,
        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "colmena": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -55,7 +78,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
@ -72,6 +95,27 @@
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1745494811,
        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -182,9 +226,10 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "colmena": "colmena",
        "flake-utils": "flake-utils_2",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "nixos-config-hidden": "nixos-config-hidden",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2"
@ -220,6 +265,21 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -12,11 +12,17 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    flake-utils.url = "github:numtide/flake-utils";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.darwin.follows = "";
    };
  };
  outputs =
    {
      self,
      agenix,
      colmena,
      flake-utils,
      home-manager,
@ -31,6 +37,7 @@
      specialArgs = rec {
        inherit inputs lib';
        var = (lib'.walk-dir ./var)._map (f: import f { inherit lib var; });
        secrets = lib'.walk-dir ./secrets;
      };
      overlays = _: {
        nixpkgs.overlays = [ colmena.overlay ];
@ -91,8 +98,11 @@
        pkgs = import nixpkgs { inherit system; };
      in
      {
-        devShells.withColmena = pkgs.mkShell {
+        devShells.default = pkgs.mkShell {
-          buildInputs = [ colmena.packages.${system}.colmena ];
+          buildInputs = [
            colmena.packages.${system}.colmena
            agenix.packages.${system}.default
          ];
        };
        formatter = pkgs.nixfmt-tree;
      }
--- a/host/c2/default.nix
+++ b/host/c2/default.nix
@ -2,6 +2,10 @@
 {
  networking.hostName = "c2";
  age.identityPaths = [
    "/root/.ssh/id_ed25519"
  ];
  imports = with inputs.nixos-hardware.nixosModules; [
    ./hardware-configuration.nix
    common-cpu-intel
--- a/host/roam/backup.nix
+++ b/host/roam/backup.nix
@ -0,0 +1,41 @@
 {
  config,
  pkgs,
  secrets,
  var,
  ...
 }:
 {
  age.secrets.roam-rclone-conf = {
    file = secrets.roam."rclone-conf.age";
    mode = "440";
    owner = "root";
    group = "root";
  };
  systemd = {
    timers."backup-rclone" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
        Unit = "backup-rclone.service";
      };
    };
    services."backup-rclone" =
      let
        conf = config.age.secrets.roam-rclone-conf.path;
      in
      {
        script = ''
          ${pkgs.rclone}/bin/rclone --config ${conf} copy /home/hd/Documents odc:Documents
          ${pkgs.rclone}/bin/rclone --config ${conf} copy /git odc:git
        '';
        path = [ pkgs.rclone ];
        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };
  };
 }
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@ -2,7 +2,12 @@
 {
  networking.hostName = "roam";
  age.identityPaths = [
    "/root/.ssh/id_ed25519"
  ];
  imports = [
    ./backup.nix
    ./git.nix
    ./hardware-configuration.nix
    ./networking.nix
--- a/host/roam/git.nix
+++ b/host/roam/git.nix
@ -8,6 +8,6 @@
    createHome = true;
    group = "git";
    shell = "${pkgs.git}/bin/git-shell";
-    openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
+    openssh.authorizedKeys.keys = var.ssh-keys.hd;
  };
 }
--- a/host/roam/services.nix
+++ b/host/roam/services.nix
@ -1,7 +1,5 @@
 {
  var,
  config,
  pkgs,
  ...
 }:
 {
@ -36,26 +34,4 @@
      443
    ];
  };
  systemd = {
    timers."backup-rclone" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
        Unit = "backup-rclone.service";
      };
    };
    services."backup-rclone" = {
      script = ''
        ${pkgs.rclone}/bin/rclone copy /home/hd/Documents odc:Documents
        ${pkgs.rclone}/bin/rclone copy /git odc:git
      '';
      path = [ pkgs.rclone ];
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };
  };
 }
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@ -2,6 +2,10 @@
 {
  networking.hostName = "solo";
  age.identityPaths = [
    "/root/.ssh/id_ed25519"
  ];
  imports = [
    ./hardware-configuration.nix
    ./keyboard.nix
--- a/secrets.nix
+++ b/secrets.nix
@ -0,0 +1,12 @@
 let
  keys =
    let
      k = (import ./var/ssh-keys.nix { });
    in
    k.root; # ++ k.hd;
  secrets = [
    "roam/rclone-conf"
    "hd-password"
  ];
 in
 builtins.foldl' (acc: x: acc // { "secrets/${x}.age".publicKeys = keys; }) { } secrets
--- a/secrets/hd-password.age
+++ b/secrets/hd-password.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 ydxpSQ M0sDsl0um+whNdnXrl5RMp8BAXdVe1n8K41L6HXizG4
 hIV5u4+ZPujJsNwet9UC2wnAFgpFe+b4BGtsNhah/34
 -> ssh-ed25519 gbs8eg lNj3bYYZXf28MzvjOJ052zOg7xOROf3MjUWR35ZJfWw
 Pxqa+IqRVAhoJdV/Muzt74rfoYBxE4YLh7y8KWwHaG0
 -> ssh-ed25519 FTMbvw 7deJR8NLmOWT/RKUa+JbdZ7KYcLNqYxuYS9y/eOYoE8
 haM8XoJVYTUVEEEuMbCdQxuOeZZT8ILtaGWG/uRDo+0
 --- MKr7VcEMTYpu+gNelWf7vIZvU/TpyH/N61shLABcitA
  Ïº›aÐÍƒUJm!yëa÷Ù<C3B7>ÎŒnxŒ<78>E8ù·KwŸŒ*	Z%MV:‚Ã²¬™¥’ A•ÖšK<C5A1>;ñÔï&™ì
 ¾~GÞÂ;ÑéjyõJ[ø<>6à´zKñ›×/4Ò²·?<3F>¦ñ
--- a/secrets/roam/rclone-conf.age
+++ b/secrets/roam/rclone-conf.age
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -1,14 +1,16 @@
 _: rec {
  # this is only used for forcing password entry on colmena apply
-  priviliged-by-host = {
+  root-by-host = {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
  };
-  priviliged = builtins.attrValues priviliged-by-host;
+  root = builtins.attrValues root-by-host;
-  unprivileged-by-host = {
+  hd-by-host = {
    "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
    "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
    "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
  };
-  unprivileged = builtins.attrValues unprivileged-by-host;
+  hd = builtins.attrValues hd-by-host;
 }