This commit is contained in:
Henri Dohmen 2025-07-14 22:57:12 +02:00
parent a018670eae
commit 4183ccb893
Signed by: hd
GPG key ID: AB79213B044674AE
14 changed files with 169 additions and 38 deletions


@ -1,6 +1,7 @@
{ var, ... }:
{ var, inputs, ... }:
{
imports = [
inputs.agenix.nixosModules.default
../mod
../desktop
./boot.nix


@ -1,11 +1,17 @@
{
pkgs,
config,
lib,
options,
pkgs,
secrets,
var,
...
}:
{
age.secrets.hd-password = {
file = secrets."hd-password.age";
};
users = {
mutableUsers = false;
users."hd" = {
@ -16,12 +22,12 @@
extraGroups = [ "wheel" ];
shell = pkgs.fish;
packages = [ ];
openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8";
openssh.authorizedKeys.keys = var.ssh-keys.hd;
hashedPasswordFile = config.age.secrets.hd-password.path;
};
users.root = {
hashedPassword = "!";
openssh.authorizedKeys.keys = var.ssh-keys.priviliged;
openssh.authorizedKeys.keys = var.ssh-keys.root;
};
};
}
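Review bot: Moving the hash into an agenix secret does not retire it; the `hashedPassword` line this hunk deletes remains recoverable from repository history, so the hd password should be rotated when `hd-password.age` is created rather than re-encrypting the same value. No `owner`/`mode` is set on `age.secrets.hd-password`, which is fine as long as the activation step that reads `hashedPasswordFile` runs as root (agenix's default is a root-owned, owner-readable file) — a one-line comment such as `# root-only by default; read by the activation script, so no mode override needed` would record that this is intentional. The same rename of the key lists (`unprivileged` → `hd`, `priviliged` → `root`) also appears in `git.nix`, so those two files must be updated together.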

flake.lock generated

@ -1,5 +1,28 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
@ -55,7 +78,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
@ -72,6 +95,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -182,9 +226,10 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"colmena": "colmena",
"flake-utils": "flake-utils_2",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"nixos-config-hidden": "nixos-config-hidden",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2"
@ -220,6 +265,21 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -12,11 +12,17 @@
inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils.url = "github:numtide/flake-utils";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.darwin.follows = "";
};
};
outputs =
{
self,
agenix,
colmena,
flake-utils,
home-manager,
@ -31,6 +37,7 @@
specialArgs = rec {
inherit inputs lib';
var = (lib'.walk-dir ./var)._map (f: import f { inherit lib var; });
secrets = lib'.walk-dir ./secrets;
};
overlays = _: {
nixpkgs.overlays = [ colmena.overlay ];
@ -91,8 +98,11 @@
pkgs = import nixpkgs { inherit system; };
in
{
devShells.withColmena = pkgs.mkShell {
buildInputs = [ colmena.packages.${system}.colmena ];
devShells.default = pkgs.mkShell {
buildInputs = [
colmena.packages.${system}.colmena
agenix.packages.${system}.default
];
};
formatter = pkgs.nixfmt-tree;
}
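Review bot: The new `agenix` input pins only `nixpkgs` and blanks `darwin`, so agenix's own `home-manager` input is locked separately from the root one — the lockfile in this commit carries both `home-manager` and `home-manager_2`. Unless agenix genuinely needs a different home-manager, adding `inputs.home-manager.follows = "home-manager";` next to the `darwin` line keeps a single pinned copy to review and update. The `secrets = lib'.walk-dir ./secrets;` line deserves a short comment saying it exposes the encrypted `.age` files as an attribute tree (`secrets.roam."rclone-conf.age"`), since `secrets.nix` at the repo root describes a different thing (the recipient list). The `outputs` function starts and ends outside this hunk.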


@ -2,6 +2,10 @@
{
networking.hostName = "c2";
age.identityPaths = [
"/root/.ssh/id_ed25519"
];
imports = with inputs.nixos-hardware.nixosModules; [
./hardware-configuration.nix
common-cpu-intel
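Review bot: `age.identityPaths = [ "/root/.ssh/id_ed25519" ];` is repeated verbatim in the roam and solo host files of this commit; three copies of the same value are easy to let drift, and a shared module (for example under `../mod`) would keep the decryption identity in one place. Setting it also replaces agenix's default of using the sshd host keys, so the key at that path must be the private half of the matching `root-by-host` entry in `var/ssh-keys.nix` or secrets will fail to decrypt at activation — a comment like `# private half of var/ssh-keys.nix root-by-host.c2; agenix decrypts with it at activation` would make the dependency explicit. If that is indeed the same key, note that `users.root.openssh.authorizedKeys.keys = var.ssh-keys.root` makes the decryption identity double as a cross-host root login key; a dedicated decryption key (or the host key) keeps the two roles separate if that coupling is not intended.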

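--- /dev/null
+++ b/host/roam/backup.nix
+{
+config,
+pkgs,
+secrets,
+var,
+...
+}:
+{
+age.secrets.roam-rclone-conf = {
+file = secrets.roam."rclone-conf.age";
+mode = "440";
+owner = "root";
+group = "root";
+};
+systemd = {
+timers."backup-rclone" = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "daily";
+Persistent = true;
+Unit = "backup-rclone.service";
+};
+};
+services."backup-rclone" =
+let
+conf = config.age.secrets.roam-rclone-conf.path;
+in
+{
+script = ''
+${pkgs.rclone}/bin/rclone --config ${conf} copy /home/hd/Documents odc:Documents
+${pkgs.rclone}/bin/rclone --config ${conf} copy /git odc:git
+'';
+path = [ pkgs.rclone ];
+serviceConfig = {
+Type = "oneshot";
+User = "root";
+};
+};
+};
+}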
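Review bot: The unit runs as root with no sandboxing although it only needs to read `/home/hd/Documents`, `/git` and the rclone config, so a mistake in the config or in rclone itself can write anywhere on the host; `serviceConfig` entries such as `ProtectSystem = "strict"`, `ProtectHome = "read-only"`, `PrivateTmp = true` and `ReadOnlyPaths = [ "/git" ]` would bound it, after checking the journal for any cache directory rclone still needs to write. If `odc:` is an OAuth-backed remote, rclone refreshes the access token and tries to write it back into the config file; with the config served from an agenix path that write fails, so watch the first runs for token errors and plan how the refreshed token gets back into the secret. `path = [ pkgs.rclone ]` is redundant next to the absolute `${pkgs.rclone}/bin/rclone` calls — keep one form. A one-line comment naming what `odc:` is and why `copy` (no deletions propagated) was chosen would help the next reader.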


@ -2,7 +2,12 @@
{
networking.hostName = "roam";
age.identityPaths = [
"/root/.ssh/id_ed25519"
];
imports = [
./backup.nix
./git.nix
./hardware-configuration.nix
./networking.nix


@ -8,6 +8,6 @@
createHome = true;
group = "git";
shell = "${pkgs.git}/bin/git-shell";
openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
openssh.authorizedKeys.keys = var.ssh-keys.hd;
};
}


@ -1,7 +1,5 @@
{
var,
config,
pkgs,
...
}:
{
@ -36,26 +34,4 @@
443
];
};
systemd = {
timers."backup-rclone" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "backup-rclone.service";
};
};
services."backup-rclone" = {
script = ''
${pkgs.rclone}/bin/rclone copy /home/hd/Documents odc:Documents
${pkgs.rclone}/bin/rclone copy /git odc:git
'';
path = [ pkgs.rclone ];
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
};
}


@ -2,6 +2,10 @@
{
networking.hostName = "solo";
age.identityPaths = [
"/root/.ssh/id_ed25519"
];
imports = [
./hardware-configuration.nix
./keyboard.nix

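--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,12 @@
+let
+keys =
+let
+k = (import ./var/ssh-keys.nix { });
+in
+k.root; # ++ k.hd;
+secrets = [
+"roam/rclone-conf"
+"hd-password"
+];
+in
+builtins.foldl' (acc: x: acc // { "secrets/${x}.age".publicKeys = keys; }) { } secrets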
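Review bot: `keys` is the whole `k.root` list, so every secret — including `roam/rclone-conf` — is encrypted to all three hosts' root keys (the `hd-password.age` added in this commit shows three recipient stanzas), which means c2 and solo can decrypt roam's rclone credentials even though only roam imports `backup.nix`. Scoping recipients per secret keeps a compromise of one host from exposing the others' secrets. The commented-out `# ++ k.hd` leaves no identity outside the hosts' root keys among the recipients, so editing a secret with `agenix -e` has to be done with one of those keys; if that is deliberate, a comment stating so would stop the next maintainer from "fixing" it. A plain attribute set with per-secret recipients replaces the fold:
```nix
let
  k = import ./var/ssh-keys.nix { };
in
{
  "secrets/hd-password.age".publicKeys = k.root;
  "secrets/roam/rclone-conf.age".publicKeys = [ k.root-by-host."roam" ];
}
```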

secrets/hd-password.age Normal file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 ydxpSQ M0sDsl0um+whNdnXrl5RMp8BAXdVe1n8K41L6HXizG4
hIV5u4+ZPujJsNwet9UC2wnAFgpFe+b4BGtsNhah/34
-> ssh-ed25519 gbs8eg lNj3bYYZXf28MzvjOJ052zOg7xOROf3MjUWR35ZJfWw
Pxqa+IqRVAhoJdV/Muzt74rfoYBxE4YLh7y8KWwHaG0
-> ssh-ed25519 FTMbvw 7deJR8NLmOWT/RKUa+JbdZ7KYcLNqYxuYS9y/eOYoE8
haM8XoJVYTUVEEEuMbCdQxuOeZZT8ILtaGWG/uRDo+0
--- MKr7VcEMTYpu+gNelWf7vIZvU/TpyH/N61shLABcitA
 Ïº̓UJm!yëa÷Ù<C3B7>ÎŒnxŒ<78>E8ù·KwŸŒ * Z%MV:‚ò¬™¥ A•ÖšK<C5A1>;ñÔï& ì
¾~GÞÂ;ÑéjyõJ[ø<>´zKñ×/4Ò²·?<3F>¦ñ

Binary file not shown.


@ -1,14 +1,16 @@
_: rec {
# this is only used for forcing password entry on colmena apply
priviliged-by-host = {
root-by-host = {
"solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
"c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
"roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
};
priviliged = builtins.attrValues priviliged-by-host;
root = builtins.attrValues root-by-host;
unprivileged-by-host = {
hd-by-host = {
"solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
"c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
"roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
};
unprivileged = builtins.attrValues unprivileged-by-host;
hd = builtins.attrValues hd-by-host;
}
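Review bot: The comment `# this is only used for forcing password entry on colmena apply` is no longer accurate after this commit: `root`/`root-by-host` is also the recipient list in `secrets.nix` and root's `authorizedKeys` in the user module, so these public keys now gate secret decryption and root logins as well. Replace it with something like `# root-by-host: per-host root keys; agenix recipients (secrets.nix), root's authorized keys on every host, and the identity that forces password entry on colmena apply`, and give `hd-by-host` a matching one-liner (`# per-host keys of user hd; authorized for hd and for the git user`). The rename from the misspelled `priviliged` to `root` is a good cleanup; the `git.nix` and user-module references are updated in the same commit, so no stale callers remain in view.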