diff --git a/home/private_dot_ssh/config b/home/private_dot_ssh/config
index 4e69cc6c..627802f2 100644
--- a/home/private_dot_ssh/config
+++ b/home/private_dot_ssh/config
@@ -1,3 +1,3 @@
Host github.com
AddKeysToAgent yes
- IdentityFile ~/.ssh/keys/github_personal
+ IdentityFile /run/agenix/git/github_personal
diff --git a/home/private_dot_ssh/keys/.placeholder b/home/private_dot_ssh/keys/.placeholder
deleted file mode 100644
index e69de29b..00000000
diff --git a/provision/age-secrets/git/github_personal.age b/provision/age-secrets/git/github_personal.age
new file mode 100644
index 00000000..6f50d08a
Binary files /dev/null and b/provision/age-secrets/git/github_personal.age differ
diff --git a/provision/age-secrets/secrets.nix b/provision/age-secrets/secrets.nix
new file mode 100644
index 00000000..c816a817
--- /dev/null
+++ b/provision/age-secrets/secrets.nix
@@ -0,0 +1,10 @@
+let
+ kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2iE16XVkriD0x6GhnqmvGDA1qNBibvHVIi5xY+c7Iu";
+ systems = [ kestrel ];
+
+ tstarr_kestrel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINr2BUUToMswbAbxZMXarl2pQEomM+jADyZbEK31VGu/";
+ users = [ tstarr_kestrel ];
+in
+{
+ "git/github_personal.age".publicKeys = users ++ systems;
+}
diff --git a/provision/flake.lock b/provision/flake.lock
index ae2e2416..62494f70 100644
--- a/provision/flake.lock
+++ b/provision/flake.lock
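Review bot: The github.com block still lacks `IdentitiesOnly yes`, so with `AddKeysToAgent yes` ssh keeps offering every identity already loaded in the agent before the configured IdentityFile; that can authenticate as the wrong GitHub account and discloses each offered public key to the server. Adding `IdentitiesOnly yes` next to the new IdentityFile line restricts the attempt to the agenix-managed key. Note also that `/run/agenix/git/github_personal` only exists on hosts where the agenix module has activated the secret; ssh silently skips a missing IdentityFile, so a host without it falls back to whatever the agent holds rather than failing loudly.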
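Review bot: Only kestrel's host key is in `systems`, yet `git/github_personal.age` is declared under `age.secrets` in provision/modules/system/secrets.nix and flake.nix now imports `agenix.nixosModules.default` on kestrel, shivan, torus and bulwark. If any host other than kestrel enables `modules.system.secrets`, agenix activation will fail there because its host key cannot decrypt the file; either add each host's ssh_host_ed25519 public key to `systems` and re-key with `agenix -r`, or guard the `age.secrets` entry on `config.networking.hostName == "kestrel"`. The recipient split itself is sound: the user key allows editing, the host key allows decryption at activation.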
@@ -1,6 +1,70 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1720546205, + "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -55,8 +119,8 @@ "hyprlang": "hyprlang", "hyprutils": "hyprutils", "hyprwayland-scanner": "hyprwayland-scanner", - "nixpkgs": "nixpkgs", - "systems": "systems", + "nixpkgs": "nixpkgs_2", + "systems": "systems_2", "xdph": "xdph" }, "locked": { 
@@ -218,11 +282,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719075281, - "narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a71e967ef3694799d0c418c98332f7ff4cc5f6af", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { @@ -249,6 +313,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1719075281, + "narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a71e967ef3694799d0c418c98332f7ff4cc5f6af", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1720031269, "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=", @@ -264,7 +344,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1719468428, "narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=", @@ -282,17 +362,18 @@ }, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "hyprland": "hyprland", "hyprland-contrib": "hyprland-contrib", "jovian-nixos": "jovian-nixos", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { 
@@ -310,6 +391,21 @@ } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", diff --git a/provision/flake.nix b/provision/flake.nix index b3ee1741..cfb36b44 100644 --- a/provision/flake.nix +++ b/provision/flake.nix @@ -12,6 +12,7 @@ flake = false; }; sops-nix.url = "github:Mic92/sops-nix"; + agenix.url = "github:ryantm/agenix"; hyprland.url = "github:hyprwm/Hyprland"; hyprland-contrib = { url = "github:hyprwm/contrib"; @@ -19,7 +20,7 @@ }; }; - outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, sops-nix, hyprland, ... }: + outputs = inputs @ { self, nixpkgs, home-manager, jovian-nixos, sops-nix, agenix,hyprland, ... }: let system = "x86_64-linux"; pkgs = import nixpkgs { @@ -37,6 +38,7 @@ ./hosts/kestrel/configuration.nix ./hosts/kestrel/hardware.nix sops-nix.nixosModules.sops + agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; @@ -59,6 +61,7 @@ ./hosts/shivan/configuration.nix ./hosts/shivan/hardware.nix sops-nix.nixosModules.sops + agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; @@ -81,6 +84,7 @@ ./hosts/torus/configuration.nix ./hosts/torus/hardware.nix sops-nix.nixosModules.sops + agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; 
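Review bot: The new `outputs` pattern reads `agenix,hyprland` without a space after the comma, while the rest of the list uses `, `; it should be `sops-nix, agenix, hyprland, ...`. Beyond style, provision/modules/system/secrets.nix now takes `inputs` as a module argument, which only works if each `nixosSystem` call passes it through `specialArgs` (presumably where `user` is already passed, e.g. `specialArgs = { inherit inputs user; };`); that part of flake.nix is outside these hunks, so confirm it is present for all four hosts.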
@@ -103,6 +107,7 @@
./hosts/bulwark/configuration.nix
./hosts/bulwark/hardware.nix
sops-nix.nixosModules.sops
+ agenix.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
index f9a3b1ab..73dc0490 100644
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@@ -1,11 +1,20 @@
-{ config, lib, pkgs, user, ... }:
+{ config, lib, pkgs, user, inputs, ... }:
let
cfg = config.modules.system.secrets;
in
{
options.modules.system.secrets.enable = lib.mkEnableOption "secrets";
config = lib.mkIf cfg.enable {
+
+ environment.systemPackages = [
+ inputs.agenix.packages.x86_64-linux.default
+ ];
-
+ age.secrets."git/github_personal" = {
+ file = ../../age-secrets/git/github_personal.age;
+ owner = "${user}";
+ group = "users";
+ };
+
sops = let
ncHost = (if config.networking.hostName == "torus" then "nextcloud" else "${user}");
in {
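Review bot: `inputs.agenix.packages.x86_64-linux.default` hard-codes the platform inside a module that already receives `pkgs`; `inputs.agenix.packages.${pkgs.system}.default` stays correct if a host is ever built for another system. `owner = "${user}";` is a needless interpolation of a string, `owner = user;` reads cleaner. The secret sets `group = "users"` but no `mode`, so agenix's default of 0400 applies, which is what ssh needs anyway since it ignores a private key readable by group or others; a comment such as `# mode left at the agenix default 0400: ssh rejects group-readable private keys` would make that intent explicit. The `config = lib.mkIf cfg.enable {` attrset continues past the end of the hunk.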