christoph/flake-nixinator
1
Fork 0
Code Activity

Modules/Agenix: Change to system module

Browse Source
This commit is contained in:
Christoph Urlacher
2025-07-09 03:28:52 +02:00
parent f47feb8193
commit 4f6a4dea3e
15 changed files with 34 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
home/christoph/default.nix
View File

@ -300,6 +300,25 @@
file = lib.mkMerge [
{
".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
# The user will be able to decrypt .age files using agenix.
# On each user/machine, this should generate a corresponding secrets.nix
"${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
in ''
# NOTE: This file will contain keys depending on the host/by which user it was built on.
{
${lib.optionalString
# If this user defined any secrets...
(builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
# ...we will add them to the current secrets.nix,
# s.t. agenix can be used to encrypt the secret.
(builtins.concatStringsSep "\n"
(builtins.map
(mkSecret publicKeys.${username}.ssh)
nixosConfig.modules.agenix.secrets.${username}))}
}
'';
}
(lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
".config/xdg-desktop-portal-termfilechooser/config".text = ''

3
home/christoph/nixinator/default.nix
View File

@ -4,7 +4,6 @@
nixosConfig,
config,
lib,
username,
...
}: {
imports = [
@ -13,8 +12,6 @@
config = {
modules = {
# agenix.secrets.${username} = [];
hyprland = {
kb-layout = "us";
kb-variant = "altgr-intl";

9
home/christoph/servenix/default.nix
View File

@ -11,15 +11,6 @@
];
config = {
modules = {
agenix.secrets.${username} = [
"heidi-discord-token"
"kopia-password"
"kopia-server-username"
"kopia-server-password"
];
};
home.packages = with pkgs; [
docker-compose
];

50
home/modules/agenix/default.nix
View File

@ -1,50 +0,0 @@
{
config,
nixosConfig,
lib,
mylib,
pkgs,
username,
publicKeys,
...
}: let
inherit (config.modules) agenix;
in {
options.modules.agenix = import ./options.nix {inherit lib mylib;};
config = {
# The user will be able to decrypt .age files using agenix.
# On each user/machine, this should generate a corresponding secrets.nix
home.file."${config.paths.nixflake}/home/modules/agenix/secrets.nix".text = let
mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
in ''
# NOTE: This file will contain keys depending on the host/by which user it was built on.
{
${lib.optionalString
# If this user defined any secrets...
(builtins.hasAttr "${username}" agenix.secrets)
# ...we will add them to the current secrets.nix,
# s.t. agenix can be used to encrypt the secret.
(builtins.concatStringsSep "\n"
(builtins.map
(mkSecret publicKeys.${username}.ssh)
agenix.secrets.${username}))}
}
'';
age.secrets = let
mkSecretIfExists = name:
# If this user has already encrypted the secret...
if builtins.pathExists ./${name}.age
# ...we will register it with age...
then {${name}.file = ./${name}.age;}
# ...otherwise we link to a bogus file.
else {${name}.file = ./void.age;};
in
lib.mkIf
# If this user defined any secrets...
(builtins.hasAttr "${username}" agenix.secrets)
# ...we will register all secrets files that have already been generated.
(lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
};
}

5
home/modules/agenix/heidi-discord-token.age
View File

@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c
mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc
--- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI
<EFBFBD>Ҥ<11><>v <0B><>LH<4C><48>l<EFBFBD>|<7C>><3E><><EFBFBD>Mcso<73>{j<>S<EFBFBD><53><EFBFBD>_<EFBFBD><5F>'<27>Ќ<EFBFBD>WlÅ<6C>_i<5F>M<15>Y<EFBFBD><59><EFBFBD><EFBFBD><EFBFBD><EFBFBD>VV<><56>s<EFBFBD>,D%<25>-&+<2B><><EFBFBD><EFBFBD>i<EFBFBD><69>T<EFBFBD>P"<16>g

6
home/modules/agenix/kopia-password.age
View File

@ -1,6 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc
ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4
--- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I
B6<42><<3C>
I<>mj<6D><6A><EFBFBD><EFBFBD><1B>L<EFBFBD><06>N<EFBFBD><4E><EFBFBD><EFBFBD>-e<>![<5B>'y_<79>aI<61><49>

6
home/modules/agenix/kopia-server-password.age
View File

@ -1,6 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg
jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w
--- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c
<EFBFBD><EFBFBD>
<EFBFBD><03>#N'<27>(:a<><61>a<EFBFBD>]<5D><>g<EFBFBD>Po<50><6F><EFBFBD><EFBFBD><EFBFBD>[<5B><>=n<>

5
home/modules/agenix/kopia-server-username.age
View File

@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw
t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk
--- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc
<EFBFBD><EFBFBD>{*$<24>c<EFBFBD><63>̨&Z<>uthF<68><11><><EFBFBD><EFBFBD>[<5B>T<EFBFBD>%?<3F><><EFBFBD>?|*<2A>`<60>^O<>

33
home/modules/agenix/options.nix
View File

@ -1,33 +0,0 @@
{
lib,
mylib,
...
}: let
mkSecret = file:
lib.mkOption {
type = lib.types.path;
default = file;
};
in {
secrets = lib.mkOption {
type = lib.types.attrs;
description = "The secret files managed by agenix (and their associated keys)";
example = ''
{
christoph = [
"heidi-discord-token"
"kopia-password"
"kopia-server-username"
"kopia-server-password"
];
}
'';
default = {};
};
heidi-discord-token = mkSecret ./heidi-discord-token.age;
kopia-user-password = mkSecret ./kopia-user-password.age;
kopia-server-user = mkSecret ./kopia-server-user.age;
kopia-server-password = mkSecret ./kopia-server-password.age;
}

1
home/modules/agenix/void.age
View File

@ -1 +0,0 @@
This secret has not been generated.

1
home/modules/default.nix
View File

@ -3,7 +3,6 @@
# Obsolete modules are kept in "1_deprecated" for reference.
# My own HM modules
./agenix
./beets
./chromium
./color