Modules: Deprecate agenix module (replace with sops-nix)

flake.lock

@@ -1,50 +1,5 @@
 {
   "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": "darwin",
-        "home-manager": "home-manager",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1744478979,
-        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
     "devshell": {
       "inputs": {
         "nixpkgs": "nixpkgs"
@@ -173,7 +128,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems"
       },
       "locked": {
         "lastModified": 1726560853,
@@ -191,7 +146,7 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -260,27 +215,6 @@
       }
     },
     "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1745494811,
-        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -480,7 +414,7 @@
           "nixpkgs"
         ],
         "nuschtosSearch": "nuschtosSearch",
-        "systems": "systems_4"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1751492444,
@@ -592,10 +526,9 @@
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
         "devshell": "devshell",
         "hardware": "hardware",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager",
         "nix-alien": "nix-alien",
         "nix-flatpak": "nix-flatpak",
         "nix-topology": "nix-topology",
@@ -670,21 +603,6 @@
         "repo": "default",
         "type": "github"
       }
-    },
-    "systems_4": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -17,8 +17,8 @@
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
     # Manage secrets with agenix
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    # agenix.url = "github:ryantm/agenix";
+    # agenix.inputs.nixpkgs.follows = "nixpkgs";
 
     # Manage secrets with sops
     sops-nix.url = "github:Mic92/sops-nix";
@@ -149,7 +149,7 @@
     # Extra NixOS system modules for all hosts.
     # HM modules are passed through home/modules/default.nix instead.
     commonModules = [
-      inputs.agenix.nixosModules.default
+      # inputs.agenix.nixosModules.default
       inputs.sops-nix.nixosModules.sops
 
       # TODO: inputs.nix-topology.nixosModules.default

home/christoph/default.nix

@@ -300,25 +300,6 @@
     file = lib.mkMerge [
       {
         ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
-
-        # The user will be able to decrypt .age files using agenix.
-        # On each user/machine, this should generate a corresponding secrets.nix
-        "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
-          mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
-        in ''
-          # NOTE: This file will contain keys depending on the host/by which user it was built on.
-          {
-            ${lib.optionalString
-            # If this user defined any secrets...
-            (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
-            # ...we will add them to the current secrets.nix,
-            # s.t. agenix can be used to encrypt/access them.
-            (builtins.concatStringsSep "\n"
-              (builtins.map
-                (mkSecret publicKeys.${username}.ssh)
-                nixosConfig.modules.agenix.secrets.${username}))}
-          }
-        '';
       }
       (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
         ".config/xdg-desktop-portal-termfilechooser/config".text = ''
@@ -551,9 +532,7 @@
     keychain = {
       enable = true;
       enableFishIntegration = config.modules.fish.enable;
-      enableNushellIntegration = false;
       enableXsessionIntegration = !headless;
-      # agents = ["ssh"]; # Deprecated
       keys = ["id_ed25519"];
     };
 

home/modules/default.nix

@@ -26,7 +26,7 @@
     # HM modules imported from the flake inputs
     inputs.nix-flatpak.homeManagerModules.nix-flatpak
     inputs.nixvim.homeManagerModules.nixvim
-    inputs.agenix.homeManagerModules.default
+    # inputs.agenix.homeManagerModules.default
     # inputs.ags.homeManagerModules.default
     # inputs.spicetify-nix.homeManagerModules.default
   ];

system/default.nix

@@ -25,10 +25,6 @@ with mylib.networking; {
   ];
 
   modules = {
-    agenix.secrets.${username} = [
-      "dockerhub-password"
-    ];
-
     bootloader = {
       enable = true;
 
@@ -254,7 +250,7 @@ with mylib.networking; {
     usbmuxd
 
     # Secrets handling
-    inputs.agenix.packages.${system}.default
+    # inputs.agenix.packages.${system}.default
   ];
 
   # It is preferred to use the module (if it exists) over environment.systemPackages,

system/modules/1_deprecated/agenix/default.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  lib,
+  mylib,
+  pkgs,
+  username,
+  publicKeys,
+  ...
+}: let
+  inherit (config.modules) agenix;
+in {
+  options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+  config = {
+    # NOTE: Add below snippet to home/christoph/default.nix to generate the secrets.nix file
+
+    # The user will be able to decrypt .age files using agenix.
+    # On each user/machine, this should generate a corresponding secrets.nix
+    # "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
+    #   mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
+    # in ''
+    #   # This file will contain keys depending on the host/by which user it was built on.
+    #   {
+    #     ${lib.optionalString
+    #     # If this user defined any secrets...
+    #     (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
+    #     # ...we will add them to the current secrets.nix,
+    #     # s.t. agenix can be used to encrypt/access them.
+    #     (builtins.concatStringsSep "\n"
+    #       (builtins.map
+    #         (mkSecret publicKeys.${username}.ssh)
+    #         nixosConfig.modules.agenix.secrets.${username}))}
+    #   }
+    # '';
+
+    # Register generated secrets to the age system module
+    age.secrets = let
+      mkSecretIfExists = name:
+      # If this user has already encrypted the secret...
+        if builtins.pathExists ./${name}.age
+        # ...we will register it with age...
+        then {${name}.file = ./${name}.age;}
+        # ...otherwise we link to a bogus file.
+        else {${name}.file = ./void.age;};
+    in
+      lib.mkIf
+      # If this user defined any secrets...
+      (builtins.hasAttr "${username}" agenix.secrets)
+      # ...we will register all secrets files that have already been generated.
+      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+  };
+}

system/modules/agenix/default.nix

@@ -1,33 +0,0 @@
-{
-  config,
-  lib,
-  mylib,
-  pkgs,
-  username,
-  publicKeys,
-  ...
-}: let
-  inherit (config.modules) agenix;
-in {
-  options.modules.agenix = import ./options.nix {inherit lib mylib;};
-
-  config = {
-    # NOTE: See the generated secrets.nix file in home/christoph/default.nix
-
-    # Register generated secrets to the age system module
-    age.secrets = let
-      mkSecretIfExists = name:
-      # If this user has already encrypted the secret...
-        if builtins.pathExists ./${name}.age
-        # ...we will register it with age...
-        then {${name}.file = ./${name}.age;}
-        # ...otherwise we link to a bogus file.
-        else {${name}.file = ./void.age;};
-    in
-      lib.mkIf
-      # If this user defined any secrets...
-      (builtins.hasAttr "${username}" agenix.secrets)
-      # ...we will register all secrets files that have already been generated.
-      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
-  };
-}

system/modules/agenix/dockerhub-password.age

@@ -1,5 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 PW+5DQ z6Fm40D2nCJvvFsQdj9V4zcvVBpjFAvLZh17cEtLEx8
-hIyc+AUuEiIv6TobnNawdyEswAAQ4kQeh5n0yaVT/mY
---- Yhxh9hnsPfHYcmmrpQm5Up0VzRh2ndoF3R3W+7ojW58
-b<><1D><><14>?<02><><EFBFBD> ̙Wc<57><63><EFBFBD><EFBFBD><EFBFBD><EFBFBD>R<EFBFBD><52><<3C>@<40>y<EFBFBD><79><EFBFBD><EFBFBD>1z%<25>4EWu<57>7	<09><<3C><><EFBFBD>'<27><>Cg9!<21>`cv

system/modules/agenix/heidi-discord-token.age

@@ -1,5 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c
-mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc
---- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI
-<EFBFBD>Ҥ<11><>v<0B><>LH<4C><48>l<EFBFBD>|<7C>><3E><><EFBFBD>Mcso<73>{j<>S<EFBFBD><53><EFBFBD>_<EFBFBD><5F>'<27>Ќ<EFBFBD>WlÅ<6C>_i<5F>
M<15>Y<EFBFBD><59><EFBFBD><EFBFBD><EFBFBD><EFBFBD>VV<><56>s<EFBFBD>,D%<25>-&+<2B><><EFBFBD><EFBFBD>i<EFBFBD><69>T<EFBFBD>P"<16>g

system/modules/agenix/kopia-password.age

@@ -1,6 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc
-ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4
---- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I
-B6<42><<3C>
-I<>mj<6D><6A><EFBFBD><EFBFBD><1B>L<EFBFBD><06>N<EFBFBD><4E><EFBFBD><EFBFBD>-e<>![<5B>'y_<79>aI<61><49>

system/modules/agenix/kopia-server-password.age

@@ -1,6 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg
-jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w
---- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c
-<EFBFBD><EFBFBD>
-<EFBFBD><03>#N'<27>(:a<><61>a<EFBFBD>]<5D><>g<EFBFBD>Po<50><6F><EFBFBD><EFBFBD><EFBFBD>[<5B><>=n<>

system/modules/agenix/kopia-server-username.age

@@ -1,5 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw
-t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk
---- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc
-<EFBFBD><EFBFBD>{*$<24>c<EFBFBD><63>̨&Z<>uthF<68><11><><EFBFBD><EFBFBD>[<5B>T<EFBFBD>%?<3F><><EFBFBD>?|*<2A>`<60>^O<>

system/modules/default.nix

@@ -1,6 +1,5 @@
 {...}: {
   imports = [
-    ./agenix
     ./bootloader
     ./desktopportal
     ./docker

system/nixinator/default.nix

@@ -12,8 +12,6 @@
   ];
 
   modules = {
-    # agenix.secrets.${username} = [];
-
     network = {
       useNetworkManager = true;
 

system/servenix/default.nix

@@ -36,13 +36,6 @@
   ];
 
   modules = {
-    agenix.secrets.${username} = [
-      "heidi-discord-token"
-      "kopia-password"
-      "kopia-server-username"
-      "kopia-server-password"
-    ];
-
     network = {
       useNetworkManager = false;