From 8fcddf1f37ce76d32f02d65206cd7db256dd72c8 Mon Sep 17 00:00:00 2001 From: Christoph Urlacher Date: Wed, 9 Jul 2025 15:29:33 +0200 Subject: [PATCH] Modules: Deprecate agenix module (replace with sops-nix) --- flake.lock | 90 +------------------ flake.nix | 6 +- home/christoph/default.nix | 21 ----- home/modules/default.nix | 2 +- system/default.nix | 6 +- .../modules/1_deprecated/agenix/default.nix | 52 +++++++++++ .../{ => 1_deprecated}/agenix/options.nix | 0 .../{ => 1_deprecated}/agenix/void.age | 0 system/modules/agenix/default.nix | 33 ------- system/modules/agenix/dockerhub-password.age | 5 -- system/modules/agenix/heidi-discord-token.age | 5 -- system/modules/agenix/kopia-password.age | 6 -- .../modules/agenix/kopia-server-password.age | 6 -- .../modules/agenix/kopia-server-username.age | 5 -- system/modules/default.nix | 1 - system/nixinator/default.nix | 2 - system/servenix/default.nix | 7 -- 17 files changed, 61 insertions(+), 186 deletions(-) create mode 100644 system/modules/1_deprecated/agenix/default.nix rename system/modules/{ => 1_deprecated}/agenix/options.nix (100%) rename system/modules/{ => 1_deprecated}/agenix/void.age (100%) delete mode 100644 system/modules/agenix/default.nix delete mode 100644 system/modules/agenix/dockerhub-password.age delete mode 100644 system/modules/agenix/heidi-discord-token.age delete mode 100644 system/modules/agenix/kopia-password.age delete mode 100644 system/modules/agenix/kopia-server-password.age delete mode 100644 system/modules/agenix/kopia-server-username.age diff --git a/flake.lock b/flake.lock index 6fd2cae9..aa9fd8a4 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,50 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1750173260, - "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", - "owner": "ryantm", - "repo": "agenix", - "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "devshell": { "inputs": { "nixpkgs": "nixpkgs" @@ -173,7 +128,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1726560853, @@ -191,7 +146,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -260,27 +215,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -480,7 +414,7 @@ "nixpkgs" ], "nuschtosSearch": "nuschtosSearch", - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1751492444, 
@@ -592,10 +526,9 @@ }, "root": { "inputs": { - "agenix": "agenix", "devshell": "devshell", "hardware": "hardware", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "nix-alien": "nix-alien", "nix-flatpak": "nix-flatpak", "nix-topology": "nix-topology", @@ -670,21 +603,6 @@ "repo": "default", "type": "github" } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 1d7fe4fb..ae0cd814 100644 --- a/flake.nix +++ b/flake.nix @@ -17,8 +17,8 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; # Manage secrets with agenix - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; + # agenix.url = "github:ryantm/agenix"; + # agenix.inputs.nixpkgs.follows = "nixpkgs"; # Manage secrets with sops sops-nix.url = "github:Mic92/sops-nix"; @@ -149,7 +149,7 @@ # Extra NixOS system modules for all hosts. # HM modules are passed through home/modules/default.nix instead. commonModules = [ - inputs.agenix.nixosModules.default + # inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.sops # TODO: inputs.nix-topology.nixosModules.default diff --git a/home/christoph/default.nix b/home/christoph/default.nix index 5158d749..0edfaf0f 100644 --- a/home/christoph/default.nix +++ b/home/christoph/default.nix 
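Review bot: The agenix input is commented out rather than removed in both flake.nix hunks (`# agenix.url = "github:ryantm/agenix";`, `# agenix.inputs.nixpkgs.follows = "nixpkgs";` and `# inputs.agenix.nixosModules.default` in commonModules), and the home/modules/default.nix hunk does the same with `# inputs.agenix.homeManagerModules.default`. Since flake.lock already drops the agenix node, re-enabling these lines would mean re-adding the input and re-locking anyway, so they are dead text that git history preserves just as well. Deleting them and turning the `# Manage secrets with agenix` heading into a pointer such as `# agenix was replaced by sops-nix; the old module is kept under system/modules/1_deprecated/agenix` keeps the intent without stale code.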
@@ -300,25 +300,6 @@
 file = lib.mkMerge [
 {
 ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
-
- # The user will be able to decrypt .age files using agenix.
- # On each user/machine, this should generate a corresponding secrets.nix
- "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
- mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
- in ''
- # NOTE: This file will contain keys depending on the host/by which user it was built on.
- {
- ${lib.optionalString
- # If this user defined any secrets...
- (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
- # ...we will add them to the current secrets.nix,
- # s.t. agenix can be used to encrypt/access them.
- (builtins.concatStringsSep "\n"
- (builtins.map
- (mkSecret publicKeys.${username}.ssh)
- nixosConfig.modules.agenix.secrets.${username}))}
- }
- '';
 }
 (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
 ".config/xdg-desktop-portal-termfilechooser/config".text = ''
@@ -551,9 +532,7 @@
 keychain = {
 enable = true;
 enableFishIntegration = config.modules.fish.enable;
- enableNushellIntegration = false;
 enableXsessionIntegration = !headless;
- # agents = ["ssh"]; # Deprecated
 keys = ["id_ed25519"];
 };
 
diff --git a/home/modules/default.nix b/home/modules/default.nix
index 3e8f0701..71425278 100644
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@@ -26,7 +26,7 @@
 # HM modules imported from the flake inputs
 inputs.nix-flatpak.homeManagerModules.nix-flatpak
 inputs.nixvim.homeManagerModules.nixvim
- inputs.agenix.homeManagerModules.default
+ # inputs.agenix.homeManagerModules.default
 # inputs.ags.homeManagerModules.default
 # inputs.spicetify-nix.homeManagerModules.default
 ];
diff --git a/system/default.nix b/system/default.nix
index 2ae1507d..9fda37ce 100644
--- a/system/default.nix
+++ b/system/default.nix
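Review bot: The keychain hunk (`@@ -551,9 +532,7 @@`) drops `enableNushellIntegration = false;`, which is unrelated to the agenix deprecation and is a behaviour change rather than cleanup: if home-manager's default for that option is true (recent releases derive it from the global shell-integration defaults, so this is worth confirming), keychain's nushell integration silently becomes enabled on this host. Either keep `enableNushellIntegration = false;` or say in the commit message that enabling it is intended. Removing the `# agents = ["ssh"]; # Deprecated` comment is fine; the secrets.nix generation removed in the first hunk matches the snippet now kept in the deprecated module.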
@@ -25,10 +25,6 @@ with mylib.networking; { ]; modules = { - agenix.secrets.${username} = [ - "dockerhub-password" - ]; - bootloader = { enable = true; @@ -254,7 +250,7 @@ with mylib.networking; { usbmuxd # Secrets handling - inputs.agenix.packages.${system}.default + # inputs.agenix.packages.${system}.default ]; # It is preferred to use the module (if it exists) over environment.systemPackages, diff --git a/system/modules/1_deprecated/agenix/default.nix b/system/modules/1_deprecated/agenix/default.nix new file mode 100644 index 00000000..d2d547b6 --- /dev/null +++ b/system/modules/1_deprecated/agenix/default.nix 
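Review bot: The first hunk removes `"dockerhub-password"` from `modules.agenix.secrets.${username}` and the commit deletes `dockerhub-password.age`, but nothing in the diff shows the consumer of `config.age.secrets.dockerhub-password.path` being moved to `sops.secrets`; the same applies to the heidi-discord-token and kopia-* entries dropped in the servenix hunk. If any module still reads those attributes, evaluation fails on the next rebuild, and if the consumers were already switched to sops in an earlier commit, saying so in the message would make the deprecation reviewable. If the intent is to retire rather than re-encrypt these values, note that the deleted `.age` ciphertext remains in git history for every recipient key, so rotating the underlying credentials is what actually retires them. The commented `# inputs.agenix.packages.${system}.default` in the second hunk is the same dead-code pattern as in flake.nix and can simply be deleted.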
@@ -0,0 +1,52 @@
+{
+ config,
+ lib,
+ mylib,
+ pkgs,
+ username,
+ publicKeys,
+ ...
+}: let
+ inherit (config.modules) agenix;
+in {
+ options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+ config = {
+ # NOTE: Add below snippet to home/christoph/default.nix to generate the secrets.nix file
+
+ # The user will be able to decrypt .age files using agenix.
+ # On each user/machine, this should generate a corresponding secrets.nix
+ # "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
+ # mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
+ # in ''
+ # # This file will contain keys depending on the host/by which user it was built on.
+ # {
+ # ${lib.optionalString
+ # # If this user defined any secrets...
+ # (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
+ # # ...we will add them to the current secrets.nix,
+ # # s.t. agenix can be used to encrypt/access them.
+ # (builtins.concatStringsSep "\n"
+ # (builtins.map
+ # (mkSecret publicKeys.${username}.ssh)
+ # nixosConfig.modules.agenix.secrets.${username}))}
+ # }
+ # '';
+
+ # Register generated secrets to the age system module
+ age.secrets = let
+ mkSecretIfExists = name:
+ # If this user has already encrypted the secret...
+ if builtins.pathExists ./${name}.age
+ # ...we will register it with age...
+ then {${name}.file = ./${name}.age;}
+ # ...otherwise we link to a bogus file.
+ else {${name}.file = ./void.age;};
+ in
+ lib.mkIf
+ # If this user defined any secrets...
+ (builtins.hasAttr "${username}" agenix.secrets)
+ # ...we will register all secrets files that have already been generated.
+ (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+ };
+}
diff --git a/system/modules/agenix/options.nix b/system/modules/1_deprecated/agenix/options.nix
similarity index 100%
rename from system/modules/agenix/options.nix
rename to system/modules/1_deprecated/agenix/options.nix
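Review bot: The NOTE snippet kept at the top of `config` still writes to `"${config.paths.nixflake}/system/modules/agenix/secrets.nix"`, but this module now lives under `system/modules/1_deprecated/agenix/` and the old directory is emptied by this commit, so anyone following the note would generate secrets.nix where the `./${name}.age` lookups in `mkSecretIfExists` can no longer see it; the path in the snippet should say `1_deprecated/agenix`, or the note should state that the snippet is historical. The file also never says it is deprecated or that nothing imports it (`./agenix` is dropped from system/modules/default.nix and `./1_deprecated/agenix` is not added anywhere in the diff); a header such as `# DEPRECATED: superseded by sops-nix. Not imported by any host; kept for reference only.` would save the next reader a search. The `pkgs` argument is unused, and `publicKeys` is referenced only inside the commented snippet, so both could be dropped from the argument set.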
diff --git a/system/modules/agenix/void.age b/system/modules/1_deprecated/agenix/void.age similarity index 100% rename from system/modules/agenix/void.age rename to system/modules/1_deprecated/agenix/void.age diff --git a/system/modules/agenix/default.nix b/system/modules/agenix/default.nix deleted file mode 100644 index 091b7162..00000000 --- a/system/modules/agenix/default.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ - config, - lib, - mylib, - pkgs, - username, - publicKeys, - ... -}: let - inherit (config.modules) agenix; -in { - options.modules.agenix = import ./options.nix {inherit lib mylib;}; - - config = { - # NOTE: See the generated secrets.nix file in home/christoph/default.nix - - # Register generated secrets to the age system module - age.secrets = let - mkSecretIfExists = name: - # If this user has already encrypted the secret... - if builtins.pathExists ./${name}.age - # ...we will register it with age... - then {${name}.file = ./${name}.age;} - # ...otherwise we link to a bogus file. - else {${name}.file = ./void.age;}; - in - lib.mkIf - # If this user defined any secrets... - (builtins.hasAttr "${username}" agenix.secrets) - # ...we will register all secrets files that have already been generated. - (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username})); - }; -} diff --git a/system/modules/agenix/dockerhub-password.age b/system/modules/agenix/dockerhub-password.age deleted file mode 100644 index 05a9b85a..00000000 --- a/system/modules/agenix/dockerhub-password.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ z6Fm40D2nCJvvFsQdj9V4zcvVBpjFAvLZh17cEtLEx8 -hIyc+AUuEiIv6TobnNawdyEswAAQ4kQeh5n0yaVT/mY ---- Yhxh9hnsPfHYcmmrpQm5Up0VzRh2ndoF3R3W+7ojW58 -b? ̙WcR<@y1z%4EWu7 <'Cg9!`cv \ No newline at end of file diff --git a/system/modules/agenix/heidi-discord-token.age b/system/modules/agenix/heidi-discord-token.age deleted file mode 100644 index 9c7bcc81..00000000 
--- a/system/modules/agenix/heidi-discord-token.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c -mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc ---- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI -Ҥv LHl|>Mcso{jS_'ЌWlÅ_iMYVVs,D%-&+iTP"g \ No newline at end of file diff --git a/system/modules/agenix/kopia-password.age b/system/modules/agenix/kopia-password.age deleted file mode 100644 index c5f29ca1..00000000 --- a/system/modules/agenix/kopia-password.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc -ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4 ---- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I -B6< -ImjLN-e!['y_aI \ No newline at end of file diff --git a/system/modules/agenix/kopia-server-password.age b/system/modules/agenix/kopia-server-password.age deleted file mode 100644 index 22b1b0c3..00000000 --- a/system/modules/agenix/kopia-server-password.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg -jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w ---- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c - -#N'(:aa]gPo[=n \ No newline at end of file diff --git a/system/modules/agenix/kopia-server-username.age b/system/modules/agenix/kopia-server-username.age deleted file mode 100644 index ee755223..00000000 --- a/system/modules/agenix/kopia-server-username.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw -t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk ---- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc -{*$c̨&ZuthF[T%??|*`^O \ No newline at end of file diff --git a/system/modules/default.nix b/system/modules/default.nix index 5251282f..45c26ddc 100644 --- a/system/modules/default.nix +++ b/system/modules/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./agenix ./bootloader ./desktopportal ./docker 
diff --git a/system/nixinator/default.nix b/system/nixinator/default.nix index b1d7f5a9..39f86761 100644 --- a/system/nixinator/default.nix +++ b/system/nixinator/default.nix @@ -12,8 +12,6 @@ ]; modules = { - # agenix.secrets.${username} = []; - network = { useNetworkManager = true; diff --git a/system/servenix/default.nix b/system/servenix/default.nix index 092e95e0..8314eb43 100644 --- a/system/servenix/default.nix +++ b/system/servenix/default.nix @@ -36,13 +36,6 @@ ]; modules = { - agenix.secrets.${username} = [ - "heidi-discord-token" - "kopia-password" - "kopia-server-username" - "kopia-server-password" - ]; - network = { useNetworkManager = false;