diff --git a/flake.nix b/flake.nix index 1d7fe4fb..ae0cd814 100644 --- a/flake.nix +++ b/flake.nix @@ -17,8 +17,8 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; # Manage secrets with agenix - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; + # agenix.url = "github:ryantm/agenix"; + # agenix.inputs.nixpkgs.follows = "nixpkgs"; # Manage secrets with sops sops-nix.url = "github:Mic92/sops-nix"; @@ -149,7 +149,7 @@ # Extra NixOS system modules for all hosts. # HM modules are passed through home/modules/default.nix instead. commonModules = [ - inputs.agenix.nixosModules.default + # inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.sops # TODO: inputs.nix-topology.nixosModules.default diff --git a/home/christoph/default.nix b/home/christoph/default.nix index 5158d749..0edfaf0f 100644 --- a/home/christoph/default.nix +++ b/home/christoph/default.nix @@ -300,25 +300,6 @@ file = lib.mkMerge [ { ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}"; - - # The user will be able to decrypt .age files using agenix. - # On each user/machine, this should generate a corresponding secrets.nix - "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let - mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];"; - in '' - # NOTE: This file will contain keys depending on the host/by which user it was built on. - { - ${lib.optionalString - # If this user defined any secrets... - (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets) - # ...we will add them to the current secrets.nix, - # s.t. agenix can be used to encrypt/access them. - (builtins.concatStringsSep "\n" - (builtins.map - (mkSecret publicKeys.${username}.ssh) - nixosConfig.modules.agenix.secrets.${username}))} - } - ''; } (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable { ".config/xdg-desktop-portal-termfilechooser/config".text = '' 
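Review bot: Commenting out `agenix.url` and `agenix.inputs.nixpkgs.follows` removes `inputs.agenix` from the flake while leaving the lines in place, and the same commented-out pattern recurs in `commonModules` in the second hunk, in home/modules/default.nix and in system/default.nix; any `inputs.agenix.*` reference that survives elsewhere would now be an evaluation error, which this diff cannot show. If the lines are kept as a migration breadcrumb, a comment such as `# agenix replaced by sops-nix; old module kept under system/modules/1_deprecated/agenix` above the input block would say why, and the same line would cover the other three sites; otherwise they can be deleted outright, since the next `nix flake lock` should prune the agenix node anyway. In the home/christoph/default.nix hunk the generated `secrets.nix` writer is removed without a visible sops-nix equivalent (a `.sops.yaml` with the user's recipient key); it may already exist outside this diff, but it is worth confirming before the agenix path is gone.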
@@ -551,9 +532,7 @@ keychain = { enable = true; enableFishIntegration = config.modules.fish.enable; - enableNushellIntegration = false; enableXsessionIntegration = !headless; - # agents = ["ssh"]; # Deprecated keys = ["id_ed25519"]; }; diff --git a/home/modules/default.nix b/home/modules/default.nix index 3e8f0701..71425278 100644 --- a/home/modules/default.nix +++ b/home/modules/default.nix @@ -26,7 +26,7 @@ # HM modules imported from the flake inputs inputs.nix-flatpak.homeManagerModules.nix-flatpak inputs.nixvim.homeManagerModules.nixvim - inputs.agenix.homeManagerModules.default + # inputs.agenix.homeManagerModules.default # inputs.ags.homeManagerModules.default # inputs.spicetify-nix.homeManagerModules.default ]; diff --git a/system/default.nix b/system/default.nix index 2ae1507d..9fda37ce 100644 --- a/system/default.nix +++ b/system/default.nix @@ -25,10 +25,6 @@ with mylib.networking; { ]; modules = { - agenix.secrets.${username} = [ - "dockerhub-password" - ]; - bootloader = { enable = true; @@ -254,7 +250,7 @@ with mylib.networking; { usbmuxd # Secrets handling - inputs.agenix.packages.${system}.default + # inputs.agenix.packages.${system}.default ]; # It is preferred to use the module (if it exists) over environment.systemPackages, diff --git a/system/modules/1_deprecated/agenix/default.nix b/system/modules/1_deprecated/agenix/default.nix new file mode 100644 index 00000000..d2d547b6 --- /dev/null +++ b/system/modules/1_deprecated/agenix/default.nix 
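Review bot: The `dockerhub-password` entry is dropped from `modules.agenix.secrets` in system/default.nix, and the four servenix secrets (`heidi-discord-token`, `kopia-password`, `kopia-server-username`, `kopia-server-password`) go the same way in the final hunk, but nothing in this diff declares sops-nix replacements for any of them. A consumer that still reads `config.age.secrets.<name>.path` (not visible here) would fail to evaluate once the agenix NixOS module is no longer imported, so each of the five names should have a `sops.secrets.<name>` counterpart before this lands; presumably that is the intent, but it is not shown. The deleted `.age` ciphertexts also stay recoverable from git history, which is harmless while the recipient key is uncompromised, but it means this commit should not be counted on to retire those values.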
@@ -0,0 +1,52 @@
+{
+ config,
+ lib,
+ mylib,
+ pkgs,
+ username,
+ publicKeys,
+ ...
+}: let
+ inherit (config.modules) agenix;
+in {
+ options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+ config = {
+ # NOTE: Add below snippet to home/christoph/default.nix to generate the secrets.nix file
+
+ # The user will be able to decrypt .age files using agenix.
+ # On each user/machine, this should generate a corresponding secrets.nix
+ # "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
+ # mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
+ # in ''
+ # # This file will contain keys depending on the host/by which user it was built on.
+ # {
+ # ${lib.optionalString
+ # # If this user defined any secrets...
+ # (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
+ # # ...we will add them to the current secrets.nix,
+ # # s.t. agenix can be used to encrypt/access them.
+ # (builtins.concatStringsSep "\n"
+ # (builtins.map
+ # (mkSecret publicKeys.${username}.ssh)
+ # nixosConfig.modules.agenix.secrets.${username}))}
+ # }
+ # '';
+
+ # Register generated secrets to the age system module
+ age.secrets = let
+ mkSecretIfExists = name:
+ # If this user has already encrypted the secret...
+ if builtins.pathExists ./${name}.age
+ # ...we will register it with age...
+ then {${name}.file = ./${name}.age;}
+ # ...otherwise we link to a bogus file.
+ else {${name}.file = ./void.age;};
+ in
+ lib.mkIf
+ # If this user defined any secrets...
+ (builtins.hasAttr "${username}" agenix.secrets)
+ # ...we will register all secrets files that have already been generated.
+ (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+ };
+}
diff --git a/system/modules/agenix/options.nix b/system/modules/1_deprecated/agenix/options.nix
similarity index 100%
rename from system/modules/agenix/options.nix
rename to system/modules/1_deprecated/agenix/options.nix
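Review bot: The new file under `system/modules/1_deprecated/agenix/` still sets `age.secrets`, an option that only exists when agenix's NixOS module is imported, and this same commit comments that module out of `commonModules` in flake.nix and removes the agenix input; importing this file now would fail on an undeclared `age` option, and nothing imports it since `./agenix` is also dropped from system/modules/default.nix. A header comment would save the next reader that dead end, e.g. `# DEPRECATED: not imported anywhere; requires inputs.agenix.nixosModules.default (see flake.nix) to define age.secrets.` Separately, the `else {${name}.file = ./void.age;}` fallback registers a placeholder ciphertext for a declared secret whose `.age` file is missing, so a forgotten encryption would presumably surface only at activation rather than at evaluation; if this module is ever revived, a `lib.warn` on the missing-file branch or an assertion would make that visible earlier.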
diff --git a/system/modules/agenix/void.age b/system/modules/1_deprecated/agenix/void.age similarity index 100% rename from system/modules/agenix/void.age rename to system/modules/1_deprecated/agenix/void.age diff --git a/system/modules/agenix/default.nix b/system/modules/agenix/default.nix deleted file mode 100644 index 091b7162..00000000 --- a/system/modules/agenix/default.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ - config, - lib, - mylib, - pkgs, - username, - publicKeys, - ... -}: let - inherit (config.modules) agenix; -in { - options.modules.agenix = import ./options.nix {inherit lib mylib;}; - - config = { - # NOTE: See the generated secrets.nix file in home/christoph/default.nix - - # Register generated secrets to the age system module - age.secrets = let - mkSecretIfExists = name: - # If this user has already encrypted the secret... - if builtins.pathExists ./${name}.age - # ...we will register it with age... - then {${name}.file = ./${name}.age;} - # ...otherwise we link to a bogus file. - else {${name}.file = ./void.age;}; - in - lib.mkIf - # If this user defined any secrets... - (builtins.hasAttr "${username}" agenix.secrets) - # ...we will register all secrets files that have already been generated. - (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username})); - }; -} diff --git a/system/modules/agenix/dockerhub-password.age b/system/modules/agenix/dockerhub-password.age deleted file mode 100644 index 05a9b85a..00000000 --- a/system/modules/agenix/dockerhub-password.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ z6Fm40D2nCJvvFsQdj9V4zcvVBpjFAvLZh17cEtLEx8 -hIyc+AUuEiIv6TobnNawdyEswAAQ4kQeh5n0yaVT/mY ---- Yhxh9hnsPfHYcmmrpQm5Up0VzRh2ndoF3R3W+7ojW58 -b? ̙WcR<@y1z%4EWu7 <'Cg9!`cv \ No newline at end of file diff --git a/system/modules/agenix/heidi-discord-token.age b/system/modules/agenix/heidi-discord-token.age deleted file mode 100644 index 9c7bcc81..00000000 
--- a/system/modules/agenix/heidi-discord-token.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c -mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc ---- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI -Ҥv LHl|>Mcso{jS_'ЌWlÅ_iMYVVs,D%-&+iTP"g \ No newline at end of file diff --git a/system/modules/agenix/kopia-password.age b/system/modules/agenix/kopia-password.age deleted file mode 100644 index c5f29ca1..00000000 --- a/system/modules/agenix/kopia-password.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc -ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4 ---- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I -B6< -ImjLN-e!['y_aI \ No newline at end of file diff --git a/system/modules/agenix/kopia-server-password.age b/system/modules/agenix/kopia-server-password.age deleted file mode 100644 index 22b1b0c3..00000000 --- a/system/modules/agenix/kopia-server-password.age +++ /dev/null @@ -1,6 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg -jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w ---- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c - -#N'(:aa]gPo[=n \ No newline at end of file diff --git a/system/modules/agenix/kopia-server-username.age b/system/modules/agenix/kopia-server-username.age deleted file mode 100644 index ee755223..00000000 --- a/system/modules/agenix/kopia-server-username.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw -t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk ---- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc -{*$c̨&ZuthF[T%??|*`^O \ No newline at end of file diff --git a/system/modules/default.nix b/system/modules/default.nix index 5251282f..45c26ddc 100644 --- a/system/modules/default.nix +++ b/system/modules/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./agenix ./bootloader ./desktopportal ./docker 
diff --git a/system/nixinator/default.nix b/system/nixinator/default.nix index b1d7f5a9..39f86761 100644 --- a/system/nixinator/default.nix +++ b/system/nixinator/default.nix @@ -12,8 +12,6 @@ ]; modules = { - # agenix.secrets.${username} = []; - network = { useNetworkManager = true; diff --git a/system/servenix/default.nix b/system/servenix/default.nix index 092e95e0..8314eb43 100644 --- a/system/servenix/default.nix +++ b/system/servenix/default.nix @@ -36,13 +36,6 @@ ]; modules = { - agenix.secrets.${username} = [ - "heidi-discord-token" - "kopia-password" - "kopia-server-username" - "kopia-server-password" - ]; - network = { useNetworkManager = false;