Modules: Deprecate agenix module (replace with sops-nix)

Flake: Add sops-nix
System: Enable gpg
2025-07-09 15:29:33 +02:00 · 2025-07-09 15:13:10 +02:00 · 2025-07-09 15:12:34 +02:00 · 2025-07-09 15:11:58 +02:00
18 changed files with 137 additions and 135 deletions
--- a/config/navi/christoph.cheat
+++ b/config/navi/christoph.cheat
@ -178,6 +178,27 @@ $ file: eza -1
 # Monitor Nvidia GPUs
 watch -d -c -n 0.5 nvidia-smi
 ; ===========================
 ; GPG
 ; ===========================
 % gpg
 # Generate a new GPG key
 gpg --full-generate-key
 % gpg
 # List GPG keys
 gpg <mode> --keyid-format=long
 $ mode: echo -e "--list-keys       \tList public keys\n--list-secret-keys\tList private keys" --- --column 1
 % gpg
 # Delete GPG key
 gpg --delete-secret-and-public-key <key>
 % gpg
 # Export public GPG key
 gpg --export --armor --output <output> <key>
 ; ===========================
 ; CODE
 ; ===========================
--- a/flake.lock
+++ b/flake.lock
@ -602,7 +602,28 @@
        "nixpkgs": "nixpkgs_2",
        "nixvim": "nixvim",
        "nps": "nps",
-        "nur": "nur"
+        "nur": "nur",
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1751606940,
        "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -16,9 +16,13 @@
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    # Agenix
+    # Manage secrets with agenix
-    agenix.url = "github:ryantm/agenix";
+    # agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    # agenix.inputs.nixpkgs.follows = "nixpkgs";
    # Manage secrets with sops
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    # Nix User Repository (e.g. Firefox addons)
    nur.url = "github:nix-community/NUR";
@ -141,6 +145,15 @@
    publicKeys.christoph = {
      ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAoJac+GdGtzblCMA0lBfMdSR6aQ4YyovrNglCFGIny christoph.urlacher@protonmail.com";
    };
    # Extra NixOS system modules for all hosts.
    # HM modules are passed through home/modules/default.nix instead.
    commonModules = [
      # inputs.agenix.nixosModules.default
      inputs.sops-nix.nixosModules.sops
      # TODO: inputs.nix-topology.nixosModules.default
    ];
  in {
    # Local shell for NixFlake directory
    devShells."${system}".default = import ./shell.nix {inherit pkgs;};
@ -176,47 +189,36 @@
        hostname = "nixinator";
        username = "christoph";
        headless = false;
-
+        extraModules =
-        # Extra NixOS system modules.
+          []
-        # HM modules are passed through home/modules/default.nix
+          ++ commonModules;
        extraModules = [
          # TODO:
          # inputs.nix-topology.nixosModules.default
          inputs.agenix.nixosModules.default
        ];
      };
      nixtop = mylib.nixos.mkNixosConfigWithHomeManagerModule {
        inherit system mylib publicKeys;
        hostname = "nixtop";
        username = "christoph";
        headless = false;
-        extraModules = [
+        extraModules =
-          # TODO:
+          []
-          # inputs.nix-topology.nixosModules.default
+          ++ commonModules;
          inputs.agenix.nixosModules.default
        ];
      };
      servenix = mylib.nixos.mkNixosConfigWithHomeManagerModule {
        inherit system mylib publicKeys;
        hostname = "servenix";
        username = "christoph";
        headless = true;
-        extraModules = [
+        extraModules =
-          # TODO:
+          []
-          # inputs.nix-topology.nixosModules.default
+          ++ commonModules;
          inputs.agenix.nixosModules.default
        ];
      };
      thinknix = mylib.nixos.mkNixosConfigWithHomeManagerModule {
        inherit system mylib publicKeys;
        hostname = "thinknix";
        username = "christoph";
        headless = true;
-        extraModules = [
+        extraModules =
-          # TODO:
+          []
-          # inputs.nix-topology.nixosModules.default
+          ++ commonModules;
          inputs.agenix.nixosModules.default
        ];
      };
      # These configurations don't include HM.
--- a/home/christoph/default.nix
+++ b/home/christoph/default.nix
@ -300,25 +300,6 @@
    file = lib.mkMerge [
      {
        ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
        # The user will be able to decrypt .age files using agenix.
        # On each user/machine, this should generate a corresponding secrets.nix
        "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
          mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
        in ''
          # NOTE: This file will contain keys depending on the host/by which user it was built on.
          {
            ${lib.optionalString
            # If this user defined any secrets...
            (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
            # ...we will add them to the current secrets.nix,
            # s.t. agenix can be used to encrypt/access them.
            (builtins.concatStringsSep "\n"
              (builtins.map
                (mkSecret publicKeys.${username}.ssh)
                nixosConfig.modules.agenix.secrets.${username}))}
          }
        '';
      }
      (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
        ".config/xdg-desktop-portal-termfilechooser/config".text = ''
@ -551,9 +532,7 @@
    keychain = {
      enable = true;
      enableFishIntegration = config.modules.fish.enable;
      enableNushellIntegration = false;
      enableXsessionIntegration = !headless;
      # agents = ["ssh"]; # Deprecated
      keys = ["id_ed25519"];
    };
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -26,7 +26,7 @@
    # HM modules imported from the flake inputs
    inputs.nix-flatpak.homeManagerModules.nix-flatpak
    inputs.nixvim.homeManagerModules.nixvim
-    inputs.agenix.homeManagerModules.default
+    # inputs.agenix.homeManagerModules.default
    # inputs.ags.homeManagerModules.default
    # inputs.spicetify-nix.homeManagerModules.default
  ];
--- a/system/default.nix
+++ b/system/default.nix
@ -25,10 +25,6 @@ with mylib.networking; {
  ];
  modules = {
    agenix.secrets.${username} = [
      "dockerhub-password"
    ];
    bootloader = {
      enable = true;
@ -254,7 +250,7 @@ with mylib.networking; {
    usbmuxd
    # Secrets handling
-    inputs.agenix.packages.${system}.default
+    # inputs.agenix.packages.${system}.default
  ];
  # It is preferred to use the module (if it exists) over environment.systemPackages,
@ -262,17 +258,22 @@ with mylib.networking; {
  # I would prefer to use HomeManager for some of these but the modules don't exist (yet).
  programs = {
    adb.enable = true;
-    dconf.enable = true;
+    dconf.enable = !headless;
    fish.enable = true;
    firejail.enable = true; # Use to run app in network namespace (e.g. through vpn)
    fuse.userAllowOther = true; # Allow users to mount e.g. samba shares (cifs)
    git.enable = true;
    kdeconnect.enable = !headless; # Use this instead of HM for firewall setup
    neovim.enable = true;
    starship.enable = true;
    # pay-respects.enable = true; # The new fuck
    xwayland.enable = !headless;
    nix-ld.enable = true; # Load dynamically linked executables
    gnupg.agent = {
      enable = true;
      enableBrowserSocket = true;
      enableExtraSocket = true;
      enableSSHSupport = true;
    };
    hyprland = {
      enable = !headless;
      xwayland.enable = true;
@ -286,13 +287,9 @@ with mylib.networking; {
      flake = "/home/christoph/NixFlake";
    };
-    ssh = {
+    ssh.startAgent = false; # Use gnupg
-      startAgent = true;
+    starship.enable = true;
-      # enableAskPassword = true;
+    xwayland.enable = !headless;
      # askPassword = lib.mkForce "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
    };
    fuse.userAllowOther = true; # Allow users to mount e.g. samba shares (cifs)
  };
  # List services that you want to enable:
--- a/system/modules/1_deprecated/agenix/default.nix
+++ b/system/modules/1_deprecated/agenix/default.nix
@ -0,0 +1,52 @@
 {
  config,
  lib,
  mylib,
  pkgs,
  username,
  publicKeys,
  ...
 }: let
  inherit (config.modules) agenix;
 in {
  options.modules.agenix = import ./options.nix {inherit lib mylib;};
  config = {
    # NOTE: Add below snippet to home/christoph/default.nix to generate the secrets.nix file
    # The user will be able to decrypt .age files using agenix.
    # On each user/machine, this should generate a corresponding secrets.nix
    # "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
    #   mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
    # in ''
    #   # This file will contain keys depending on the host/by which user it was built on.
    #   {
    #     ${lib.optionalString
    #     # If this user defined any secrets...
    #     (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
    #     # ...we will add them to the current secrets.nix,
    #     # s.t. agenix can be used to encrypt/access them.
    #     (builtins.concatStringsSep "\n"
    #       (builtins.map
    #         (mkSecret publicKeys.${username}.ssh)
    #         nixosConfig.modules.agenix.secrets.${username}))}
    #   }
    # '';
    # Register generated secrets to the age system module
    age.secrets = let
      mkSecretIfExists = name:
      # If this user has already encrypted the secret...
        if builtins.pathExists ./${name}.age
        # ...we will register it with age...
        then {${name}.file = ./${name}.age;}
        # ...otherwise we link to a bogus file.
        else {${name}.file = ./void.age;};
    in
      lib.mkIf
      # If this user defined any secrets...
      (builtins.hasAttr "${username}" agenix.secrets)
      # ...we will register all secrets files that have already been generated.
      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
  };
 }
--- a/system/modules/1_deprecated/agenix/options.nix
+++ b/system/modules/1_deprecated/agenix/options.nix
--- a/system/modules/1_deprecated/agenix/void.age
+++ b/system/modules/1_deprecated/agenix/void.age
--- a/system/modules/agenix/default.nix
+++ b/system/modules/agenix/default.nix
@ -1,33 +0,0 @@
 {
  config,
  lib,
  mylib,
  pkgs,
  username,
  publicKeys,
  ...
 }: let
  inherit (config.modules) agenix;
 in {
  options.modules.agenix = import ./options.nix {inherit lib mylib;};
  config = {
    # NOTE: See the generated secrets.nix file in home/christoph/default.nix
    # Register generated secrets to the age system module
    age.secrets = let
      mkSecretIfExists = name:
      # If this user has already encrypted the secret...
        if builtins.pathExists ./${name}.age
        # ...we will register it with age...
        then {${name}.file = ./${name}.age;}
        # ...otherwise we link to a bogus file.
        else {${name}.file = ./void.age;};
    in
      lib.mkIf
      # If this user defined any secrets...
      (builtins.hasAttr "${username}" agenix.secrets)
      # ...we will register all secrets files that have already been generated.
      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
  };
 }
--- a/system/modules/agenix/dockerhub-password.age
+++ b/system/modules/agenix/dockerhub-password.age
@ -1,5 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 PW+5DQ z6Fm40D2nCJvvFsQdj9V4zcvVBpjFAvLZh17cEtLEx8
 hIyc+AUuEiIv6TobnNawdyEswAAQ4kQeh5n0yaVT/mY
 --- Yhxh9hnsPfHYcmmrpQm5Up0VzRh2ndoF3R3W+7ojW58
 b<><1D><><14>?<02><><EFBFBD> ̙Wc<57><63><EFBFBD><EFBFBD><EFBFBD><EFBFBD>R<EFBFBD><52><<3C>@<40>y<EFBFBD><79><EFBFBD><EFBFBD>1z%<25>4EWu<57>7	<09><<3C><><EFBFBD>'<27><>Cg9!<21>`cv
--- a/system/modules/agenix/heidi-discord-token.age
+++ b/system/modules/agenix/heidi-discord-token.age
@ -1,5 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c
 mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc
 --- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI
 <EFBFBD>Ҥ<11><>v<0B><>LH<4C><48>l<EFBFBD>|<7C>><3E><><EFBFBD>Mcso<73>{j<>S<EFBFBD><53><EFBFBD>_<EFBFBD><5F>'<27>Ќ<EFBFBD>WlÅ<6C>_i<5F>M<15>Y<EFBFBD><59><EFBFBD><EFBFBD><EFBFBD><EFBFBD>VV<><56>s<EFBFBD>,D%<25>-&+<2B><><EFBFBD><EFBFBD>i<EFBFBD><69>T<EFBFBD>P"<16>g
--- a/system/modules/agenix/kopia-password.age
+++ b/system/modules/agenix/kopia-password.age
@ -1,6 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc
 ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4
 --- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I
 B6<42><<3C>
 I<>mj<6D><6A><EFBFBD><EFBFBD><1B>L<EFBFBD><06>N<EFBFBD><4E><EFBFBD><EFBFBD>-e<>![<5B>'y_<79>aI<61><49>
--- a/system/modules/agenix/kopia-server-password.age
+++ b/system/modules/agenix/kopia-server-password.age
@ -1,6 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg
 jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w
 --- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c
 <EFBFBD><EFBFBD>
 <EFBFBD><03>#N'<27>(:a<><61>a<EFBFBD>]<5D><>g<EFBFBD>Po<50><6F><EFBFBD><EFBFBD><EFBFBD>[<5B><>=n<>
--- a/system/modules/agenix/kopia-server-username.age
+++ b/system/modules/agenix/kopia-server-username.age
@ -1,5 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw
 t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk
 --- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc
 <EFBFBD><EFBFBD>{*$<24>c<EFBFBD><63>̨&Z<>uthF<68><11><><EFBFBD><EFBFBD>[<5B>T<EFBFBD>%?<3F><><EFBFBD>?|*<2A>`<60>^O<>
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@ -1,6 +1,5 @@
 {...}: {
  imports = [
    ./agenix
    ./bootloader
    ./desktopportal
    ./docker
--- a/system/nixinator/default.nix
+++ b/system/nixinator/default.nix
@ -12,8 +12,6 @@
  ];
  modules = {
    # agenix.secrets.${username} = [];
    network = {
      useNetworkManager = true;
--- a/system/servenix/default.nix
+++ b/system/servenix/default.nix
@ -36,13 +36,6 @@
  ];
  modules = {
    agenix.secrets.${username} = [
      "heidi-discord-token"
      "kopia-password"
      "kopia-server-username"
      "kopia-server-password"
    ];
    network = {
      useNetworkManager = false;
Author	SHA1	Message	Date
Christoph Urlacher	ebb79be287	Modules: Deprecate agenix module (replace with sops-nix)	2025-07-09 15:29:33 +02:00
Christoph Urlacher	c3912b5d2c	Flake: Add sops-nix	2025-07-09 15:13:10 +02:00
Christoph Urlacher	5573c1175d	System: Enable gpg	2025-07-09 15:12:34 +02:00
Christoph Urlacher	b010fb4166	Config/Navi: Add gpg cheats	2025-07-09 15:11:58 +02:00