christoph/flake-nixinator
1
Fork 0
Code Activity

Compare commits

base: christoph:551e558ddfe714862083d5ff0d06f5535fd23abc
Branches Tags
christoph:master
...
compare: christoph:f5ff0e2b1225dc796a69501ba8f99cb3469d1ae4
Branches Tags
christoph:master

2 Commits
551e558ddf ... f5ff0e2b12

Author SHA1 Message Date
Christoph Urlacher
f5ff0e2b12 Modules/Agenix: Change to system module 2025-07-09 03:28:52 +02:00
Christoph Urlacher
f063be235f Modules/Agenix: Add encrypted secrets 2025-07-09 03:13:54 +02:00
15 changed files with 56 additions and 45 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@ -10,4 +10,4 @@ result
config/neovim/store config/neovim/store
home/modules/ags/config/types home/modules/ags/config/types
home/modules/ags/config/tsconfig.json home/modules/ags/config/tsconfig.json
home/modules/agenix/secrets.nix system/modules/agenix/secrets.nix

19
home/christoph/default.nix
View File

@ -300,6 +300,25 @@
file = lib.mkMerge [ file = lib.mkMerge [
{ {
".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}"; ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
# The user will be able to decrypt .age files using agenix.
# On each user/machine, this should generate a corresponding secrets.nix
"${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
in ''
# NOTE: This file will contain keys depending on the host/by which user it was built on.
{
${lib.optionalString
# If this user defined any secrets...
(builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
# ...we will add them to the current secrets.nix,
# s.t. agenix can be used to encrypt the secret.
(builtins.concatStringsSep "\n"
(builtins.map
(mkSecret publicKeys.${username}.ssh)
nixosConfig.modules.agenix.secrets.${username}))}
}
'';
} }
(lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable { (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
".config/xdg-desktop-portal-termfilechooser/config".text = '' ".config/xdg-desktop-portal-termfilechooser/config".text = ''

3
home/christoph/nixinator/default.nix
View File

@ -4,7 +4,6 @@
nixosConfig, nixosConfig,
config, config,
lib, lib,
username,
... ...
}: { }: {
imports = [ imports = [
@ -13,8 +12,6 @@
config = { config = {
modules = { modules = {
# agenix.secrets.${username} = [];
hyprland = { hyprland = {
kb-layout = "us"; kb-layout = "us";
kb-variant = "altgr-intl"; kb-variant = "altgr-intl";

9
home/christoph/servenix/default.nix
View File

@ -11,15 +11,6 @@
]; ];
config = { config = {
modules = {
agenix.secrets.${username} = [
"heidi-discord-token"
"kopia-password"
"kopia-server-username"
"kopia-server-password"
];
};
home.packages = with pkgs; [ home.packages = with pkgs; [
docker-compose docker-compose
]; ];

1
home/modules/default.nix
View File

@ -3,7 +3,6 @@
# Obsolete modules are kept in "1_deprecated" for reference. # Obsolete modules are kept in "1_deprecated" for reference.
# My own HM modules # My own HM modules
./agenix
./beets ./beets
./chromium ./chromium
./color ./color

21
home/modules/agenix/default.nix → system/modules/agenix/default.nix
View File

@ -1,6 +1,5 @@
{ {
config, config,
nixosConfig,
lib, lib,
mylib, mylib,
pkgs, pkgs,
@ -13,25 +12,9 @@ in {
options.modules.agenix = import ./options.nix {inherit lib mylib;}; options.modules.agenix = import ./options.nix {inherit lib mylib;};
config = { config = {
# The user will be able to decrypt .age files using agenix. # NOTE: See the generated secrets.nix file in home/christoph/default.nix
# On each user/machine, this should generate a corresponding secrets.nix
home.file."${config.paths.nixflake}/home/modules/agenix/secrets.nix".text = let
mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
in ''
# NOTE: This file will contain keys depending on the host/by which user it was built on.
{
${lib.optionalString
# If this user defined any secrets...
(builtins.hasAttr "${username}" agenix.secrets)
# ...we will add them to the current secrets.nix,
# s.t. agenix can be used to encrypt the secret.
(builtins.concatStringsSep "\n"
(builtins.map
(mkSecret publicKeys.${username}.ssh)
agenix.secrets.${username}))}
}
'';
# Register generated secrets to the age system module
age.secrets = let age.secrets = let
mkSecretIfExists = name: mkSecretIfExists = name:
# If this user has already encrypted the secret... # If this user has already encrypted the secret...

5
system/modules/agenix/heidi-discord-token.age Normal file
View File

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c
mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc
--- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI
<EFBFBD>Ҥ<11><>v <0B><>LH<4C><48>l<EFBFBD>|<7C>><3E><><EFBFBD>Mcso<73>{j<>S<EFBFBD><53><EFBFBD>_<EFBFBD><5F>'<27>Ќ<EFBFBD>WlÅ<6C>_i<5F>M<15>Y<EFBFBD><59><EFBFBD><EFBFBD><EFBFBD><EFBFBD>VV<><56>s<EFBFBD>,D%<25>-&+<2B><><EFBFBD><EFBFBD>i<EFBFBD><69>T<EFBFBD>P"<16>g

6
system/modules/agenix/kopia-password.age Normal file
View File

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc
ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4
--- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I
B6<42><<3C>
I<>mj<6D><6A><EFBFBD><EFBFBD><1B>L<EFBFBD><06>N<EFBFBD><4E><EFBFBD><EFBFBD>-e<>![<5B>'y_<79>aI<61><49>

6
system/modules/agenix/kopia-server-password.age Normal file
View File

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg
jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w
--- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c
<EFBFBD><EFBFBD>
<EFBFBD><03>#N'<27>(:a<><61>a<EFBFBD>]<5D><>g<EFBFBD>Po<50><6F><EFBFBD><EFBFBD><EFBFBD>[<5B><>=n<>

5
system/modules/agenix/kopia-server-username.age Normal file
View File

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw
t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk
--- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc
<EFBFBD><EFBFBD>{*$<24>c<EFBFBD><63>̨&Z<>uthF<68><11><><EFBFBD><EFBFBD>[<5B>T<EFBFBD>%?<3F><><EFBFBD>?|*<2A>`<60>^O<>

13
home/modules/agenix/options.nix → system/modules/agenix/options.nix
View File

@ -2,13 +2,7 @@
lib, lib,
mylib, mylib,
... ...
}: let }: {
mkSecret = file:
lib.mkOption {
type = lib.types.path;
default = file;
};
in {
secrets = lib.mkOption { secrets = lib.mkOption {
type = lib.types.attrs; type = lib.types.attrs;
description = "The secret files managed by agenix (and their associated keys)"; description = "The secret files managed by agenix (and their associated keys)";
@ -25,9 +19,4 @@ in {
default = {}; default = {};
}; };
heidi-discord-token = mkSecret ./heidi-discord-token.age;
kopia-user-password = mkSecret ./kopia-user-password.age;
kopia-server-user = mkSecret ./kopia-server-user.age;
kopia-server-password = mkSecret ./kopia-server-password.age;
} }

0
home/modules/agenix/void.age → system/modules/agenix/void.age
View File

1
system/modules/default.nix
View File

@ -1,5 +1,6 @@
{...}: { {...}: {
imports = [ imports = [
./agenix
./bootloader ./bootloader
./desktopportal ./desktopportal
./docker ./docker

3
system/nixinator/default.nix
View File

@ -1,6 +1,7 @@
{ {
mylib, mylib,
pkgs, pkgs,
username,
... ...
}: { }: {
imports = [ imports = [
@ -11,6 +12,8 @@
]; ];
modules = { modules = {
# agenix.secrets.${username} = [];
network = { network = {
useNetworkManager = true; useNetworkManager = true;

7
system/servenix/default.nix
View File

@ -36,6 +36,13 @@
]; ];
modules = { modules = {
agenix.secrets.${username} = [
"heidi-discord-token"
"kopia-password"
"kopia-server-username"
"kopia-server-password"
];
network = { network = {
useNetworkManager = false; useNetworkManager = false;