Add agenix

yousiki · Mar 24, 2024 · c58b2bf · c58b2bf
1 parent 9d1d106
commit c58b2bf
Show file tree

Hide file tree

Showing 8 changed files with 124 additions and 6 deletions.
diff --git a/cells/common/profiles/core.nix b/cells/common/profiles/core.nix
@@ -53,6 +53,7 @@ in {
 
   # Basic packages for both NixOS and Darwin.
   environment.systemPackages = with pkgs; [
+    agenix
     alejandra
     cachix
     curl

diff --git a/cells/nixos/hosts/hakase/default.nix b/cells/nixos/hosts/hakase/default.nix
@@ -20,6 +20,7 @@
     inputs.cells.nixos.nixosProfiles.core
     inputs.cells.nixos.nixosProfiles.desktop
     inputs.cells.nixos.nixosProfiles.nvidia
+    inputs.cells.nixos.nixosProfiles.secrets
     inputs.cells.nixos.nixosProfiles.server
 
     inputs.cells.home.homeProfiles.base
@@ -57,6 +58,7 @@
         cudaSupport = true;
       };
       overlays = [
+        inputs.agenix.overlays.default
         inputs.fenix.overlays.default
         inputs.nvfetcher.overlays.default
       ];

diff --git a/cells/nixos/hosts/hakase/hardware-configuration.nix b/cells/nixos/hosts/hakase/hardware-configuration.nix
@@ -8,6 +8,8 @@
   modulesPath,
   ...
 }: let
+  credentials = config.age.secrets.nas-credentials.path;
+
   mkCifs = device: {
     device = device;
     fsType = "cifs";
@@ -18,7 +20,7 @@
       "x-systemd.device-timeout=5s"
       "x-systemd.mount-timeout=5s"
       "noperm"
-      "credentials=/etc/credentials"
+      "credentials=${credentials}"
     ];
   };
 in {

diff --git a/cells/nixos/profiles/secrets.nix b/cells/nixos/profiles/secrets.nix
@@ -0,0 +1,10 @@
+{
+  inputs,
+  cell,
+}: {...}: {
+  imports = [
+    inputs.agenix.nixosModules.default
+  ];
+
+  age.secrets.nas-credentials.file = "${inputs.self}/secrets/nas-credentials.age";
+}
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -113,6 +113,11 @@
       url = "github:nix-community/nix-index-database";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   nixConfig = rec {

diff --git a/secrets/nas-credentials.age b/secrets/nas-credentials.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 n0eTIA uldBDn7i4Kme4C6hBrDQ6LHlq1NKa7A75M8YhOhtAAI
+ZGgyCEJr+Xf9CztP9XKoIATiA13jth4xNaE4FPrGJB4
+-> ssh-ed25519 N9KtPg MYvP63pPrC7KoWHLJk/5anYiQh4aVzfhCfEE3Vd/djU
+ZhRwRfhzIPyDYNYCmtEvGWimtCvRNe1TfmpSsR9PG6s
+--- Tb+jv81q4ekvdEivQucmHI+SlkCFzHpl+ToSB2tMM8o
+�����>Q�8�{���]@�&��TE�'VE� K��"�|�NH���ؔ��b������r(n�j

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+  hakase = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJIxfWYaoGqw02b2U04OtaaPgIVFH7m2zyFwfRWAQl/";
+  hosts = [hakase];
+
+  yousiki_hakase = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFn+pRkC6G81PSmJOw8j8Y9i8Gt2OZiQ73ZpQV4UIZbg";
+  users = [yousiki_hakase];
+in {
+  "nas-credentials.age".publicKeys = hosts ++ users;
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -53,6 +53,7 @@ in { @@
       # Basic packages for both NixOS and Darwin.
       environment.systemPackages = with pkgs; [
+        agenix
         alejandra
         cachix
         curl
@@ Expand Down @@