feat: more agenix

2023-08-13 19:16:38 +02:00 · 2023-08-13 19:16:38 +02:00 · 8fb7204fee
parent 280853dc66
commit 8fb7204fee
9 changed files with 48 additions and 6 deletions
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@ -7,6 +7,7 @@
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
+      secret-key-files = "/etc/nix/cache-priv-key.pem"
    '';
    optimise.automatic = true;
    gc = {
@ -23,6 +24,24 @@
    config.allowUnfree = true;
  };

+  age.identityPaths = [
+    "/mnt/persist/etc/ssh/ssh_host_ed25519_key"
+    # "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
+    # "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
+  ];
+
+  age.secrets = with outputs.secrets; {
+    root-passwordfile.file = user-passwordfiles.root;
+    rilla-passwordfile.file = user-passwordfiles.rilla;
+    cache-priv-key = {
+      file = cache-priv-key;
+      mode = "400";
+      owner = "root";
+      group = "root";
+      path = "/etc/nix/cache-priv-key.pem";
+    };
+  };
+
  time.timeZone = "Europe/Madrid";

  # Select internationalisation properties.
@ -86,15 +105,13 @@
  };
  users.users = {

-    root = {
-      initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
-    };
+    root.passwordFile = config.age.secrets.root-passwordfile.path;

    rilla = {
      uid = 1000;
      isNormalUser = true;
-      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-      initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
+      extraGroups = [ "wheel" ];
+      passwordFile = config.age.secrets.rilla-passwordfile.path;
    };

    dags = {
--- a/modules/nixos/desktop/default.nix
+++ b/modules/nixos/desktop/default.nix
@ -189,7 +189,6 @@
    "/mnt/persist" = {
      directories = [
        "/etc/NetworkManager/system-connections"
-        "/etc/nixos"
        "/etc/wireguard"
        "/var/lib/bluetooth"
        "/var/lib/docker"
--- a/secrets/cache-priv-key.age
+++ b/secrets/cache-priv-key.age
--- a/secrets/capibara/ssh_host_ed25519_key.age
+++ b/secrets/capibara/ssh_host_ed25519_key.age
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -1,3 +1,8 @@
 {
  capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age;
+  user-passwordfiles = {
+    root = ./user-passwordfiles/root.age;
+    rilla = ./user-passwordfiles/rilla.age;
+  };
+  cache-priv-key = ./cache-priv-key.age;
 }
--- a/secrets/justfile
+++ b/secrets/justfile
@ -0,0 +1,7 @@
+AGENIX := "agenix --identity /home/rilla/configs/age/identities/yk_nfc"
+
+edit FILE:
+    {{ AGENIX }} --edit {{FILE}}
+
+rekey:
+    {{ AGENIX }} --rekey   
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -5,4 +5,7 @@ let
 in
 {
  "capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
+  "user-passwordfiles/root.age".publicKeys = [ yk_nano yk_nfc capibara ];
+  "user-passwordfiles/rilla.age".publicKeys = [ yk_nano yk_nfc capibara ];
+  "cache-priv-key.age".publicKeys = [ yk_nano yk_nfc capibara ];
 }
--- a/secrets/user-passwordfiles/rilla.age
+++ b/secrets/user-passwordfiles/rilla.age
--- a/secrets/user-passwordfiles/root.age
+++ b/secrets/user-passwordfiles/root.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 z6g2wA GY/RwkGDxHuwZxYxJ3+eqL4reN2qDrrs9j4E1cP3PWI
+67yW3hf+Hweh4r3MZ4IOleuR50Mf3yN+36TIFGMYVS4
+-> piv-p256 dHhT5w A1xwcg+p8VJLMQuRUfJ7xlibmBohxhQbNlGSOL+MvTpX
+FdS4SoIb75Iq0fwtWW97wIbbSocfv6jjCz+uwDOu1AI
+-> piv-p256 QnOxig Aw18aj0jXnC41YhwUsoXvkOx+dO23jaZN1MRaS1L+vdg
+KQL0EqNrrUxqri5IbPer1ca1oExKXRos6fhsTaGoDUE
+-> Rn-i,~>t-grease q@@z]Ln O wm ;
+7PwT
+--- Y13vfwZeRxDaItKvEIfPIUpVTQLXgkE9ZLKVzpG+qds
+Úº´jÐ¥ÈÑ(v±ûÈ˜ò^i¿á?Pž#çp3˜Î=ÝZV„\¦>=W>˜È¼W´kúînº;Âjˆò*Ûáv`F¶0,û:§u¡2öß	w³û§rÁ˜5l(ÙÑ+Îþbœ¾În C¡ž¤¨p/dírÙ²¸?Ùä‘g>8e4¿Qnáâ