feat: more agenix
parent
280853dc66
commit
8fb7204fee
|
@ -7,6 +7,7 @@
|
|||
package = pkgs.nixFlakes;
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
secret-key-files = "/etc/nix/cache-priv-key.pem"
|
||||
'';
|
||||
optimise.automatic = true;
|
||||
gc = {
|
||||
|
@ -23,6 +24,24 @@
|
|||
config.allowUnfree = true;
|
||||
};
|
||||
|
||||
age.identityPaths = [
|
||||
"/mnt/persist/etc/ssh/ssh_host_ed25519_key"
|
||||
# "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
|
||||
# "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
|
||||
];
|
||||
|
||||
age.secrets = with outputs.secrets; {
|
||||
root-passwordfile.file = user-passwordfiles.root;
|
||||
rilla-passwordfile.file = user-passwordfiles.rilla;
|
||||
cache-priv-key = {
|
||||
file = cache-priv-key;
|
||||
mode = "400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
path = "/etc/nix/cache-priv-key.pem";
|
||||
};
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Madrid";
|
||||
|
||||
# Select internationalisation properties.
|
||||
|
@ -86,15 +105,13 @@
|
|||
};
|
||||
users.users = {
|
||||
|
||||
root = {
|
||||
initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
|
||||
};
|
||||
root.passwordFile = config.age.secrets.root-passwordfile.path;
|
||||
|
||||
rilla = {
|
||||
uid = 1000;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
|
||||
extraGroups = [ "wheel" ];
|
||||
passwordFile = config.age.secrets.rilla-passwordfile.path;
|
||||
};
|
||||
|
||||
dags = {
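Review bot: The `secret-key-files` line in the first hunk wraps the path in double quotes, and as far as I know nix.conf does no quote processing, so Nix would presumably look for a file whose name includes the quotes and not find the key. Write it as `secret-key-files = /etc/nix/cache-priv-key.pem`, or as `secret-key-files = ${config.age.secrets.cache-priv-key.path}` so the setting cannot drift from the `path` declared under `age.secrets`. In the `users.users` hunk the two `initialHashedPassword` lines (apparently the removed side, and identical for root and rilla) stay in the repository history, so the agenix password files should hold fresh passwords rather than the one behind that hash. `age.identityPaths` reads the host key from `/mnt/persist`, which presumably has to be mounted before activation runs; a comment next to the path saying so would help. All three hunks sit inside blocks that start and end outside the visible lines.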
|
||||
|
|
|
@ -189,7 +189,6 @@
|
|||
"/mnt/persist" = {
|
||||
directories = [
|
||||
"/etc/NetworkManager/system-connections"
|
||||
"/etc/nixos"
|
||||
"/etc/wireguard"
|
||||
"/var/lib/bluetooth"
|
||||
"/var/lib/docker"
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,3 +1,8 @@
|
|||
{
|
||||
capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age;
|
||||
user-passwordfiles = {
|
||||
root = ./user-passwordfiles/root.age;
|
||||
rilla = ./user-passwordfiles/rilla.age;
|
||||
};
|
||||
cache-priv-key = ./cache-priv-key.age;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
AGENIX := "agenix --identity /home/rilla/configs/age/identities/yk_nfc"
|
||||
|
||||
edit FILE:
|
||||
{{ AGENIX }} --edit {{FILE}}
|
||||
|
||||
rekey:
|
||||
{{ AGENIX }} --rekey
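Review bot: `AGENIX` hard-codes one identity file, `/home/rilla/configs/age/identities/yk_nfc`, so both recipes only work with that YubiKey and that home directory, although the secrets are also encrypted to `yk_nano`. Consider making the identity overridable, e.g. `IDENTITY := env_var_or_default("AGENIX_IDENTITY", "/home/rilla/configs/age/identities/yk_nfc")` followed by `AGENIX := "agenix --identity " + IDENTITY`. In `edit`, quoting the argument as `"{{FILE}}"` keeps a path containing spaces from being split by the shell.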
|
|
@ -5,4 +5,7 @@ let
|
|||
in
|
||||
{
|
||||
"capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
|
||||
"user-passwordfiles/root.age".publicKeys = [ yk_nano yk_nfc capibara ];
|
||||
"user-passwordfiles/rilla.age".publicKeys = [ yk_nano yk_nfc capibara ];
|
||||
"cache-priv-key.age".publicKeys = [ yk_nano yk_nfc capibara ];
|
||||
}
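Review bot: The recipient list `[ yk_nano yk_nfc capibara ]` is now repeated on four entries, so adding or retiring a key means editing every line, and it is easy to leave one secret readable by an old key. Binding it once in the `let` block, e.g. `all = [ yk_nano yk_nfc capibara ];`, and writing `.publicKeys = all;` keeps the entries in step. After any change to the list the files still need `agenix --rekey`. The `let` bindings are outside the hunk, so the names already defined there are not visible.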
|
||||
|
|
Binary file not shown.
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 z6g2wA GY/RwkGDxHuwZxYxJ3+eqL4reN2qDrrs9j4E1cP3PWI
|
||||
67yW3hf+Hweh4r3MZ4IOleuR50Mf3yN+36TIFGMYVS4
|
||||
-> piv-p256 dHhT5w A1xwcg+p8VJLMQuRUfJ7xlibmBohxhQbNlGSOL+MvTpX
|
||||
FdS4SoIb75Iq0fwtWW97wIbbSocfv6jjCz+uwDOu1AI
|
||||
-> piv-p256 QnOxig Aw18aj0jXnC41YhwUsoXvkOx+dO23jaZN1MRaS1L+vdg
|
||||
KQL0EqNrrUxqri5IbPer1ca1oExKXRos6fhsTaGoDUE
|
||||
-> Rn-i,~>t-grease q@@z]Ln O wm ;
|
||||
7PwT
|
||||
--- Y13vfwZeRxDaItKvEIfPIUpVTQLXgkE9ZLKVzpG+qds
|
||||
Úº´jÐ¥ÈÑ(v±ûȘò^i¿á?Pž#çp3˜Î=ÝZV„\¦>=W>˜È¼W´kúînº;Âjˆò*Ûáv`F¶0,û:§u¡2öß w³û§rÁ˜5l(ÙÑ+Îþbœ¾În C¡ž¤¨p/dírÙ²¸?Ùä‘g>8e4¿Qnáâ
|