From 8fb7204feec1b916c8b0156d7da3a3df2291b465 Mon Sep 17 00:00:00 2001 From: Ricard Illa Date: Sun, 13 Aug 2023 19:16:38 +0200 Subject: [PATCH] feat: more agenix --- modules/nixos/common/default.nix | 27 ++++++++++++++++++---- modules/nixos/desktop/default.nix | 1 - secrets/cache-priv-key.age | Bin 0 -> 650 bytes secrets/capibara/ssh_host_ed25519_key.age | Bin 874 -> 996 bytes secrets/default.nix | 5 ++++ secrets/justfile | 7 ++++++ secrets/secrets.nix | 3 +++ secrets/user-passwordfiles/rilla.age | Bin 0 -> 629 bytes secrets/user-passwordfiles/root.age | 11 +++++++++ 9 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 secrets/cache-priv-key.age create mode 100644 secrets/justfile create mode 100644 secrets/user-passwordfiles/rilla.age create mode 100644 secrets/user-passwordfiles/root.age diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix index 2b26512..7cfef54 100644 --- a/modules/nixos/common/default.nix +++ b/modules/nixos/common/default.nix @@ -7,6 +7,7 @@ package = pkgs.nixFlakes; extraOptions = '' experimental-features = nix-command flakes + secret-key-files = "/etc/nix/cache-priv-key.pem" ''; optimise.automatic = true; gc = { @@ -23,6 +24,24 @@ config.allowUnfree = true; }; + age.identityPaths = [ + "/mnt/persist/etc/ssh/ssh_host_ed25519_key" + # "/mnt/persist/home/rilla/configs/age/identities/yk_nano" + # "/mnt/persist/home/rilla/configs/age/identities/yk_nfc" + ]; + + age.secrets = with outputs.secrets; { + root-passwordfile.file = user-passwordfiles.root; + rilla-passwordfile.file = user-passwordfiles.rilla; + cache-priv-key = { + file = cache-priv-key; + mode = "400"; + owner = "root"; + group = "root"; + path = "/etc/nix/cache-priv-key.pem"; + }; + }; + time.timeZone = "Europe/Madrid"; # Select internationalisation properties. 
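Review bot: The added `secret-key-files` line quotes its value, and nix.conf values are not quote-aware, so the daemon would look for a file literally named `"/etc/nix/cache-priv-key.pem"` (quotes included) and fail when it tries to sign, which it does for every locally built path once this setting is present. Drop the quotes, or better, leave `extraOptions` alone and add `settings.secret-key-files = [ config.age.secrets.cache-priv-key.path ];` beside it, which also ties the path to the agenix secret declared further down this file instead of repeating the string. The `extraOptions` string and the enclosing `nix = { … }` set start and end outside this hunk.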
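Review bot: `age.secrets.cache-priv-key` is declared in the shared `common` module, so every host that imports it will try to decrypt and install the binary-cache signing key at activation, yet the recipient list in secrets/secrets.nix names only the capibara host key, and a signing key should in any case exist only on the machine that signs and publishes. Consider moving the `cache-priv-key` entry (and the matching nix `secret-key-files` setting) into capibara's host-specific configuration, with a comment such as `# binary-cache signing key: only the publishing host may hold this`. The two password-file secrets depend on agenix installing secrets before the `users` activation script runs; I believe agenix orders this correctly, but it is worth confirming on a fresh install, where `/mnt/persist` may not yet contain the host key listed in `age.identityPaths`.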
@@ -86,15 +105,13 @@ }; users.users = { - root = { - initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1"; - }; + root.passwordFile = config.age.secrets.root-passwordfile.path; rilla = { uid = 1000; isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1"; + extraGroups = [ "wheel" ]; + passwordFile = config.age.secrets.rilla-passwordfile.path; }; dags = { diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix index 95e1528..744a7f9 100644 --- a/modules/nixos/desktop/default.nix +++ b/modules/nixos/desktop/default.nix @@ -189,7 +189,6 @@ "/mnt/persist" = { directories = [ "/etc/NetworkManager/system-connections" - "/etc/nixos" "/etc/wireguard" "/var/lib/bluetooth" "/var/lib/docker" diff --git a/secrets/cache-priv-key.age b/secrets/cache-priv-key.age new file mode 100644 index 0000000000000000000000000000000000000000..a4cda54f418a40611eb121450ead52506b7728e1 GIT binary patch literal 650 zcmY+-OK8&o002-GyyWHwKNKM{%Gk1OY1*VMh??}9PrD>*n>LD?rfHI;Nz*22nlfb< z=fH~!en6OaFT#e(6k%RBgeiE@i+IqJ$n>JagYM|<-JYzeuxcy)(D96}J>BhVGlLia zp9Ni4ht(E}VX-tg!ZkD?Kr-p0b9f;|%cc~DUDFk;fn+i%L8jB1StSyl(pP!3GaHrw zCbVkpvX%2QSf=RF&Yb5Y8Lis#4ZddiXisjEoJgxB1JCVkjxm586vM$*QLkVDNSHdL zRrOqzYtcE)rA$lbp>npPr#i#X%h!|N1BV3dW0D6I8W z*;T<*bg~CREH}lTZ-P@`e9R#Yjs^H49%Gfdjp$Au!csFsT5UspM!=D5s8J=Q>2t%j z;uvCJqeNg=WQkCeN**m%dyG?Q`hXsq01U%mIh_&8I67dZQm2Qy$wEVIWjiermw7>~ zb<1d5Q>mI4%Mm>Ad6DrqK6=RV!!ys1t&h&}(c{y9w%$FB{P_Ls!{(D~rV)^BT+%|V`d?mB^;Qh%RX7l>uA>kLcyWg6)IVb-G Dhiv8u literal 0 HcmV?d00001 
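Review bot: The `$6$` hash removed from both `root` and `rilla` stays in git history (and in this patch), so the move to password files only helps if the new `root.age`/`rilla.age` hold a different hash than the one deleted; if the same value was simply moved into the secrets, an offline-crackable hash is still public and the passwords should be rotated. There is also a semantic shift worth documenting: `initialHashedPassword` applied only when the account was first created, whereas `passwordFile` is read on every activation, so a password changed with `passwd` is reset at the next rebuild — add `# read on every activation; passwd changes do not persist` to the `passwordFile` lines. The `users.users` set continues past the end of this hunk (the `dags` user).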
diff --git a/secrets/capibara/ssh_host_ed25519_key.age b/secrets/capibara/ssh_host_ed25519_key.age index 70fac9eacd3274704c8a5260a5e6df8d8af29535..ddd14ad9cf1046ec5b3847807fe4d89de96c5c6f 100644 GIT binary patch delta 947 zcmV;k15Ett2IL2jEq^mOW-m)GZ#h|Mbz)0PVM=#GMtM$ZX=zGyS1UMTT3Jy^Gg57G zR%L2;3UXmaPE%=WLpV8eWLRNRQfz5#Yez_ALuOQUcrR{qQg>KbRcCWkXh=*&3N1b$ zaA|fea56PEAY@2rR5f=XL2EH#NN{#`YeaZsQgkp{ZFXyGSwl8jW^Q#kcxO*&VMRn? zD=TzrFf=wYa0+-rOK?y`XHs``S~Pb?Q)6XpVN@_kW^hX}Z8mW>Xh<(>ZFWd`H8WaN zRgv!%e{^OzO+{mPWH@6sMpH*jHEw5OLv?UaF-d7yS9eN8H&1SFPc~RZXftDC3UWnZ zXJtraZ!=M3Y(y|xcXTyMW=U>YH8WU7F=SR$D|b#!b6R9>W=3Ua3N1b$J4jz?EoX9N zVRL05awBvgM^tV|Ss+9@AZSf{N;xtLc`sQte|axULS{oTZBJEIYf*VJWO8k0NHR!5 zNLoiLNHk|MG~PC{XFb75C8I8IVhFho#HX=ZCnZ!kzFFPA@rbH8@CjS2j09VP|U! zQJ4IZ7?BrJyJdm9v6B{PVsN_loTV4lN0W9s6E(|>>^+`lY;ZkyP{tY>%^LU6=vhgU zr=NJ;-($E|sE{k#C^go#e)u6E;lW3qJgk`5 z?Ek_|u19k42*o-@Wd;Blu8Kc1E|8I%qwMs`QSY1fbe^_z$o8hD5HgA>o5U6Fa_V{8)9ir~A$dd|b=h0wp=1=DKlTvTRy);>)1o zy_>)D(fKcA!20&8BlV?99Z3BCWw5uL5@6THkNPP&tTnIHREnidOU(PGVWK3{*X*76KD@1KqS#(TmPh~e) za%OF73Un(gX?aykQ8-XbF>+2tNmxT`QcyBlb5Bn&N@iqiMrK7}L^LmGP;O^u3N1b$ zaA|fea56PEAY@2rR5f=XL2grdLw0jhSa@zPP*_xFNo;pxFhf>uK`Ty6aVs`MS6Xx{ zSa4J_GBH_oK?*r!N;ghPFK1|OLOE?lIYvxtXme9|VlZcTd01w1b5db*dTeShN=9fz zZ;|g6e``TPZ*W*qNP03aVJkIvGj}UNcT7ckNq22>Xi0KzNiT19PE=S&MondK3N&s{ zdUr@xcv)CRa5Z5|N@PlLN@`X?L1r^laxg}3W>alzXficzY)oxu3N1b$d|e|gXL4m> zb7deUCN4B4esdr6>X$gDj=`@wT5~APngkl=J!ZY8`<$+SpTnrecLpH5DYd{T9O36fYSxZ9 zsqr8qyCx||9O&SGC+c8z>c7?eOm3k_5suL&kZ-|865f;vJYZ_Fm*s0|J|`!o-3)HR zAuvrEB?4B8=vsO){l}a(wgrQhsol5Pq^Jrs3^GcCt5?AkV<=Qteg)lBfP8=Ax4BUq C5nM+A diff --git a/secrets/default.nix b/secrets/default.nix index 2093508..464ad0d 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,3 +1,8 @@ { capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age; + user-passwordfiles = { + root = ./user-passwordfiles/root.age; + rilla = ./user-passwordfiles/rilla.age; + }; + cache-priv-key = ./cache-priv-key.age; } 
diff --git a/secrets/justfile b/secrets/justfile new file mode 100644 index 0000000..11d8a4f --- /dev/null +++ b/secrets/justfile @@ -0,0 +1,7 @@ +AGENIX := "agenix --identity /home/rilla/configs/age/identities/yk_nfc" + +edit FILE: + {{ AGENIX }} --edit {{FILE}} + +rekey: + {{ AGENIX }} --rekey diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 8db351b..154472b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,4 +5,7 @@ let in { "capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ]; + "user-passwordfiles/root.age".publicKeys = [ yk_nano yk_nfc capibara ]; + "user-passwordfiles/rilla.age".publicKeys = [ yk_nano yk_nfc capibara ]; + "cache-priv-key.age".publicKeys = [ yk_nano yk_nfc capibara ]; } 
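Review bot: `{{FILE}}` in the `edit` recipe is interpolated into the shell line unquoted, so a path containing spaces or glob characters is split or expanded before agenix sees it; write `{{ AGENIX }} --edit "{{FILE}}"`. The `AGENIX` variable also pins an absolute path under one user's home and a single YubiKey identity (`yk_nfc`), so both recipes fail for anyone without that exact layout and cannot fall back to `yk_nano`; `AGENIX := "agenix --identity " + env_var_or_default("AGE_IDENTITY", "/home/rilla/configs/age/identities/yk_nfc")` keeps the current default while letting the caller override it.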
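Review bot: All three new entries repeat the recipient list `[ yk_nano yk_nfc capibara ]` verbatim; a binding such as `all = [ yk_nano yk_nfc capibara ];` in the `let` block above this hunk makes the shared trust set explicit and keeps a future recipient change from being applied to only some files. Since this same commit replaces `capibara/ssh_host_ed25519_key.age`, the `capibara` public key referenced here (defined outside the hunk) must be the new host key, or the host will be unable to decrypt the freshly added secrets at activation; if it was updated, run the `rekey` recipe so the existing secrets are re-encrypted to it as well. Note that anyone holding the host's `/mnt/persist/etc/ssh/ssh_host_ed25519_key` can recover the cache signing key, which is inherent to this scheme but worth a one-line comment on the `cache-priv-key.age` entry.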
diff --git a/secrets/user-passwordfiles/rilla.age b/secrets/user-passwordfiles/rilla.age new file mode 100644 index 0000000000000000000000000000000000000000..3e41b29ff44ee199efa4ac9677f9d7b2eae4fb2e GIT binary patch literal 629 zcmY+-O>5I&003Y=Zn+2^9OxyRAjOd7tLa*VVb-Ndnx;+Hv`s1=n&e%Qu1T}BNt=Sh z!zMZuCWsydhaN;kL_F;vdiLN&beGM6q8q|w3??{{9ew`5)3g8zJR^wxp40KhJAs8o z1cXk)-L8!SlcZ@P0}oRc*=OKhQR$SzxPoPRdRvQ%^^6gUZnN5(!fD?km^n+b8zj~- zT^s^B!3$|qP9-s=ZGwu$at@;^p-TZ*<^6_HVa@rudQp+^qs@0B)F|CybP7Im^QmClM&VVa|; z#`HiR5~aLKQ+%%7U@61t{CAbT(!jA`2Cp=2K3$pBB`5GPo0FufYo{c=Wd~VVO981! zdIin~xk!gHH9{{3vvUP;B3a7;S*sGEnx2-@IO}?43v==^CKz7ajEtj8LahKay8zA# zX5OmvFn@)D6W1<}B^DeWb|7Jxm9WScq$;o}DwK0fPBgV7-I`$MV?!!V=V_xoP!)s? zW@dY`L)4j+Of+kK20~F3?#qQ4(Wz@>Y+72Z$iTowj1OA*z!YkN+Vut|KQvj!_ata{ zeXX{b(cT;^C->hiym&=CyECdSBCBW4-Q$iml2^~a++ ssh-ed25519 z6g2wA GY/RwkGDxHuwZxYxJ3+eqL4reN2qDrrs9j4E1cP3PWI +67yW3hf+Hweh4r3MZ4IOleuR50Mf3yN+36TIFGMYVS4 +-> piv-p256 dHhT5w A1xwcg+p8VJLMQuRUfJ7xlibmBohxhQbNlGSOL+MvTpX +FdS4SoIb75Iq0fwtWW97wIbbSocfv6jjCz+uwDOu1AI +-> piv-p256 QnOxig Aw18aj0jXnC41YhwUsoXvkOx+dO23jaZN1MRaS1L+vdg +KQL0EqNrrUxqri5IbPer1ca1oExKXRos6fhsTaGoDUE +-> Rn-i,~>t-grease q@@z]Ln O wm ; +7PwT +--- Y13vfwZeRxDaItKvEIfPIUpVTQLXgkE9ZLKVzpG+qds + Úº´jХȭÑ(v±ûȘò^i¿á­?Pž#çp3˜Î=ÝZV„\¦>=W>˜È¼W´kúînº;Âjˆò*Ûáv`F¶0,û:§u¡2öß w³û§rÁ˜5l(ÙÑ+Îþbœ¾În C¡ž¤¨p/dírÙ²¸?Ùä‘g>8e4¿Qnáâ \ No newline at end of file