feat: more agenix

2023-08-13 19:16:38 +02:00 · 2023-08-13 19:16:38 +02:00 · 8fb7204fee
parent 280853dc66
commit 8fb7204fee
9 changed files with 48 additions and 6 deletions
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@ -7,6 +7,7 @@
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
      secret-key-files = "/etc/nix/cache-priv-key.pem"
    '';
    optimise.automatic = true;
    gc = {
@ -23,6 +24,24 @@
    config.allowUnfree = true;
  };
  age.identityPaths = [
    "/mnt/persist/etc/ssh/ssh_host_ed25519_key"
    # "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
    # "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
  ];
  age.secrets = with outputs.secrets; {
    root-passwordfile.file = user-passwordfiles.root;
    rilla-passwordfile.file = user-passwordfiles.rilla;
    cache-priv-key = {
      file = cache-priv-key;
      mode = "400";
      owner = "root";
      group = "root";
      path = "/etc/nix/cache-priv-key.pem";
    };
  };
  time.timeZone = "Europe/Madrid";
  # Select internationalisation properties.
@ -86,15 +105,13 @@
  };
  users.users = {
-    root = {
+    root.passwordFile = config.age.secrets.root-passwordfile.path;
      initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
    };
    rilla = {
      uid = 1000;
      isNormalUser = true;
-      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+      extraGroups = [ "wheel" ];
-      initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
+      passwordFile = config.age.secrets.rilla-passwordfile.path;
    };
    dags = {
--- a/modules/nixos/desktop/default.nix
+++ b/modules/nixos/desktop/default.nix
@ -189,7 +189,6 @@
    "/mnt/persist" = {
      directories = [
        "/etc/NetworkManager/system-connections"
        "/etc/nixos"
        "/etc/wireguard"
        "/var/lib/bluetooth"
        "/var/lib/docker"
--- a/secrets/cache-priv-key.age
+++ b/secrets/cache-priv-key.age
--- a/secrets/capibara/ssh_host_ed25519_key.age
+++ b/secrets/capibara/ssh_host_ed25519_key.age
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -1,3 +1,8 @@
 {
  capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age;
  user-passwordfiles = {
    root = ./user-passwordfiles/root.age;
    rilla = ./user-passwordfiles/rilla.age;
  };
  cache-priv-key = ./cache-priv-key.age;
 }
--- a/secrets/justfile
+++ b/secrets/justfile
@ -0,0 +1,7 @@
 AGENIX := "agenix --identity /home/rilla/configs/age/identities/yk_nfc"
 edit FILE:
    {{ AGENIX }} --edit {{FILE}}
 rekey:
    {{ AGENIX }} --rekey   
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -5,4 +5,7 @@ let
 in
 {
  "capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
  "user-passwordfiles/root.age".publicKeys = [ yk_nano yk_nfc capibara ];
  "user-passwordfiles/rilla.age".publicKeys = [ yk_nano yk_nfc capibara ];
  "cache-priv-key.age".publicKeys = [ yk_nano yk_nfc capibara ];
 }
--- a/secrets/user-passwordfiles/rilla.age
+++ b/secrets/user-passwordfiles/rilla.age
--- a/secrets/user-passwordfiles/root.age
+++ b/secrets/user-passwordfiles/root.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 z6g2wA GY/RwkGDxHuwZxYxJ3+eqL4reN2qDrrs9j4E1cP3PWI
 67yW3hf+Hweh4r3MZ4IOleuR50Mf3yN+36TIFGMYVS4
 -> piv-p256 dHhT5w A1xwcg+p8VJLMQuRUfJ7xlibmBohxhQbNlGSOL+MvTpX
 FdS4SoIb75Iq0fwtWW97wIbbSocfv6jjCz+uwDOu1AI
 -> piv-p256 QnOxig Aw18aj0jXnC41YhwUsoXvkOx+dO23jaZN1MRaS1L+vdg
 KQL0EqNrrUxqri5IbPer1ca1oExKXRos6fhsTaGoDUE
 -> Rn-i,~>t-grease q@@z]Ln O wm ;
 7PwT
 --- Y13vfwZeRxDaItKvEIfPIUpVTQLXgkE9ZLKVzpG+qds
 Úº´jÐ¥ÈÑ(v±ûÈ˜ò^i¿á?Pž#çp3˜Î=ÝZV„\¦>=W>˜È¼W´kúînº;Âjˆò*Ûáv`F¶0,û:§u¡2öß	w³û§rÁ˜5l(ÙÑ+Îþbœ¾În C¡ž¤¨p/dírÙ²¸?Ùä‘g>8e4¿Qnáâ