feat: more agenix

main
Ricard Illa 2023-08-13 19:16:38 +02:00
parent 280853dc66
commit 8fb7204fee
Signed by: rilla
GPG Key ID: 525307BD467E4205
9 changed files with 48 additions and 6 deletions


@ -7,6 +7,7 @@
package = pkgs.nixFlakes; package = pkgs.nixFlakes;
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
secret-key-files = "/etc/nix/cache-priv-key.pem"
''; '';
optimise.automatic = true; optimise.automatic = true;
gc = { gc = {
@ -23,6 +24,24 @@
config.allowUnfree = true; config.allowUnfree = true;
}; };
age.identityPaths = [
"/mnt/persist/etc/ssh/ssh_host_ed25519_key"
# "/mnt/persist/home/rilla/configs/age/identities/yk_nano"
# "/mnt/persist/home/rilla/configs/age/identities/yk_nfc"
];
age.secrets = with outputs.secrets; {
root-passwordfile.file = user-passwordfiles.root;
rilla-passwordfile.file = user-passwordfiles.rilla;
cache-priv-key = {
file = cache-priv-key;
mode = "400";
owner = "root";
group = "root";
path = "/etc/nix/cache-priv-key.pem";
};
};
time.timeZone = "Europe/Madrid"; time.timeZone = "Europe/Madrid";
# Select internationalisation properties. # Select internationalisation properties.
@ -86,15 +105,13 @@
}; };
users.users = { users.users = {
root = { root.passwordFile = config.age.secrets.root-passwordfile.path;
initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
};
rilla = { rilla = {
uid = 1000; uid = 1000;
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ];
initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1"; passwordFile = config.age.secrets.rilla-passwordfile.path;
}; };
dags = { dags = {
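Review bot: The new `secret-key-files = "/etc/nix/cache-priv-key.pem"` line sits inside the `extraOptions` string, where nix.conf does not strip quotes, so the quotes most likely become part of the path and the documented form is unquoted; the path is also spelled a second time in `age.secrets.cache-priv-key.path`, so deriving it from the secret, `secret-key-files = ${config.age.secrets.cache-priv-key.path}`, fixes the quoting and keeps the two in step, in the same way the users already take `config.age.secrets.*.path`. The `initialHashedPassword` value removed from `root` and `rilla` stays in repository history, so that password should be treated as exposed to anyone with read access and rotated now that both accounts are fed from agenix password files. The `users.users` attribute set continues past the end of the hunk.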


@ -189,7 +189,6 @@
"/mnt/persist" = { "/mnt/persist" = {
directories = [ directories = [
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/nixos"
"/etc/wireguard" "/etc/wireguard"
"/var/lib/bluetooth" "/var/lib/bluetooth"
"/var/lib/docker" "/var/lib/docker"

secrets/cache-priv-key.age Normal file

Binary file not shown.


@ -1,3 +1,8 @@
{ {
capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age; capibara.ssh_host_ed25519_key = ./capibara/ssh_host_ed25519_key.age;
user-passwordfiles = {
root = ./user-passwordfiles/root.age;
rilla = ./user-passwordfiles/rilla.age;
};
cache-priv-key = ./cache-priv-key.age;
} }
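Review bot: None of the files in this commit marks `*.age` as binary for git, and one of the new age files further down the page is shown as a text diff (recipient stanzas followed by raw ciphertext bytes), which is what happens when the first bytes of a file look like text. A `.gitattributes` entry `*.age binary` (or `*.age -diff`) would keep every future `rekey` from producing unreadable diffs and would keep line-ending conversion, where it is enabled, away from the ciphertext. The `-> ssh-ed25519` and `-> piv-p256` header lines carry only public recipient tags and ephemeral shares, so their appearance in the diff is not a disclosure; the secrets registered here are referenced by relative path, which is fine as long as this file stays next to the `.age` files.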

7
secrets/justfile Normal file

@ -0,0 +1,7 @@
AGENIX := "agenix --identity /home/rilla/configs/age/identities/yk_nfc"
edit FILE:
{{ AGENIX }} --edit {{FILE}}
rekey:
{{ AGENIX }} --rekey
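Review bot: `{{FILE}}` in the `edit` recipe is interpolated unquoted, so a file name containing a space or a shell metacharacter is split or interpreted by the shell before agenix sees it; `{{ AGENIX }} --edit "{{FILE}}"` avoids that, while `AGENIX` itself has to stay unquoted because it carries its own `--identity` argument. The identity path `/home/rilla/configs/age/identities/yk_nfc` is hard-coded, whereas the host configuration in this same commit refers to the same identities under `/mnt/persist/home/rilla/...`; a variable with a default, `IDENTITY := env_var_or_default("AGE_IDENTITY", "/home/rilla/configs/age/identities/yk_nfc")`, would let the other YubiKey listed in secrets.nix (`yk_nano`) be used without editing this file.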


@ -5,4 +5,7 @@ let
in in
{ {
"capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ]; "capibara/ssh_host_ed25519_key.age".publicKeys = [ yk_nano yk_nfc capibara ];
"user-passwordfiles/root.age".publicKeys = [ yk_nano yk_nfc capibara ];
"user-passwordfiles/rilla.age".publicKeys = [ yk_nano yk_nfc capibara ];
"cache-priv-key.age".publicKeys = [ yk_nano yk_nfc capibara ];
} }

Binary file not shown.


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 z6g2wA GY/RwkGDxHuwZxYxJ3+eqL4reN2qDrrs9j4E1cP3PWI
67yW3hf+Hweh4r3MZ4IOleuR50Mf3yN+36TIFGMYVS4
-> piv-p256 dHhT5w A1xwcg+p8VJLMQuRUfJ7xlibmBohxhQbNlGSOL+MvTpX
FdS4SoIb75Iq0fwtWW97wIbbSocfv6jjCz+uwDOu1AI
-> piv-p256 QnOxig Aw18aj0jXnC41YhwUsoXvkOx+dO23jaZN1MRaS1L+vdg
KQL0EqNrrUxqri5IbPer1ca1oExKXRos6fhsTaGoDUE
-> Rn-i,~>t-grease q@@z]Ln O wm ;
7PwT
--- Y13vfwZeRxDaItKvEIfPIUpVTQLXgkE9ZLKVzpG+qds
Úº´jХȭÑ(v±ûȘò^i¿á­?Pž#çp3˜Î=ÝZV„\¦>=W>˜È¼W´kúînº;Âjˆò*Ûáv`F¶0,û:§u¡2öß w³û§rÁ˜5l(ÙÑ+Îþbœ¾În C¡ž¤¨p/dírÙ²¸?Ùäg>8e4¿Qnáâ