authorFranck Cuny <franck@fcuny.net>2024-12-14 09:45:26 -0800
committerFranck Cuny <franck@fcuny.net>2024-12-14 09:45:26 -0800
commitd96eda0e683d53779d9ebae53d7897d96216511a (patch)
treebf60429c483c25f59f1628e376b11cc5154ce43f
parentadd docstring to justfile (diff)
downloadworld-d96eda0e683d53779d9ebae53d7897d96216511a.tar.gz
use agenix to manage secrets in the repository
-rw-r--r--.gitignore1
-rw-r--r--flake.lock88
-rw-r--r--flake.nix28
-rw-r--r--nix/lib/mkSystem.nix2
-rw-r--r--secrets/restic-backups.age7
-rw-r--r--secrets/secrets.nix12
6 files changed, 130 insertions, 8 deletions
diff --git a/.gitignore b/.gitignore
index 942f51c..7f2acd4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,3 @@
 /*.qcow2
 bin/
 /.direnv/
-/secrets/
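Review bot: Dropping `/secrets/` from the ignore list is what lets the encrypted `.age` files and `secrets.nix` be committed, but it also means any other file that lands in that directory — a decrypted copy left behind while editing, for example — is now tracked and will be picked up by `git add`. A narrower rule keeps that guardrail while still allowing the intended files: replace the removed line with `/secrets/*`, `!/secrets/*.age` and `!/secrets/secrets.nix`.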
diff --git a/flake.lock b/flake.lock
index e4030df..ba094ab 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,8 +1,53 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "darwin_2": {
+      "inputs": {
+        "nixpkgs": [
           "nixpkgs"
         ]
       },
@@ -58,7 +103,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -98,6 +143,27 @@
     "home-manager": {
       "inputs": {
         "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
           "nixpkgs"
         ]
       },
@@ -173,10 +239,11 @@
     },
     "root": {
       "inputs": {
-        "darwin": "darwin",
+        "agenix": "agenix",
+        "darwin": "darwin_2",
         "devshell": "devshell",
         "flake-utils": "flake-utils",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
         "nixpkgs": "nixpkgs",
         "pre-commit-hooks": "pre-commit-hooks",
         "treefmt-nix": "treefmt-nix"
@@ -197,6 +264,21 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 90a217f..83db950 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,17 +20,33 @@
     };
 
     flake-utils.url = "github:numtide/flake-utils";
+
     pre-commit-hooks = {
       url = "github:cachix/pre-commit-hooks.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    devshell.url = "github:numtide/devshell";
-    devshell.inputs.nixpkgs.follows = "nixpkgs";
+
+    devshell = {
+      url = "github:numtide/devshell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   # Output config, or config for NixOS system
   outputs =
-    { nixpkgs, darwin, flake-utils, pre-commit-hooks, devshell, ... }@inputs:
+    { nixpkgs
+    , darwin
+    , flake-utils
+    , pre-commit-hooks
+    , devshell
+    , agenix
+    , ...
+    }@inputs:
     flake-utils.lib.eachDefaultSystem
       (system:
       let
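Review bot: The new `agenix` input follows only `nixpkgs`, yet agenix also declares `darwin` and `home-manager` inputs (visible in the `agenix` node of the flake.lock hunk), and this flake already pins both; leaving them unfollowed pulls a second copy of each into the lockfile, which is why `darwin_2`, `home-manager_2` and `systems_2` appear there. Adding `inputs.darwin.follows = "darwin";` and `inputs.home-manager.follows = "home-manager";` inside the `agenix = { ... }` block keeps a single pinned revision of each dependency. The enclosing `inputs` attribute set starts before this hunk.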
@@ -53,7 +69,11 @@
         };
 
         devShells.default = pkgs.devshell.mkShell {
-          packages = with pkgs; [ just ];
+          packages = with pkgs; [
+            just
+            agenix
+            inputs.agenix.packages."${system}".default
+          ];
           env = [{
             name = "DEVSHELL_NO_MOTD";
             value = "1";
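Review bot: The devshell now ships two agenix CLIs — `agenix` from nixpkgs and `inputs.agenix.packages."${system}".default` from the flake input — so it is unclear which one a plain `agenix` invocation resolves to, and the nixpkgs build may not match the module version the hosts import via `inputs.agenix.nixosModules.default`. Keeping only the flake-input package ties the CLI used to edit and re-key secrets to the same pinned revision: `packages = with pkgs; [ just inputs.agenix.packages."${system}".default ];`.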
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index 87af732..13e052e 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -36,6 +36,8 @@ systemFunc rec {
       home-manager.users.${user} = import userHMConfig { inputs = inputs; };
     }
 
+    inputs.agenix.nixosModules.default
+
     # We expose some extra arguments so that our modules can parameterize
     # better based on these values.
     {
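Review bot: `inputs.agenix.nixosModules.default` is appended unconditionally to the module list; if `systemFunc` here can also be `darwin.lib.darwinSystem` for nix-darwin hosts (the flake does take a `darwin` input), that module will not evaluate there, since agenix exports `darwinModules.default` for that platform — worth selecting the module per system type if mkSystem serves both. A one-line comment above the new line, `# agenix: provides the age.secrets options consumed by the host modules`, would also record why it is pulled in here, in the same spirit as the explanatory comment on the block below it. The enclosing `systemFunc rec { ... }` call starts and ends outside the hunk.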
diff --git a/secrets/restic-backups.age b/secrets/restic-backups.age
new file mode 100644
index 0000000..5e8ea2f
--- /dev/null
+++ b/secrets/restic-backups.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 9Ia8+w mPCN4AjX68aTAy5yMB2ZK7dGHex/1KzgHtIwH3EGn10
+qkAnGg8E6CaGoOFTl5KrkSrb2JVuUjRK2nJQM8UUQec
+-> ssh-ed25519 pXC0Mg pdnJb3OKYTDJ2I083v7On6MMfAm8GrgVWVtet/aJzCM
+qs5Q/xk6KFWgFzN5L+oWAw6VGiGZ1ZXRt4WZglnrdV0
+--- 2ev3nTb+Qhfg6CZnPOJcayE9mp4B1QcHmywEM4al+R0
+PSܮR;
z_b25ωEp5Wp
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..69c15f3
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,12 @@
+let
+  fcuny =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+  users = [ fcuny ];
+
+  vm-aarch64 =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvVTAPXBOynTeMXvti6Xt9luCJAHaHZBb6aGs0SDoO";
+  vm-synology =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf5gXGbOjaoqdpCDnHjBMhikuM0smLKhUo7J83+by+K";
+  systems = [ vm-aarch64 vm-synology ];
+in
+{ "restic-backups.age".publicKeys = [ fcuny vm-synology ]; }
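Review bot: `users`, `vm-aarch64` and `systems` are bound but never referenced — the returned attribute set names `fcuny` and `vm-synology` directly — so the three bindings are dead code that a Nix linter (deadnix, if the repo's pre-commit hooks run one) would flag. Either make use of them, e.g. `"restic-backups.age".publicKeys = users ++ [ vm-synology ];`, or drop `vm-aarch64` and `systems` until a secret actually needs them. A short comment per host key noting which machine it belongs to and which key file it was copied from (e.g. the host's `ssh_host_ed25519_key.pub`) would make recipient review and key rotation easier.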