-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | flake.lock | 88 | ||||
-rw-r--r-- | flake.nix | 28 | ||||
-rw-r--r-- | nix/lib/mkSystem.nix | 2 | ||||
-rw-r--r-- | secrets/restic-backups.age | 7 | ||||
-rw-r--r-- | secrets/secrets.nix | 12 |
6 files changed, 130 insertions, 8 deletions
diff --git a/.gitignore b/.gitignore index 942f51c..7f2acd4 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,3 @@ /*.qcow2 bin/ /.direnv/ -/secrets/ diff --git a/flake.lock b/flake.lock index e4030df..ba094ab 100644 --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,53 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "darwin_2": { + "inputs": { + "nixpkgs": [ "nixpkgs" ] }, @@ -58,7 +103,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -98,6 +143,27 @@ "home-manager": { "inputs": { "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ "nixpkgs" ] }, 
@@ -173,10 +239,11 @@ }, "root": { "inputs": { - "darwin": "darwin", + "agenix": "agenix", + "darwin": "darwin_2", "devshell": "devshell", "flake-utils": "flake-utils", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks", "treefmt-nix": "treefmt-nix" @@ -197,6 +264,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 90a217f..83db950 100644 --- a/flake.nix +++ b/flake.nix @@ -20,17 +20,33 @@ }; flake-utils.url = "github:numtide/flake-utils"; + pre-commit-hooks = { url = "github:cachix/pre-commit-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - devshell.url = "github:numtide/devshell"; - devshell.inputs.nixpkgs.follows = "nixpkgs"; + + devshell = { + url = "github:numtide/devshell"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; # Output config, or config for NixOS system outputs = - { nixpkgs, darwin, flake-utils, pre-commit-hooks, devshell, ... }@inputs: + { nixpkgs + , darwin + , flake-utils + , pre-commit-hooks + , devshell + , agenix + , ... + }@inputs: flake-utils.lib.eachDefaultSystem (system: let @@ -53,7 +69,11 @@ }; devShells.default = pkgs.devshell.mkShell { - packages = with pkgs; [ just ]; + packages = with pkgs; [ + just + agenix + inputs.agenix.packages."${system}".default + ]; env = [{ name = "DEVSHELL_NO_MOTD"; value = "1"; diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix index 87af732..13e052e 100644 --- a/nix/lib/mkSystem.nix +++ b/nix/lib/mkSystem.nix 
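Review bot: The new `agenix` input block only follows `nixpkgs`, so the lock in this same commit now carries a second nix-darwin and a second home-manager (root points at `darwin_2` and `home-manager_2`, while agenix keeps its own older pins from late 2023) even though the root flake already declares `darwin` and `home-manager`. Adding `inputs.darwin.follows = "darwin";` and `inputs.home-manager.follows = "home-manager";` next to the existing `inputs.nixpkgs.follows = "nixpkgs";` keeps a single pinned copy of each, which is one fewer stale revision to update and audit. The extra `systems_2` entry appears to come from the same cause; confirm after re-locking.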
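Review bot: The dev shell now puts two different agenix builds on PATH: `agenix` from the `with pkgs` list (the nixpkgs package) and `inputs.agenix.packages."${system}".default` from the flake input on the following line. Which binary `agenix` resolves to then depends on list order, and the nixpkgs one can drift from the revision pinned for the `nixosModules.default` this commit wires into mkSystem.nix. Keep only the flake-input package so the CLI used to edit and rekey secrets matches the module that decrypts them: drop the bare `agenix` line, leaving `just` and `inputs.agenix.packages."${system}".default`. Since `agenix` is already destructured in the outputs pattern, `agenix.packages.${system}.default` would also read more consistently than going back through `inputs`.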
@@ -36,6 +36,8 @@ systemFunc rec { home-manager.users.${user} = import userHMConfig { inputs = inputs; }; } + inputs.agenix.nixosModules.default + # We expose some extra arguments so that our modules can parameterize # better based on these values. { diff --git a/secrets/restic-backups.age b/secrets/restic-backups.age new file mode 100644 index 0000000..5e8ea2f --- /dev/null +++ b/secrets/restic-backups.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 9Ia8+w mPCN4AjX68aTAy5yMB2ZK7dGHex/1KzgHtIwH3EGn10 +qkAnGg8E6CaGoOFTl5KrkSrb2JVuUjRK2nJQM8UUQec +-> ssh-ed25519 pXC0Mg pdnJb3OKYTDJ2I083v7On6MMfAm8GrgVWVtet/aJzCM +qs5Q/xk6KFWgFzN5L+oWAw6VGiGZ1ZXRt4WZglnrdV0 +--- 2ev3nTb+Qhfg6CZnPOJcayE9mp4B1QcHmywEM4al+R0 +PSܮR; z_b25ωEp5Wp \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..69c15f3 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,12 @@ +let + fcuny = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; + users = [ fcuny ]; + + vm-aarch64 = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvVTAPXBOynTeMXvti6Xt9luCJAHaHZBb6aGs0SDoO"; + vm-synology = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf5gXGbOjaoqdpCDnHjBMhikuM0smLKhUo7J83+by+K"; + systems = [ vm-aarch64 vm-synology ]; +in +{ "restic-backups.age".publicKeys = [ fcuny vm-synology ]; } |
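Review bot: With `/secrets/` dropped from .gitignore in this commit, everything placed under secrets/ is now tracked, including any stray plaintext or decrypted copy left there by mistake; a narrower rule tracks only what belongs in the repository: `/secrets/*`, `!/secrets/*.age`, `!/secrets/secrets.nix`. Separately, in secrets.nix the `users` and `systems` bindings are never used: `"restic-backups.age".publicKeys` lists `[ fcuny vm-synology ]` directly, so `vm-aarch64` cannot decrypt that file, which may be intended but deserves a comment such as `# restic runs only on vm-synology; vm-aarch64 is deliberately not a recipient`. Either reference the lists (`publicKeys = users ++ [ vm-synology ];`) or remove them so the recipient set is declared in one place, and note that a change to `publicKeys` only takes effect once the file is rekeyed with `agenix -r`.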