store password encrypted via agenix

2022-10-10 11:59:05 +03:00 · 2022-10-10 11:59:05 +03:00 · 22ae1aec0d
commit 22ae1aec0d
parent 7b09b44d3e
9 changed files with 43 additions and 29 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1,3 @@
 use flake
+
+export RULES=./secrets.config.nix
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +1,4 @@
 **/secrets.nix filter=git-crypt diff=git-crypt
+
+secrets.config.nix filter=git-crypt diff=git-crypt
+**/*.age filter=git-crypt diff=git-crypt
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1664140963,
+        "narHash": "sha256-pFxDtOLduRFlol0Y4ShE+soRQX4kbhaCNBtDOvx7ykw=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "6acb1fe5f8597d5ce63fc82bc7fcac7774b1cdf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "alejandra": {
      "inputs": {
        "flakeCompat": "flakeCompat",
@ -447,6 +467,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "dedsec-grub-theme": "dedsec-grub-theme",
        "flake-utils": "flake-utils",
        "hardware": "hardware",
--- a/flake.nix
+++ b/flake.nix
@ -6,6 +6,11 @@

    hardware.url = "github:NixOS/nixos-hardware/master";

+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
@ -68,11 +73,11 @@

          devShells = {
            default = pkgs.mkShell {
-              packages = with pkgs;
-                [
-                  stylua # lua formatter
-                  ormolu # haskell formatter
-                ];
+              packages = with pkgs; [
+                stylua # lua formatter
+                ormolu # haskell formatter
+                inputs.agenix.packages.${system}.agenix
+              ];
            };
          };
        })
@ -90,7 +95,10 @@
              specialArgs = { inherit inputs; } // specialArgs;

              modules =
-                (with inputs; [ home-manager.nixosModule ])
+                (with inputs; [
+                  agenix.nixosModule
+                  home-manager.nixosModule
+                ])
                ++ [ ./machines/${hostname} ]
                ++ extraModules;
            })
--- a/secrets.config.nix
+++ b/secrets.config.nix
--- a/secrets.example.nix
+++ b/secrets.example.nix
@ -1,21 +0,0 @@
-{
-  networking.extraHosts = ''
-    127.0.0.2 other-localhost
-  '';
-
-  realName = "Bob";
-  userName = "bob";
-  userDir = "/home/bob";
-  userEmail = "bob@example.com";
-
-  # gpg --list-secret-keys
-  gpgSigningKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
-
-  emailAccounts = {
-    "personal" = {
-      flavor = "yandex.com";
-      address = "bross@yandex.ru";
-      passwordCommand = "pass show emails/bross@yandex.ru";
-    };
-  };
-}
--- a/secrets/users-jan-passfile.age
+++ b/secrets/users-jan-passfile.age
--- a/users/jan/default.nix
+++ b/users/jan/default.nix
@ -1,6 +1,5 @@
 { config, pkgs, lib, inputs, fontSize ? null, ... }:

-let secrets = import ./secrets.nix; in
 {
  nixpkgs.overlays = lib.mkMerge [
    (lib.mkBefore (import ../../overlays))
@ -20,7 +19,7 @@ let secrets = import ./secrets.nix; in
      (lib.mkIf config.virtualisation.docker.enable "docker")
    ];
    shell = pkgs.zsh;
-    inherit (secrets) initialHashedPassword;
+    passwordFile = config.age.secrets.users-jan-passfile.path;
  };

  home-manager = {
@ -39,4 +38,6 @@ let secrets = import ./secrets.nix; in
  };

  nix.settings.trusted-users = lib.mkAfter [ "jan" ];
+
+  age.secrets.users-jan-passfile.file = ../../secrets/users-jan-passfile.age;
 }
--- a/users/jan/secrets.nix
+++ b/users/jan/secrets.nix