store password encrypted via agenix

This commit is contained in:
Dmitriy Pleshevskiy 2022-10-10 11:59:05 +03:00
parent 7b09b44d3e
commit 22ae1aec0d
Signed by: pleshevskiy
GPG key ID: 1B59187B161C0215
9 changed files with 43 additions and 29 deletions

2
.envrc
View file

@ -1 +1,3 @@
use flake
export RULES=./secrets.config.nix

3
.gitattributes vendored
View file

@ -1 +1,4 @@
**/secrets.nix filter=git-crypt diff=git-crypt
secrets.config.nix filter=git-crypt diff=git-crypt
**/*.age filter=git-crypt diff=git-crypt

View file

@ -1,5 +1,25 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1664140963,
"narHash": "sha256-pFxDtOLduRFlol0Y4ShE+soRQX4kbhaCNBtDOvx7ykw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "6acb1fe5f8597d5ce63fc82bc7fcac7774b1cdf0",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"alejandra": {
"inputs": {
"flakeCompat": "flakeCompat",
@ -447,6 +467,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"dedsec-grub-theme": "dedsec-grub-theme",
"flake-utils": "flake-utils",
"hardware": "hardware",

View file

@ -6,6 +6,11 @@
hardware.url = "github:NixOS/nixos-hardware/master";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@ -68,11 +73,11 @@
devShells = {
default = pkgs.mkShell {
packages = with pkgs;
[
stylua # lua formatter
ormolu # haskell formatter
];
packages = with pkgs; [
stylua # lua formatter
ormolu # haskell formatter
inputs.agenix.packages.${system}.agenix
];
};
};
})
@ -90,7 +95,10 @@
specialArgs = { inherit inputs; } // specialArgs;
modules =
(with inputs; [ home-manager.nixosModule ])
(with inputs; [
agenix.nixosModule
home-manager.nixosModule
])
++ [ ./machines/${hostname} ]
++ extraModules;
})

BIN
secrets.config.nix Normal file

Binary file not shown.

View file

@ -1,21 +0,0 @@
{
networking.extraHosts = ''
127.0.0.2 other-localhost
'';
realName = "Bob";
userName = "bob";
userDir = "/home/bob";
userEmail = "bob@example.com";
# gpg --list-secret-keys
gpgSigningKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
emailAccounts = {
"personal" = {
flavor = "yandex.com";
address = "bross@yandex.ru";
passwordCommand = "pass show emails/bross@yandex.ru";
};
};
}

Binary file not shown.

View file

@ -1,6 +1,5 @@
{ config, pkgs, lib, inputs, fontSize ? null, ... }:
let secrets = import ./secrets.nix; in
{
nixpkgs.overlays = lib.mkMerge [
(lib.mkBefore (import ../../overlays))
@ -20,7 +19,7 @@ let secrets = import ./secrets.nix; in
(lib.mkIf config.virtualisation.docker.enable "docker")
];
shell = pkgs.zsh;
inherit (secrets) initialHashedPassword;
passwordFile = config.age.secrets.users-jan-passfile.path;
};
home-manager = {
@ -39,4 +38,6 @@ let secrets = import ./secrets.nix; in
};
nix.settings.trusted-users = lib.mkAfter [ "jan" ];
age.secrets.users-jan-passfile.file = ../../secrets/users-jan-passfile.age;
}

Binary file not shown.