store password encrypted via agenix
This commit is contained in:
parent
7b09b44d3e
commit
22ae1aec0d
9 changed files with 43 additions and 29 deletions
2
.envrc
2
.envrc
|
@ -1 +1,3 @@
|
|||
use flake
|
||||
|
||||
export RULES=./secrets.config.nix
|
||||
|
|
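Review bot: `export RULES=./secrets.config.nix` is resolved against the shell's current directory, not the repository root, so `agenix` run from a subdirectory will not find the rules file. direnv's `expand_path` anchors the value to the `.envrc` location: `export RULES=$(expand_path secrets.config.nix)`. Note also that the rules file is git-crypt filtered by this commit, so the agenix CLI can only parse it on an unlocked checkout; worth a comment in `.envrc` so a fresh clone's "file not found / not valid Nix" error is understood.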
3
.gitattributes
vendored
3
.gitattributes
vendored
|
@ -1 +1,4 @@
|
|||
**/secrets.nix filter=git-crypt diff=git-crypt
|
||||
|
||||
secrets.config.nix filter=git-crypt diff=git-crypt
|
||||
**/*.age filter=git-crypt diff=git-crypt
|
||||
|
|
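Review bot: `**/*.age filter=git-crypt diff=git-crypt` layers a second encryption over files that age has already encrypted to the recipients listed in the rules file, so the recipient list is no longer the whole access story — rekeying or reviewing a secret now also requires the git-crypt key, and the committed `.age` blobs are opaque to anyone checking the recipient set. If this defence-in-depth is intended, say so in the file, e.g. `# .age files are already age-encrypted; git-crypt on top is deliberate`; otherwise the line can be dropped, since committing `.age` files in the clear is the designed workflow. The older `**/secrets.nix` pattern is kept although this commit removes the `import ./secrets.nix` in the machine config; if no such file remains, that pattern is presumably dead and could go too.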
21
flake.lock
21
flake.lock
|
@ -1,5 +1,25 @@
|
|||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1664140963,
|
||||
"narHash": "sha256-pFxDtOLduRFlol0Y4ShE+soRQX4kbhaCNBtDOvx7ykw=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "6acb1fe5f8597d5ce63fc82bc7fcac7774b1cdf0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"alejandra": {
|
||||
"inputs": {
|
||||
"flakeCompat": "flakeCompat",
|
||||
|
@ -447,6 +467,7 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"dedsec-grub-theme": "dedsec-grub-theme",
|
||||
"flake-utils": "flake-utils",
|
||||
"hardware": "hardware",
|
||||
|
|
20
flake.nix
20
flake.nix
|
@ -6,6 +6,11 @@
|
|||
|
||||
hardware.url = "github:NixOS/nixos-hardware/master";
|
||||
|
||||
agenix = {
|
||||
url = "github:ryantm/agenix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
home-manager = {
|
||||
url = "github:nix-community/home-manager";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -68,11 +73,11 @@
|
|||
|
||||
devShells = {
|
||||
default = pkgs.mkShell {
|
||||
packages = with pkgs;
|
||||
[
|
||||
stylua # lua formatter
|
||||
ormolu # haskell formatter
|
||||
];
|
||||
packages = with pkgs; [
|
||||
stylua # lua formatter
|
||||
ormolu # haskell formatter
|
||||
inputs.agenix.packages.${system}.agenix
|
||||
];
|
||||
};
|
||||
};
|
||||
})
|
||||
|
@ -90,7 +95,10 @@
|
|||
specialArgs = { inherit inputs; } // specialArgs;
|
||||
|
||||
modules =
|
||||
(with inputs; [ home-manager.nixosModule ])
|
||||
(with inputs; [
|
||||
agenix.nixosModule
|
||||
home-manager.nixosModule
|
||||
])
|
||||
++ [ ./machines/${hostname} ]
|
||||
++ extraModules;
|
||||
})
|
||||
|
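Review bot: `agenix.nixosModule` is now added to every host built through this function (the function starts outside the hunk), so each host needs an identity that can decrypt its secrets; agenix's default `age.identityPaths` is, as far as I know, derived from the sshd host keys, which means a host with `services.openssh` disabled would fail at activation with no identity. A one-line comment next to `agenix.nixosModule` naming that assumption (`# every host must expose an ssh host key (or set age.identityPaths) for agenix`) would save the next person a confusing activation error. In the devShell hunk the reformatting of `packages = with pkgs; [` is mixed with the functional addition of the agenix package; separating style-only changes from the feature keeps the diff reviewable.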
|
BIN
secrets.config.nix
Normal file
BIN
secrets.config.nix
Normal file
Binary file not shown.
|
@ -1,21 +0,0 @@
|
|||
{
|
||||
networking.extraHosts = ''
|
||||
127.0.0.2 other-localhost
|
||||
'';
|
||||
|
||||
realName = "Bob";
|
||||
userName = "bob";
|
||||
userDir = "/home/bob";
|
||||
userEmail = "bob@example.com";
|
||||
|
||||
# gpg --list-secret-keys
|
||||
gpgSigningKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
|
||||
|
||||
emailAccounts = {
|
||||
"personal" = {
|
||||
flavor = "yandex.com";
|
||||
address = "bross@yandex.ru";
|
||||
passwordCommand = "pass show emails/bross@yandex.ru";
|
||||
};
|
||||
};
|
||||
}
|
BIN
secrets/users-jan-passfile.age
Normal file
BIN
secrets/users-jan-passfile.age
Normal file
Binary file not shown.
|
@ -1,6 +1,5 @@
|
|||
{ config, pkgs, lib, inputs, fontSize ? null, ... }:
|
||||
|
||||
let secrets = import ./secrets.nix; in
|
||||
{
|
||||
nixpkgs.overlays = lib.mkMerge [
|
||||
(lib.mkBefore (import ../../overlays))
|
||||
|
@ -20,7 +19,7 @@ let secrets = import ./secrets.nix; in
|
|||
(lib.mkIf config.virtualisation.docker.enable "docker")
|
||||
];
|
||||
shell = pkgs.zsh;
|
||||
inherit (secrets) initialHashedPassword;
|
||||
passwordFile = config.age.secrets.users-jan-passfile.path;
|
||||
};
|
||||
|
||||
home-manager = {
|
||||
|
@ -39,4 +38,6 @@ let secrets = import ./secrets.nix; in
|
|||
};
|
||||
|
||||
nix.settings.trusted-users = lib.mkAfter [ "jan" ];
|
||||
|
||||
age.secrets.users-jan-passfile.file = ../../secrets/users-jan-passfile.age;
|
||||
}
|
||||
|
|
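Review bot: Replacing `inherit (secrets) initialHashedPassword;` with `passwordFile = config.age.secrets.users-jan-passfile.path;` changes more than the storage location: `initialHashedPassword` only seeds a newly created user, whereas `passwordFile` is (to my recollection) re-applied on every activation, so a password later changed with `passwd` would be reverted on the next rebuild; confirm that is the intended policy for this user. The option also expects a password *hash*, not the plaintext the commit message suggests, so a comment on the `age.secrets` line would help: `# .age holds a hashed password (mkpasswd output), not the plaintext`. The first hunk drops `let secrets = import ./secrets.nix; in`; if any other `secrets.` reference survives elsewhere in this file it is now unbound — the later hunk headers still show the old binding only because they are old-side context, so this cannot be verified from the page.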
Binary file not shown.