diff --git a/.envrc b/.envrc
index 3550a30..f025931 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,3 @@
 use flake
+
+export RULES=./secrets.config.nix
diff --git a/.gitattributes b/.gitattributes
index 1b4ca31..2563acd 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,4 @@
 **/secrets.nix filter=git-crypt diff=git-crypt
+
+secrets.config.nix filter=git-crypt diff=git-crypt
+**/*.age filter=git-crypt diff=git-crypt
diff --git a/flake.lock b/flake.lock
index 542d911..7891cfa 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1664140963,
+ "narHash": "sha256-pFxDtOLduRFlol0Y4ShE+soRQX4kbhaCNBtDOvx7ykw=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "6acb1fe5f8597d5ce63fc82bc7fcac7774b1cdf0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "alejandra": {
 "inputs": {
 "flakeCompat": "flakeCompat",
@@ -447,6 +467,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "dedsec-grub-theme": "dedsec-grub-theme",
 "flake-utils": "flake-utils",
 "hardware": "hardware",
diff --git a/flake.nix b/flake.nix
index b7b950d..1dfe362 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,11 @@
 hardware.url = "github:NixOS/nixos-hardware/master";
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -68,11 +73,11 @@
 devShells = {
 default = pkgs.mkShell {
- packages = with pkgs;
- [
- stylua # lua formatter
- ormolu # haskell formatter
- ];
+ packages = with pkgs; [
+ stylua # lua formatter
+ ormolu # haskell formatter
+ inputs.agenix.packages.${system}.agenix
+ ];
 };
 };
 })
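Review bot: `export RULES=./secrets.config.nix` hands agenix a path relative to the current directory, so `agenix -e` or `agenix -r` run from any subdirectory cannot find its rules file even though direnv keeps the variable exported there; `export RULES=$PWD/secrets.config.nix` (direnv evaluates .envrc with the repository root as cwd) avoids that. The rules file is also routed through git-crypt by the `.gitattributes` hunk in this same commit, so on a locked checkout agenix will `import` git-crypt ciphertext and die with a confusing evaluation error; a comment above the export such as `# agenix rules file; run git-crypt unlock before any agenix command` would save the next person that detour. If secrets.config.nix holds only the agenix recipient list (public keys), it is worth confirming it needs to be encrypted at all — I cannot see its contents from this diff.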
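Review bot: `**/*.age filter=git-crypt diff=git-crypt` wraps the age ciphertext in a second, git-crypt layer, and on any checkout that is not git-crypt-unlocked (CI, a fresh clone used for `nixos-rebuild --flake`) the path assigned to `age.secrets.users-jan-passfile.file` in users/jan/default.nix is git-crypt output rather than age output, so agenix decryption fails at activation. agenix's model is that `.age` files are safe to commit in the clear — only the recipients' private keys open them — and the outer layer adds no confidentiality beyond that while breaking every consumer that lacks the symmetric git-crypt key. Unless hiding the existence of the `.age` files is the goal (their paths are visible in history anyway), drop that line and keep git-crypt for the plaintext `secrets.config.nix` only.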
@@ -90,7 +95,10 @@
 specialArgs = { inherit inputs; } // specialArgs;
 modules =
- (with inputs; [ home-manager.nixosModule ])
+ (with inputs; [
+ agenix.nixosModule
+ home-manager.nixosModule
+ ])
 ++ [ ./machines/${hostname} ]
 ++ extraModules;
 })
diff --git a/secrets.config.nix b/secrets.config.nix
new file mode 100644
index 0000000..cb038a5
Binary files /dev/null and b/secrets.config.nix differ
diff --git a/secrets.example.nix b/secrets.example.nix
deleted file mode 100644
index ea4a460..0000000
--- a/secrets.example.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- networking.extraHosts = ''
- 127.0.0.2 other-localhost
- '';
-
- realName = "Bob";
- userName = "bob";
- userDir = "/home/bob";
- userEmail = "bob@example.com";
-
- # gpg --list-secret-keys
- gpgSigningKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
-
- emailAccounts = {
- "personal" = {
- flavor = "yandex.com";
- address = "bross@yandex.ru";
- passwordCommand = "pass show emails/bross@yandex.ru";
- };
- };
-}
diff --git a/secrets/users-jan-passfile.age b/secrets/users-jan-passfile.age
new file mode 100644
index 0000000..40aa68a
Binary files /dev/null and b/secrets/users-jan-passfile.age differ
diff --git a/users/jan/default.nix b/users/jan/default.nix
index b3ef102..00dd262 100644
--- a/users/jan/default.nix
+++ b/users/jan/default.nix
@@ -1,6 +1,5 @@
 { config, pkgs, lib, inputs, fontSize ? null, ... }:
-let secrets = import ./secrets.nix; in
 {
 nixpkgs.overlays = lib.mkMerge [
 (lib.mkBefore (import ../../overlays))
@@ -20,7 +19,7 @@ let secrets = import ./secrets.nix; in
 (lib.mkIf config.virtualisation.docker.enable "docker")
 ];
 shell = pkgs.zsh;
- inherit (secrets) initialHashedPassword;
+ passwordFile = config.age.secrets.users-jan-passfile.path;
 };
 home-manager = {
@@ -39,4 +38,6 @@ let secrets = import ./secrets.nix; in
 };
 nix.settings.trusted-users = lib.mkAfter [ "jan" ];
+
+ age.secrets.users-jan-passfile.file = ../../secrets/users-jan-passfile.age;
 }
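Review bot: With `let secrets = import ./secrets.nix; in` removed, nothing left in users/jan/default.nix reads `./secrets.nix`, yet that file is still modified (binary, git-crypt) at the end of this diff; I cannot see other consumers from here, so either something else still imports it or it is now dead weight, possibly still carrying the old `initialHashedPassword` hash under a separate key. If nothing else imports it, remove the file and the `**/secrets.nix` git-crypt rule in the same change so the only password material lives in the `.age` secret.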
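Review bot: `passwordFile = config.age.secrets.users-jan-passfile.path;` requires the decrypted file to hold a single crypt(3)-format hash line (what `chpasswd -e` accepts), and the secret's name, "passfile", reads like a plaintext password, so a later edit could easily store the plaintext there — login then just fails and the plaintext sits in the age file; add `# one crypt(3) hash line (mkpasswd -m sha-512), never the plaintext password` beside it. Note also the semantic shift from the removed `inherit (secrets) initialHashedPassword;`: initialHashedPassword applies only when the account is first created, whereas the NixOS option description says passwordFile is read on every activation, so a password changed with `passwd` would presumably be reset on the next rebuild — confirm that is intended. agenix's defaults for the secret declared in the last hunk (root-owned, mode 0400) are the right ones here, since only the activation script reads the hash.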
diff --git a/users/jan/secrets.nix b/users/jan/secrets.nix
index 13372c2..41eed1d 100644
Binary files a/users/jan/secrets.nix and b/users/jan/secrets.nix differ