trying agenix

2024-12-29 10:34:03 +01:00 · 2024-12-29 10:34:03 +01:00 · 9e8b388aaa
commit 9e8b388aaa
parent 8000e2d632
8 changed files with 103 additions and 24 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,28 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": [],
+        "home-manager": [],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -7,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734343412,
-        "narHash": "sha256-b7G8oFp0Nj01BYUJ6ENC9Qf/HsYAIZvN9k/p0Kg/PFU=",
+        "lastModified": 1735048446,
+        "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "a08bfe06b39e94eec98dd089a2c1b18af01fef19",
+        "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21",
        "type": "github"
      },
      "original": {
@ -22,11 +45,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734623593,
-        "narHash": "sha256-iA3kxtbds7yOc77oRBz2On9ZmOVI/1Pic+YQtYUyIsg=",
+        "lastModified": 1735444284,
+        "narHash": "sha256-U0Vw+ZrjbfvmHqeyJKM7lXZWUXIYdaOa32VtNKkfKo8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8af52ff6ba2ed83047881e877718db3bb02fad85",
+        "rev": "cf802984d6b41ea45044455724d5835a4f5fcf81",
        "type": "github"
      },
      "original": {
@ -38,9 +61,25 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "disko": "disko",
        "nixpkgs": "nixpkgs"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -8,6 +8,15 @@
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        home-manager.follows = "";
+        darwin.follows = "";
+      };
+    };
  };

  outputs =
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -1,22 +1,23 @@
 { ... }:
 {
  kropcloud =
-  let
-    serverIp = "192.168.1.160";
-  in {
-    services = {
-      hydra = {
-        enable = true;
-        listenHost = serverIp;
-        port = 3000;
+    let
+      serverIp = "192.168.1.160";
+    in
+    {
+      services = {
+        hydra = {
+          enable = true;
+          listenHost = serverIp;
+          port = 3000;
+        };
+      };
+      networking = {
+        ipv4 = {
+          address = serverIp;
+          prefixLength = 24;
+          defaultGateway = "192.168.1.1";
+        };
      };
    };
-    networking = {
-      ipv4 = {
-        address = serverIp;
-        prefixLength = 24;
-        defaultGateway = "192.168.1.1";
-      };
-    };
-  };
 }
--- a/lib.nix
+++ b/lib.nix
@ -22,8 +22,8 @@
            };
          }
        )
-
        inputs.disko.nixosModules.disko
+        inputs.agenix.nixosModules.agenix
      ];
      specialArgs = {
        inherit inputs;
--- a/nixosModules/services/hydra/default.nix
+++ b/nixosModules/services/hydra/default.nix
@ -32,7 +32,11 @@ in
    services.hydra = {
      enable = true;
      useSubstitutes = true;
-      hydraURL = if (cfg.hydraURL != null) then cfg.hydraURL else "http://${cfg.listenHost}:${builtins.toString cfg.port}";
+      hydraURL =
+        if (cfg.hydraURL != null) then
+          cfg.hydraURL
+        else
+          "http://${cfg.listenHost}:${builtins.toString cfg.port}";
      notificationSender = "hydra@localhost";
      listenHost = cfg.listenHost;
      port = cfg.port;
--- a/nixosModules/users/default.nix
+++ b/nixosModules/users/default.nix
@ -17,8 +17,12 @@ in
  };

  config = {
+
+    age.secrets.mypassword.file = ../../secrets/mypassword.age;
+
    # Define the admin user
    users.users.${cfg.user} = {
+      passwordFile = config.age.secrets.mypassword.path;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = cfg.sshKeys;
--- a/secrets/mypassword.age
+++ b/secrets/mypassword.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 5k28aQ KviGGE6dIqfoveCUfwkHUjGbKiOJZSMMuvXGAek8WR4
+VEWhiHssX0z1o6TEt7OBMOg/lhrL7R6sKxbJFJwdYMo
+-> ssh-ed25519 gyQF0A pMPG63ezxmpG/tB6uEo1mLJvhcR9s/+4WwXxdxlIXG4
+tWfIhKt8/cWpZhvqbpALaDU8tjyvHhN6cpfazEhIkXw
+--- 6iqyysXgmUhpSKKTBzWTABlWGY3CaY+DlcsFRgF7Bfk
+ö4GyeIÛ´—çÅ®[(¦ª<ƒ¥á›>HlÐ=£?g…’´7ÞD
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,15 @@
+let
+  wenar-nix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl0Rdo2kHliBeIiPuiO4kYO5M0VZFNXw4siepV1p6Pj";
+  users = [
+    wenar-nix
+  ];
+
+  test-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4ioqiTzYe6Y6H0YfFkWyDBbCB25wYs3gKNZIufE/Sn";
+  systems = [
+    test-server
+  ];
+  allKeys = users ++ systems;
+in
+{
+  "mypassword.age".publicKeys = allKeys;
+}