Baldur update + secrets setup

2022-12-19 23:14:11 +01:00 · 2022-12-19 23:14:11 +01:00 · e5675984bb
commit e5675984bb
parent 351538a33d
6 changed files with 51 additions and 28 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1665870395,
+        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -287,6 +307,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
--- a/flake.nix
+++ b/flake.nix
@ -4,14 +4,9 @@
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/release-22.11";
    nixpkgs-u.url = "github:NixOS/nixpkgs/nixos-unstable";
-    home-manager = {
-      url = "github:nix-community/home-manager/release-22.05";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    # home-manager-u = {
-    #   url = "github:nix-community/home-manager";
-    #   inputs.nixpkgs.follows = "nixpkgs-u";
-    # };
+    home-manager = { url = "github:nix-community/home-manager/release-22.05"; inputs.nixpkgs.follows = "nixpkgs"; };
+
+    agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };
    deploy-rs = { url = "github:serokell/deploy-rs"; inputs = { nixpkgs.follows = "nixpkgs"; }; };
    flake-utils.url = "github:numtide/flake-utils";
    nixos-generators = { url = "github:nix-community/nixos-generators"; inputs = { nixpkgs.follows = "nixpkgs"; }; };
@ -25,13 +20,13 @@
    , nixpkgs
    , nixpkgs-u
    , home-manager
+    , agenix
    , deploy-rs
    , flake-utils
    , nixos-generators
    , nixos-hardware
    , nix-rice
    , pre-commit-hooks
-    , ...
    }:
    let
      config = {
@ -116,6 +111,10 @@
        # Home manager configuration
        home-manager.nixosModules.home-manager
        { home-manager = { useGlobalPkgs = true; useUserPackages = true; }; }
+        agenix.nixosModule
+        {
+          # age.secrets.oauth_proxy_client_credentials.file = ./secrets/oauth_proxy_client_credentials.age;
+        }

        ./nixos_modules/bertof_user.nix
        ./nixos_modules/distributed.nix
--- a/nixos_modules/bertof_user.nix
+++ b/nixos_modules/bertof_user.nix
@ -6,6 +6,7 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj bertof@odin"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG bertof@thor"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX bertof@baldur"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbbgBCzRsIO6giIVCgTUMgBCrexgvHmq8pis5A4ievH bertof@loki"
    ];
  };
 }
--- a/nixos_modules/extended_registry.nix
+++ b/nixos_modules/extended_registry.nix
@ -1,26 +1,16 @@
 {
  nix.registry = {
+    agenix = {
+      from = { id = "agenix"; type = "indirect"; };
+      to = { type = "github"; owner = "ryantm"; repo = "agenix"; };
+    };
    my-templates = {
-      from = {
-        id = "my-templates";
-        type = "indirect";
-      };
-      to = {
-        type = "github";
-        owner = "bertof";
-        repo = "flake-templates";
-      };
+      from = { id = "my-templates"; type = "indirect"; };
+      to = { type = "github"; owner = "bertof"; repo = "flake-templates"; };
    };
    tex2nix = {
-      from = {
-        id = "tex2nix";
-        type = "indirect";
-      };
-      to = {
-        type = "github";
-        owner = "Mic92";
-        repo = "tex2nix";
-      };
+      from = { id = "tex2nix"; type = "indirect"; };
+      to = { type = "github"; owner = "Mic92"; repo = "tex2nix"; };
    };
  };
 }
--- a/nixos_modules/installer.nix
+++ b/nixos_modules/installer.nix
@ -7,7 +7,6 @@
  };
  users.users.root = {
    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W bertof@odin" # OLD
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj bertof@odin"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG bertof@thor"
    ];
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,13 @@
+# let
+#   bertof_odin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhxOjo9Ac9hVd3eOR56F6sClUMUh1m7VpcmzA18dslj";
+#   bertof_thor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG";
+#   bertof_baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX";
+#   users = [ bertof_odin bertof_thor bertof_baldur ];
+
+#   baldur = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9G8I75gOfB1QJhZU9z+UaYovWq05OfK2FVKtCb8Xxh";
+#   thor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbMiGx/QZ/RKgad3UNyEzgLfqRU0zBo8n0AU3s244Zw";
+#   systems = [ thor baldur ];
+# in
+{
+  #   # "oauth_proxy_client_credentials.age".publicKeys = users ++ systems;
+}