From 6691865feb6f3e5737a18d33e2bdd6c1bf952eaf Mon Sep 17 00:00:00 2001 From: Gabriel Simmer Date: Thu, 7 Sep 2023 19:10:23 +0100 Subject: [PATCH] Testing agenix --- flake.lock | 94 ++++++++++++++++++++++++++--- flake.nix | 4 +- nix/nas/configuration.nix | 4 +- secrets.nix | 10 +++ secrets/vancouver-action-runner.age | 9 +++ 5 files changed, 112 insertions(+), 9 deletions(-) create mode 100644 secrets.nix create mode 100644 secrets/vancouver-action-runner.age diff --git a/flake.lock b/flake.lock index 84f22f7..f6625b8 100644 --- a/flake.lock +++ b/flake.lock @@ -1,6 +1,69 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -22,7 +85,7 @@ }, "nixinate": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1688141737, @@ -75,6 +138,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1653060744, "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", @@ -90,13 +169,13 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { - "lastModified": 1693844670, - "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", + "lastModified": 1694032533, + "narHash": "sha256-I8cfCV/4JNJJ8KHOTxTU1EphKT8ARSb4s9pq99prYV0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1", + "rev": "efd23a1c9ae8c574e2ca923c2b2dc336797f4cc4", "type": "github" }, "original": { @@ -108,10 +187,11 @@ }, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "nixinate": "nixinate", "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" } } }, diff --git a/flake.nix b/flake.nix index 82d7153..77afd63 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,7 @@ { description = "Nix flake for my infrastructure"; inputs = { + agenix.url = "github:ryantm/agenix"; nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixinate.url = "github:matthewcroughan/nixinate"; home-manager.url = "github:nix-community/home-manager"; @@ -11,7 +12,7 @@ }; }; - outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager }: + outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix }: let pkgs = nixpkgs.legacyPackages.x86_64-linux; in { 
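Review bot: The new `agenix.url = "github:ryantm/agenix";` line in the `inputs` block pulls agenix's own `nixpkgs`, `home-manager` and `darwin` pins, which is why the flake.lock hunks gain separate `agenix`, `darwin`, `home-manager` and `nixpkgs` nodes and the root's move to `home-manager_2` and `nixpkgs_3`; two nixpkgs revisions and two home-manager copies are now tracked and evaluated. Unless the module needs its own pins, add `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `agenix.inputs.home-manager.follows = "home-manager";` beside the url line, and `agenix.inputs.darwin.follows = "";` to drop the nix-darwin input on a Linux-only flake. Fewer independently pinned inputs also means fewer upstream sources to watch when updating the lock file.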
@@ -96,6 +97,7 @@
 system = "x86_64-linux";
 modules = [
 (import ./nix/nas/configuration.nix)
+ agenix.nixosModules.default
 home-manager.nixosModules.home-manager
 {
 home-manager.users.gsimmer = import ./nix/nas/home.nix;
diff --git a/nix/nas/configuration.nix b/nix/nas/configuration.nix
index c2d78cd..4f60e30 100644
--- a/nix/nas/configuration.nix
+++ b/nix/nas/configuration.nix
@@ -6,6 +6,8 @@
 ./hardware.nix
 ];
 
+ age.secrets.action-token.file = ../../secrets/vancouver-action-runner.age;
+
 nix = {
 settings = {
 auto-optimise-store = true;
@@ -231,7 +233,7 @@
 "nix:docker://nixos/nix"
 ];
 url = "https://git.gmem.ca/";
- token = "ilTf824bWmTbDtjr0oE2riSzaoUliS54RwjrVDdR";
+ tokenFile = config.age.secrets.action-token.path;
 settings = {
 cache.port = 4328;
 };
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..aeea395
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,10 @@
+let
+ vancouver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC30kDkktiWJGaJEIrqgneQx1SmIYUEVPm7w1F9p//CB";
+ machines = [ vancouver ];
+
+ gsimmer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com";
+ users = [ gsimmer ];
+in
+{
+ "secrets/vancouver-action-runner.age".publicKeys = [ vancouver gsimmer ];
+}
diff --git a/secrets/vancouver-action-runner.age b/secrets/vancouver-action-runner.age
new file mode 100644
index 0000000..dcd7e29
--- /dev/null
+++ b/secrets/vancouver-action-runner.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 oN6OTQ BBqv4gyfV+ZTQTKNhEUPRrzWNKz1YjVr3qyouxZ1l1s
+ApaqQizmjolL/f1j2iQAvRUuCrrv9l0R8ms63TsKmU0
+-> ssh-ed25519 qbziOw XL46mKp0s0IqX3sOY7wdyuxgIAdsNSb+pMl1oUgI2EY
+C+4Zy+62bzn7VkRdndpaiDtHc013K9PIrQXBpSqxD3s
+-> <#q*-grease
+GKgzRmWm4lA3tKsx96FM0QFnDI8Mu8jc76XM5uFZJnEY
+--- FZbu3X6NM/NxZBnjbc/BRIsccomlfkwIelFdc4NXt5g
+PÄó¨‹u®'®¦TÛ åßšµ¹^ªTÃ{ñevô÷Rb{ð1ìK¦Í´eN œAàØéîÊÎ}MûjZ5K…öXd®vÜ+yƒ³”vÝE
\ No newline at end of file
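Review bot: The removed `token = "…"` line in the second configuration.nix hunk leaves the runner registration token in git history, so switching to `tokenFile` protects future values but not this one; the old token should be revoked on the Gitea side and a fresh value encrypted into `secrets/vancouver-action-runner.age`, since anyone with a clone of the repository can still read the removed line. If the `tokenFile` option expects an environment-file format (`TOKEN=…`) rather than the bare token, the decrypted secret must be written in that shape — worth confirming against the option's description before the first deploy, as a mismatch only shows up at registration time. The `age.secrets.action-token.file` declaration in the first hunk of this file is what makes `config.age.secrets.action-token.path` available here; the enclosing runner instance block starts and ends outside the hunk.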
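Review bot: In the new secrets.nix, `machines` and `users` are bound but never used: the rule on the last line lists `[ vancouver gsimmer ]` directly, so the two lists add nothing and will drift from the rules as recipients are added. Either drop them or make the rule read `"secrets/vancouver-action-runner.age".publicKeys = machines ++ users;` so every secret is keyed from the same two lists. A one-line comment above each key, along the lines of `# presumably the decrypting host's ssh_host_ed25519_key.pub — confirm` for `vancouver` and `# administrator key used for editing/re-keying` for `gsimmer`, would record which key is which, which matters when either has to be rotated.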