diff --git a/config/basic/nix.nix b/config/basic/nix.nix index 110e855..e0816c1 100644 --- a/config/basic/nix.nix +++ b/config/basic/nix.nix @@ -1,4 +1,8 @@ -{ inputs, stateVersion, ... }: +{ + inputs, + stateVersion, + ... +}: { nix = { channel.enable = false; @@ -25,6 +29,7 @@ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc=" + (builtins.readFile ../../secrets/nix-key.pub) ]; cores = 0; max-jobs = "auto"; diff --git a/secrets/nix-key.age b/secrets/nix-key.age new file mode 100644 index 0000000..4b60f3c --- /dev/null +++ b/secrets/nix-key.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 ZSqhSMLNYE+Zuy7fviIS8WrGJ9s1v697QI09MBephxk +ghtdboWmw743Q2/ZxO/wNb2nfWA/4SD5YIe/QJ/OLcU +-> piv-p256 ZFgiIw A6hz4+nNIewj/lOuAFkq90pQGlRmLXjYC7/kzuqrDWfn +5TegHKLn0xp6ZHOw2xPVgbILuWz66ommzGgvgegx8/4 +-> piv-p256 XTQkUA A3JpjyVeyfR9rTpda7PjN1KqLLUlHfjVFX4nEZi9RIk6 +gPK+N+tFlCQrdWuMk6Sch+ZO1Rm9y8C1HXpx4CelSIs +-> piv-p256 ZFgiIw A1tUke9w5HVAzPNqbRWPff3jNamve/5Vx55wnSAATSXu +x97X+GIa68umqbmTibcK29AfIvwkTrDpXHbYhLpexP4 +-> piv-p256 5vmPtQ AvdJ4kYYAONx3vrYR4tYY0HrR/EAjsTo7Guk32BhpsJN +UWY49vwtTDrX/wgn4hbinadCp+7v7Qu8vJg+4yA2dGo +-> `nceeU-grease nKj9l >n> +dcVffNSdSw +--- leA1O4oK5yJtoHRZLzFBTY8Hvvl96f/CdbAO6zL92Js +0{rgD¨Z q֐u"Y_c`65Ef|qȵ?E' \ No newline at end of file diff --git a/secrets/nix-key.pub b/secrets/nix-key.pub new file mode 100644 index 0000000..c11561a --- /dev/null +++ b/secrets/nix-key.pub @@ -0,0 +1 @@ +patrickdag.lel.lol-1:MrJBnSnIfvBm/fUdrtXnKstu3yo0NfZa6hKgfDvnsFg= \ No newline at end of file diff --git a/users/patrick/dev.nix b/users/patrick/dev.nix index a8afc05..e3eea97 100644 --- a/users/patrick/dev.nix +++ b/users/patrick/dev.nix 
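Review bot: In the second config/basic/nix.nix hunk, the key read from `secrets/nix-key.pub` joins what looks like the trusted public key list (the attribute name is above the hunk), and nothing marks it as different in kind from the three cache keys. Its secret half is handed to Nix through `secret-key-files` in users/patrick/dev.nix, so any system that receives that secret can sign store paths that every machine importing this file will accept. A comment on the line, such as `# own signing key; secret half is deployed via users/patrick/dev.nix, rotate it if one of those systems is compromised`, would make the trust decision visible. Separately, `builtins.readFile` returns the file byte for byte, so the entry is only well-formed while the .pub file has no trailing newline; `(builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ../../secrets/nix-key.pub))` removes that dependency.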
@@ -7,6 +7,27 @@
 ...
 }:
 lib.optionalAttrs (!minimal) {
+ age.secrets.nix-key = {
+ rekeyFile = ../../secrets/nix-key.age;
+ generator.script =
+ {
+ pkgs,
+ file,
+ ...
+ }:
+ ''
+ priv=$(${lib.getExe pkgs.nix} key generate-secret --key-name patrickdag.lel.lol-1)
+ ${lib.getExe pkgs.nix} key convert-secret-to-public <<< "$priv" > ${
+ lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
+ }
+ echo "$priv"
+ '';
+ };
+ nix.settings = {
+ secret-key-files = [
+ config.age.secrets.nix-key.path
+ ];
+ };
 environment.systemPackages = with pkgs; [
 python3
 jq
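Review bot: The generator script under `age.secrets.nix-key` has no failure handling. If `nix key generate-secret` fails, `priv` is empty, the redirect has already truncated the `.pub` file, and the final `echo "$priv"` still exits 0, so an empty secret could be encrypted alongside an empty public key file. Starting the script with `set -euo pipefail` would stop at the first failing command, unless the tool that runs the generator already enforces this inside the script, which is not visible here. A comment on `secret-key-files` would also help, noting that locally built paths on these systems are then signed with this key and that config/basic/nix.nix trusts it. The enclosing `lib.optionalAttrs (!minimal) { … }` block continues past the hunk.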