From f355c527ee46538335fd7bb1f123d1e409f468ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?=
Date: Wed, 25 Jan 2023 22:12:36 +0100
Subject: [PATCH] feat: Added secret support with agenix
---
 .gitignore | 1 -
 configuration.nix | 28 +++++++++++++++-------------
 flake.lock | 21 +++++++++++++++++++++
 flake.nix | 8 ++++----
 secrets/NIXOSa.key | 7 +++++++
 secrets/NIXOSc.key | 7 +++++++
 secrets/iwd/devolo-og.psk.age | 10 ++++++++++
 secrets/iwd/eduroam.8021x.age | Bin 0 -> 505 bytes
 8 files changed, 64 insertions(+), 18 deletions(-)
 create mode 100644 secrets/NIXOSa.key
 create mode 100644 secrets/NIXOSc.key
 create mode 100644 secrets/iwd/devolo-og.psk.age
 create mode 100644 secrets/iwd/eduroam.8021x.age
diff --git a/.gitignore b/.gitignore
index 8cdc481..e69de29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-iwd
diff --git a/configuration.nix b/configuration.nix
index 6fa6d97..576d4f1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,6 +4,7 @@
 {
 config,
 pkgs,
+ age,
 ...
 }: {
 imports = [
@@ -23,10 +24,17 @@
 networking.hostId = "68438432";
 # Pick only one of the below networking options.
 networking.wireless.iwd.enable = true;
- # I would advise against pushing your secrets
- #system.activationScripts.getIWD.text = ''
- # cp -r /etc/nixos/iwd /var/lib/
- #'';
+ age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];
+ age.plugins = [ pkgs.age-plugin-yubikey ];
+ age.secrets.eduroam = {
+ file = ./secrets/iwd/eduroam.8021x.age;
+ path = "/etc/iwd/eduroam.8021x";
+ };
+ age.secrets.devoloog = {
+ file = ./secrets/iwd/devolo-og.psk.age;
+ path = "/etc/iwd/devolo-og.psk";
+ };
+
 networking.useNetworkd = true;
 networking.dhcpcd.enable = false;
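Review bot: `age,` is added to the module's argument set, but nothing in the visible hunks reads it as a value — `age.identityPaths`, `age.plugins` and `age.secrets.*` in the next hunk are option assignments on the module's config, not uses of this argument. Unless the agenix module exports an `age` module argument (not visible here), evaluating this module would fail with a missing-argument error, so dropping the added line `+  age,` is the safer form. The enclosing attribute set continues outside the hunk.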
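Review bot: `age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];` uses path literals, so once they are interpolated into the activation script both files are copied into the world-readable Nix store and become part of every closure built from this flake. That is tolerable only because, per the files' own headers in this patch, they are age-plugin-yubikey identity stubs (serial, slot, recipient) and decryption still requires the physical token; that decision deserves a comment next to the line, e.g. `# Yubikey identity stubs, not private keys: decryption needs the token (PIN once, touch cached 15 s)`. The same dependency on the token means activation cannot materialise `/etc/iwd/eduroam.8021x` or `/etc/iwd/devolo-og.psk` when no Yubikey is inserted (a rebuild over SSH, an unattended boot), so agenix's behaviour on a failed decryption should be checked before network access is made to depend on it. Note also that this patch empties .gitignore of its `iwd` entry, so a leftover plaintext `iwd/` directory in the working tree would no longer be excluded from commits.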
@@ -111,21 +119,14 @@
 # List packages installed in system profile. To search, run:
 # $ nix search wget
 environment.systemPackages = with pkgs; [
- vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
 xterm
 wget
 gcc
 tree
+ age-plugin-yubikey
+ rage
 ];
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
-
 # List services that you want to enable:
 # Enable the OpenSSH daemon.
@@ -168,6 +169,7 @@
 # Copy the NixOS configuration file and link it from the resulting system
 # (/run/current-system/configuration.nix). This is useful in case you
 # accidentally delete configuration.nix.
+ # breaks flake based building
 # system.copySystemConfiguration = true;
 # This value determines the NixOS release from which the default
diff --git a/flake.lock b/flake.lock
index dade9ea..8ad81a9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1674681075,
+ "narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=",
+ "owner": "oddlama",
+ "repo": "agenix",
+ "rev": "12d1b138188dda50704c2816be73d6e183f45797",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oddlama",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -39,6 +59,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs"
 }
diff --git a/flake.nix b/flake.nix
index 9e5659b..496cb30 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,8 +5,10 @@
 # should use system nixpkgs instead of their own
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ inputs.agenix.url = "github:oddlama/agenix";
+ inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
- outputs = { self, nixpkgs, home-manager, ... }: let
+ outputs = { self, nixpkgs, home-manager, agenix, ... }: let
 system = "x86_64-linux";
 in {nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem {
@@ -18,10 +20,8 @@
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
 }
+ agenix.nixosModule
 ];
 };
- pkgs = import nixpkgs {
- inherit system;
- };
 };
 }
diff --git a/secrets/NIXOSa.key b/secrets/NIXOSa.key
new file mode 100644
index 0000000..5c4b2bd
--- /dev/null
+++ b/secrets/NIXOSa.key
@@ -0,0 +1,7 @@
+# Serial: 23010997, Slot: 1
+# Name: Yubikey A NIXOS
+# Created: Wed, 25 Jan 2023 17:20:26 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5
+AGE-PLUGIN-YUBIKEY-1K5097QVZT56ZG5QC4YLVS
diff --git a/secrets/NIXOSc.key b/secrets/NIXOSc.key
new file mode 100644
index 0000000..026e754
--- /dev/null
+++ b/secrets/NIXOSc.key
@@ -0,0 +1,7 @@
+# Serial: 15489049, Slot: 1
+# Name: Yubikey C NIXOS
+# Created: Wed, 25 Jan 2023 17:29:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7
+AGE-PLUGIN-YUBIKEY-1R9VWCQYZV3VZYGCDAXQQM
diff --git a/secrets/iwd/devolo-og.psk.age b/secrets/iwd/devolo-og.psk.age
new file mode 100644
index 0000000..c08e7f6
--- /dev/null
+++ b/secrets/iwd/devolo-og.psk.age
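Review bot: `inputs.agenix.url = "github:oddlama/agenix";` follows the default branch of a personal fork of agenix, so every `nix flake update` will take whatever that branch then contains, for the component that performs secret decryption at activation. The accompanying flake.lock pins it to rev `12d1b138188dda50704c2816be73d6e183f45797` for now; if the fork is required for `age.plugins`, consider pinning the input explicitly, e.g. `inputs.agenix.url = "github:oddlama/agenix?rev=12d1b138188dda50704c2816be73d6e183f45797";`, and recording in a comment why upstream agenix is not used so the fork dependency is revisited later. The `inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";` line is good, as it keeps a single nixpkgs in the closure.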
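Review bot: Both `secrets/NIXOSa.key` and `secrets/NIXOSc.key` appear to hold an age-plugin-yubikey identity stub rather than a private key — the `AGE-PLUGIN-YUBIKEY-1…` line references the token named in the header (serial 23010997 / slot 1, and 15489049 / slot 1 in the second file), and the header itself states that a physical touch is required for decryption. Committing them is therefore a defensible choice, but a `.key` file under `secrets/` reads as a leaked private key to anyone skimming the repository or to a secret scanner; consider adding a line such as `# Identity stub only: the private key never leaves the YubiKey` to each file's generated header, or renaming them to `.identity`.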
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 XTQkUA A3bkPQBtgR2mccdoDTmEJN8yhwVyXEQ2qDK3myRAXYmV +Avcz4f1n3XgaV83IQVXsKYrUvJmrBd4Bm0uufdikRfw +-> piv-p256 ZFgiIw AsS/RaZgkcvTzu21pjteOA/9u11NsAJmgPjmBz4Mn3mc +4qTcGG3cTL4LmAFAdrGV9ebjlEkGmbRrYGe6Xkos/m0 +-> li-grease `LQrw #f-02g CBg8gi1 +E8QTqw +--- uvUZ9VFhJuoHPtKgbFbpLTNCpH86WCeyVXnR9i8SR0E +G&ʓlPI#GY2`_Ŀ'ni; ߛn9hoM 8rdVYڧ3*v~[76j!,zG#|rQ AO](Ӡxg-Z-k-VD+rFE4⌍D?#qzb8&'Ѹ0(9P nMMPx(3LE"_jWaBfWH +k=qū5Taa.V$>KkԛwEȥżq:+ṷ81I91]z%+}K%9n|ƍN 1bCT T?+riKmufFBJK+y& x>Ffuh$hzJSH4s}#;%q@yYHTBQ0 z2=fSY%m~RU&dp4!%r(g?&NGMz3k@|5tTZbMb4gE(tk8GnN{tBgbqRNk$SgBSHBKq6 zFbX#{i%cyx^h*zR32@C1Ehx{gD6l9=%PdPru`9|gJ=3#X!7;zY(Z!;w#2~^&J2yW$ zG0`Kt*w>)4tR%gp+|kJ+#Uww}II}V_&nGX{mn%0VuQb=d+{G}~u`nkz zF+U~O!@?~i*et`-xGXCrHQb;o5@eS_v_nOnZhBE_VsWa1wOvIKSCU_(xodV|il@K1 zdyZF-M`~`AS#Y9JibZ~8UQ#)iuCA_vesNWLrgxAXNN@z%aSw=;2fVNvi zQKeHsq>H0|Nv3OLxw|XZNzNy~nJnXzmfv}~DnLoxvb>JJbGPHCP0N1gSe?=iyW5;} z_c7;3!Nbe_&z|4u`0azm?TeB=QX4Yn_spyLWAN${e^hcwkpBCJ-bbf={My7&!FfZr zIA3;e%2B;3)&Va&Z=U0y6Q{V}*0wSy>two7SK`u}p~idX)@N09?mJ%c?ThZrkF^!^ o9MdKr_1wU3T`L`vocQ;qVc?V&x32c%$@V-!J`7&(KdMRq06WRU(f|Me literal 0 HcmV?d00001