feat: Added secret support with agenix

2023-01-25 22:12:36 +01:00 · 2023-01-25 22:12:36 +01:00 · f355c527ee
parent 069dc455a9
commit f355c527ee
8 changed files with 64 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
 iwd
--- a/configuration.nix
+++ b/configuration.nix
@ -4,6 +4,7 @@
 {
  config,
  pkgs,
  age,
  ...
 }: {
  imports = [
@ -23,10 +24,17 @@
  networking.hostId = "68438432";
  # Pick only one of the below networking options.
  networking.wireless.iwd.enable = true;
-  # I would advise against pushing your secrets
+  age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];
-  #system.activationScripts.getIWD.text = ''
+  age.plugins = [ pkgs.age-plugin-yubikey ];
-  #  cp -r /etc/nixos/iwd /var/lib/
+  age.secrets.eduroam = {
-  #'';
+	file = ./secrets/iwd/eduroam.8021x.age;
 	path = "/etc/iwd/eduroam.8021x";
  };
  age.secrets.devoloog = {
 	file = ./secrets/iwd/devolo-og.psk.age;
 	path = "/etc/iwd/devolo-og.psk";
  };
  networking.useNetworkd = true;
  networking.dhcpcd.enable = false;
@ -111,21 +119,14 @@
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    xterm
    wget
    gcc
 	tree
 	age-plugin-yubikey
 	rage
  ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
@ -168,6 +169,7 @@
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # breaks flake based building
  # system.copySystemConfiguration = true;
  # This value determines the NixOS release from which the default
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1674681075,
        "narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=",
        "owner": "oddlama",
        "repo": "agenix",
        "rev": "12d1b138188dda50704c2816be73d6e183f45797",
        "type": "github"
      },
      "original": {
        "owner": "oddlama",
        "repo": "agenix",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -39,6 +59,7 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
--- a/flake.nix
+++ b/flake.nix
@ -5,8 +5,10 @@
 	# should use system nixpkgs instead of their own
 	inputs.nixpkgs.follows = "nixpkgs";
  };
  inputs.agenix.url = "github:oddlama/agenix";
  inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
-  outputs = { self, nixpkgs, home-manager, ... }: let
+  outputs = { self, nixpkgs, home-manager, agenix, ... }: let
      system = "x86_64-linux";
    in {nixosConfigurations.patricknix =
 		nixpkgs.lib.nixosSystem {
@ -18,10 +20,8 @@
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
 		  }
 		  agenix.nixosModule
 	  ];
    };
 	pkgs = import nixpkgs {
 		inherit system;
 	};
  };
 }
--- a/secrets/NIXOSa.key
+++ b/secrets/NIXOSa.key
@ -0,0 +1,7 @@
 #       Serial: 23010997, Slot: 1
 #         Name: Yubikey A NIXOS
 #      Created: Wed, 25 Jan 2023 17:20:26 +0000
 #   PIN policy: Once   (A PIN is required once per session, if set)
 # Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
 #    Recipient: age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5
 AGE-PLUGIN-YUBIKEY-1K5097QVZT56ZG5QC4YLVS
--- a/secrets/NIXOSc.key
+++ b/secrets/NIXOSc.key
@ -0,0 +1,7 @@
 #       Serial: 15489049, Slot: 1
 #         Name: Yubikey C NIXOS
 #      Created: Wed, 25 Jan 2023 17:29:44 +0000
 #   PIN policy: Once   (A PIN is required once per session, if set)
 # Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
 #    Recipient: age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7
 AGE-PLUGIN-YUBIKEY-1R9VWCQYZV3VZYGCDAXQQM
--- a/secrets/iwd/devolo-og.psk.age
+++ b/secrets/iwd/devolo-og.psk.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> piv-p256 XTQkUA A3bkPQBtgR2mccdoDTmEJN8yhwVyXEQ2qDK3myRAXYmV
 Avcz4f1n3XgaV83IQVXsKYrUvJmrBd4Bm0uufdikRfw
 -> piv-p256 ZFgiIw AsS/RaZgkcvTzu21pjteOA/9u11NsAJmgPjmBz4Mn3mc
 4qTcGG3cTL4LmAFAdrGV9ebjlEkGmbRrYGe6Xkos/m0
 -> li-grease `LQrw #f-02g CBg8gi1
 E8QTqw
 --- uvUZ9VFhJuoHPtKgbFbpLTNCpH86WCeyVXnR9i8SR0E
 ¾Gì&¹Ê“±…lÂêPI#G¡YÈ·±2ô`ú<>_ùÍÄ¿€óòåÚô'‰øå¾néèiõ;‘ØÌ	ß›í×n˜ÙÀ9ho•ÏM8¹Ž™rdVYÚ§Àôµ3¬©*v~¤[7ÕÄÍ6Ÿ<36>ñÓjà°!³,…—ðŽzºGë¶Ë#Â|ÿr¥ÎQœÑ
AÄO…]ÿ(¬ñÓ xg‘-Z-‚¬‰ÜýkÊ-VÒçìÕóËþ<04>DÕÎ+rFøE4¸âŒ<C3A2>˜D?#qzb8²õª£&'Ñ¸‡¥Þ0º(9PnM”M³P¶‹žßéæ¯Ìx(3ºLÜÂEîð"†ˆ_ò÷ÍjîÅWaBåßfWHžÉ
 ºkü=qÅ«å5T¹aïÁa.V$>ŠÒÊK’ëkÊ<0F>¿Ô›€öwE¤È¥Á¼Å¼q:+‹•õuéÖÌ8€1ÒI<C392>öÜ91 ]z<>%+}K¤à%±9¡èŠn‚|Æ<>NðÐ1bËC<>TæTÌ?+©riKÞmåuf‘F²B™äJK+yÊ&çË
x><s”¡/–0¶Øî¿sÜ{¨ø„¢¬]}èû\~™:ÄÁ ÄØâÄ)øÜÓ·WŸwYöP¼œt²ö«âÕVLöß³çSñ‡µhUþ½yžb÷’óÐhB¾§0Ÿº<C5B8>
--- a/secrets/iwd/eduroam.8021x.age
+++ b/secrets/iwd/eduroam.8021x.age