feat: Added secret support with agenix

This commit is contained in:
Patrick Großmann 2023-01-25 22:12:36 +01:00
parent 069dc455a9
commit f355c527ee
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
8 changed files with 64 additions and 18 deletions

1
.gitignore vendored
View file

@ -1 +0,0 @@
iwd

View file

@ -4,6 +4,7 @@
{ {
config, config,
pkgs, pkgs,
age,
... ...
}: { }: {
imports = [ imports = [
@ -23,10 +24,17 @@
networking.hostId = "68438432"; networking.hostId = "68438432";
# Pick only one of the below networking options. # Pick only one of the below networking options.
networking.wireless.iwd.enable = true; networking.wireless.iwd.enable = true;
# I would advise against pushing your secrets age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];
#system.activationScripts.getIWD.text = '' age.plugins = [ pkgs.age-plugin-yubikey ];
# cp -r /etc/nixos/iwd /var/lib/ age.secrets.eduroam = {
#''; file = ./secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
age.secrets.devoloog = {
file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
networking.useNetworkd = true; networking.useNetworkd = true;
networking.dhcpcd.enable = false; networking.dhcpcd.enable = false;
@ -111,21 +119,14 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
xterm xterm
wget wget
gcc gcc
tree tree
age-plugin-yubikey
rage
]; ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable: # List services that you want to enable:
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
@ -168,6 +169,7 @@
# Copy the NixOS configuration file and link it from the resulting system # Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you # (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix. # accidentally delete configuration.nix.
# breaks flake based building
# system.copySystemConfiguration = true; # system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default

View file

@ -1,5 +1,25 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1674681075,
"narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=",
"owner": "oddlama",
"repo": "agenix",
"rev": "12d1b138188dda50704c2816be73d6e183f45797",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "agenix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -39,6 +59,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }

View file

@ -5,8 +5,10 @@
# should use system nixpkgs instead of their own # should use system nixpkgs instead of their own
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
inputs.agenix.url = "github:oddlama/agenix";
inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, home-manager, ... }: let outputs = { self, nixpkgs, home-manager, agenix, ... }: let
system = "x86_64-linux"; system = "x86_64-linux";
in {nixosConfigurations.patricknix = in {nixosConfigurations.patricknix =
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
@ -18,10 +20,8 @@
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
} }
agenix.nixosModule
]; ];
}; };
pkgs = import nixpkgs {
inherit system;
};
}; };
} }

7
secrets/NIXOSa.key Normal file
View file

@ -0,0 +1,7 @@
# Serial: 23010997, Slot: 1
# Name: Yubikey A NIXOS
# Created: Wed, 25 Jan 2023 17:20:26 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5
AGE-PLUGIN-YUBIKEY-1K5097QVZT56ZG5QC4YLVS

7
secrets/NIXOSc.key Normal file
View file

@ -0,0 +1,7 @@
# Serial: 15489049, Slot: 1
# Name: Yubikey C NIXOS
# Created: Wed, 25 Jan 2023 17:29:44 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7
AGE-PLUGIN-YUBIKEY-1R9VWCQYZV3VZYGCDAXQQM

View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> piv-p256 XTQkUA A3bkPQBtgR2mccdoDTmEJN8yhwVyXEQ2qDK3myRAXYmV
Avcz4f1n3XgaV83IQVXsKYrUvJmrBd4Bm0uufdikRfw
-> piv-p256 ZFgiIw AsS/RaZgkcvTzu21pjteOA/9u11NsAJmgPjmBz4Mn3mc
4qTcGG3cTL4LmAFAdrGV9ebjlEkGmbRrYGe6Xkos/m0
-> li-grease `LQrw #f-02g CBg8gi1
E8QTqw
--- uvUZ9VFhJuoHPtKgbFbpLTNCpH86WCeyVXnR9i8SR0E
¾GìÊ“±…lÂêPI#G¡YÈ·±2ô`ú<>_ùÍÄ¿€óòåÚô'‰øå¾néèiõ; ØÌ ßí×n˜ÙÀ9ho•ÏM 8¹Ž™rdVYÚ§Àôµ3¬©*v~¤[7ÕÄÍ6Ÿ<36>ñÓjà°!³,…—ðŽzºGë¶Ë#Â|ÿr¥ÎQœÑ AÄO…]ÿ(¬ñÓ xg-Z-¬‰ÜýkÊ-VÒçìÕóËþ<04>DÕÎ+rFøE4¸âŒ<C3A2>˜D?#qzb8²õª£&'Ѹ‡¥Þ0º(9P nM”M³P¶‹žßéæ¯Ìx(3ºLÜÂEîð"†ˆ_ò÷ÍjîÅWaBåßfWHžÉ
ºkü=qÅ«å5T¹aïÁa.V$>ŠÒÊKëkÊ<0F>¿Ô›€öwE¤È¥Á¼Å¼q:+‹•õuéÖÌ­8€1ÒI<C392>öÜ91 ]z<>%+}K¤à%±9¡èŠn<> Ð1bËC<> TÌ?+©riKÞmåufF²B™äJK+yÊ&çË x><s”¡/0¶Øî¿sÜ{¨ø„¢¬]}èû\~™:ÄÁ ÄØâÄ)øÜÓ·WŸwY öP¼œt²ö«âÕVLöß³çSñ‡µhUþ½yžb÷óÐhB¾§0Ÿº<C5B8>

Binary file not shown.