feat: Added secret support with agenix

2023-01-25 22:12:36 +01:00 · 2023-01-25 22:12:36 +01:00 · f355c527ee
parent 069dc455a9
commit f355c527ee
8 changed files with 64 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
-iwd
--- a/configuration.nix
+++ b/configuration.nix
@ -4,6 +4,7 @@
 {
  config,
  pkgs,
+  age,
  ...
 }: {
  imports = [
@ -23,10 +24,17 @@
  networking.hostId = "68438432";
  # Pick only one of the below networking options.
  networking.wireless.iwd.enable = true;
-  # I would advise against pushing your secrets
-  #system.activationScripts.getIWD.text = ''
-  #  cp -r /etc/nixos/iwd /var/lib/
-  #'';
+  age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];
+  age.plugins = [ pkgs.age-plugin-yubikey ];
+  age.secrets.eduroam = {
+	file = ./secrets/iwd/eduroam.8021x.age;
+	path = "/etc/iwd/eduroam.8021x";
+  };
+  age.secrets.devoloog = {
+	file = ./secrets/iwd/devolo-og.psk.age;
+	path = "/etc/iwd/devolo-og.psk";
+  };
+

  networking.useNetworkd = true;
  networking.dhcpcd.enable = false;
@ -111,21 +119,14 @@
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
-    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    xterm
    wget
    gcc
 	tree
+	age-plugin-yubikey
+	rage
  ];

-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
  # List services that you want to enable:

  # Enable the OpenSSH daemon.
@ -168,6 +169,7 @@
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
+  # breaks flake based building
  # system.copySystemConfiguration = true;

  # This value determines the NixOS release from which the default
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1674681075,
+        "narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=",
+        "owner": "oddlama",
+        "repo": "agenix",
+        "rev": "12d1b138188dda50704c2816be73d6e183f45797",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -39,6 +59,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
--- a/flake.nix
+++ b/flake.nix
@ -5,8 +5,10 @@
 	# should use system nixpkgs instead of their own
 	inputs.nixpkgs.follows = "nixpkgs";
  };
+  inputs.agenix.url = "github:oddlama/agenix";
+  inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";

-  outputs = { self, nixpkgs, home-manager, ... }: let
+  outputs = { self, nixpkgs, home-manager, agenix, ... }: let
      system = "x86_64-linux";
    in {nixosConfigurations.patricknix =
 		nixpkgs.lib.nixosSystem {
@ -18,10 +20,8 @@
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
 		  }
+		  agenix.nixosModule
 	  ];
    };
-	pkgs = import nixpkgs {
-		inherit system;
-	};
  };
 }
--- a/secrets/NIXOSa.key
+++ b/secrets/NIXOSa.key
@ -0,0 +1,7 @@
+#       Serial: 23010997, Slot: 1
+#         Name: Yubikey A NIXOS
+#      Created: Wed, 25 Jan 2023 17:20:26 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5
+AGE-PLUGIN-YUBIKEY-1K5097QVZT56ZG5QC4YLVS
--- a/secrets/NIXOSc.key
+++ b/secrets/NIXOSc.key
@ -0,0 +1,7 @@
+#       Serial: 15489049, Slot: 1
+#         Name: Yubikey C NIXOS
+#      Created: Wed, 25 Jan 2023 17:29:44 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7
+AGE-PLUGIN-YUBIKEY-1R9VWCQYZV3VZYGCDAXQQM
--- a/secrets/iwd/devolo-og.psk.age
+++ b/secrets/iwd/devolo-og.psk.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 XTQkUA A3bkPQBtgR2mccdoDTmEJN8yhwVyXEQ2qDK3myRAXYmV
+Avcz4f1n3XgaV83IQVXsKYrUvJmrBd4Bm0uufdikRfw
+-> piv-p256 ZFgiIw AsS/RaZgkcvTzu21pjteOA/9u11NsAJmgPjmBz4Mn3mc
+4qTcGG3cTL4LmAFAdrGV9ebjlEkGmbRrYGe6Xkos/m0
+-> li-grease `LQrw #f-02g CBg8gi1
+E8QTqw
+--- uvUZ9VFhJuoHPtKgbFbpLTNCpH86WCeyVXnR9i8SR0E
+¾Gì&¹Ê“±…lÂêPI#G¡YÈ·±2ô`ú<>_ùÍÄ¿€óòåÚô'‰øå¾néèiõ;‘ØÌ	ß›í×n˜ÙÀ9ho•ÏM8¹Ž™rdVYÚ§Àôµ3¬©*v~¤[7ÕÄÍ6Ÿ<36>ñÓjà°!³,…—ðŽzºGë¶Ë#Â|ÿr¥ÎQœÑ
AÄO…]ÿ(¬ñÓ xg‘-Z-‚¬‰ÜýkÊ-VÒçìÕóËþ<04>DÕÎ+rFøE4¸âŒ<C3A2>˜D?#qzb8²õª£&'Ñ¸‡¥Þ0º(9PnM”M³P¶‹žßéæ¯Ìx(3ºLÜÂEîð"†ˆ_ò÷ÍjîÅWaBåßfWHžÉ
+ºkü=qÅ«å5T¹aïÁa.V$>ŠÒÊK’ëkÊ<0F>¿Ô›€öwE¤È¥Á¼Å¼q:+‹•õuéÖÌ8€1ÒI<C392>öÜ91 ]z<>%+}K¤à%±9¡èŠn‚|Æ<>NðÐ1bËC<>TæTÌ?+©riKÞmåuf‘F²B™äJK+yÊ&çË
x><s”¡/–0¶Øî¿sÜ{¨ø„¢¬]}èû\~™:ÄÁ ÄØâÄ)øÜÓ·WŸwYöP¼œt²ö«âÕVLöß³çSñ‡µhUþ½yžb÷’óÐhB¾§0Ÿº<C5B8>
--- a/secrets/iwd/eduroam.8021x.age
+++ b/secrets/iwd/eduroam.8021x.age