Replace sops-nix with agenix; nix flake update

.sops.yaml

@@ -1,9 +0,0 @@
-keys:
-  - &james age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
-  - &matricx_server age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
-creation_rules:
-  - path_regex: secrets/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *james
-      - *matricx_server

flake.lock

@@ -1,12 +1,55 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": [],
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1684153753,
+        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682203081,
+        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1685931219,
-        "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=",
+        "lastModified": 1687502512,
+        "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7409480d5c8584a1a83c422530419efe4afb0d19",
+        "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
         "type": "github"
       },
       "original": {
@@ -15,47 +58,10 @@
         "type": "indirect"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1685758009,
-        "narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-22.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs",
-        "sops": "sops"
-      }
-    },
-    "sops": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1685848844,
-        "narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs"
       }
     }
   },

flake.nix

@@ -1,13 +1,14 @@
 {
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-unstable";
-    sops = {
-      url = "github:Mic92/sops-nix";
+    agenix = {
+      url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
+      inputs.darwin.follows = "";
     };
   };
 
-  outputs = { self, nixpkgs, sops, ... }@attrs:
+  outputs = { self, nixpkgs, agenix, ... }@attrs:
     let
       containerDef = import ./containers.nix;
       serviceContainers = containerDef.containers;
@@ -16,8 +17,11 @@
       system = "x86_64-linux";
     in {
       devShell.x86_64-linux = pkgs.mkShell {
-        buildInputs =
-          [ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ];
+        buildInputs = [ 
+          agenix.packages.x86_64-linux.default
+          (pkgs.nixos { }).nixos-rebuild 
+          pkgs.terraform 
+        ];
         shellHook = ''
           alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
         '';
@@ -32,7 +36,7 @@
           modules = [
             ({ modulesPath, ... }: {
 
-              imports = [ sops.nixosModules.sops ./hardware-configuration.nix ];
+              imports = [ agenix.nixosModules.default ./hardware-configuration.nix ];
 
               nix = {
                 buildMachines = [ ];
@@ -103,13 +107,15 @@
 
               };
 
-              sops = {
-                age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
-                defaultSopsFile = ./secrets/keys.yaml;
-                secrets = {
-                  hostname = { };
-                };
-              };
+              age.secrets.keys.file = ./secrets/keys.age;
+
+              #sops = {
+              #  age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
+              #  defaultSopsFile = ./secrets/keys.yaml;
+              #  secrets = {
+              #    hostname = { };
+              #  };
+              #};
 
               system.stateVersion = "22.11";
             })

secrets.nix

@@ -0,0 +1,7 @@
+let
+  james = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7R6FstqVDjVuyKGEUmWolYJ/I/DDxYOQV/zKPkiAth james@eversole.co";
+  eve-psr-nix0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp root@matri.cx";
+in
+{
+  "secrets/keys.age".publicKeys = [ james eve-psr-nix0 ];
+}

secrets/keys.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dQ70Fw rk720Z4FcevWzCpHH93B8V13n9Kxj7U6Bt7Cf9anwzY
+SNURWmXdudWxXYu54Kn2Eoy8s/D9KQHnN+caav31jhI
+-> ssh-ed25519 ZIoeGg Bc0ZDRs7FsQ4lzs6blBYow1QtXTNf11+h9AWhoOzTDE
+rmy5FddgsiyMwJ1Rzkh8byCTlTAmPkaEL0SeosW5rks
+-> g-grease 6FX";W
+IsxmKBHS8FjxEywbUIjQvQXHY8xBGIS7zgflLB81hTkh7+jEbiTiuvAJKuNVflCL
+dlcfala3VL/wbLkT5xxCZMY+5hZyukBYqg
+--- FyIxswg/cWqWgWTrPv9jORQT15rF5h6dCbcyekBMTt0
+M<EFBFBD><EFBFBD><EFBFBD>Ϟ9<<3C>!{A<><41><EFBFBD>u<EFBFBD><75>Nk<4E><07>@<40>׭K6<4B><36>@9<><39>Ӈh<>]-<2D><1E>0<EFBFBD>*<2A>d<EFBFBD>֡<EFBFBD>

secrets/keys.yaml

@@ -1,30 +0,0 @@
-hostname: ENC[AES256_GCM,data:cFZxNM65KwVZ7ngg,iv:iqm5Hbr8Q336XjC60Yz9lcSKpLcGwKobzKT/EESCqjk=,tag:msBSYFGI4AR1mMpfmr5C4Q==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbnlHMEFMWUJnRCsxaUh6
-            ZkpRdEwzNkltamdHRzRpSEQ2RUxDTFkrYVhBCmdpNldvWkZDMVJnYU5QOC9hM0lP
-            ZjZBM3JkY1JTZFJEbTJzZS9iWnhHdEEKLS0tIHpDU3hLbjR6UUxNYmJNampGeERw
-            U1hwN1NEZ0tYdVdVOERFdnRLeTJFbVUKSDPmG16R4TC/uuE98iKZg8QL9qZEfBMZ
-            1TV0I66HmrkLX8l9TUkNkKhDdcUO/LCH9vBtgxBCWEM8M1G/mYYnyw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2VZa3lFSVp2dXNUSE1x
-            aWpIcmMrYk14OElDd1EvRGFybWRJVU1aRUgwCjZ5YmRjNnowa0UwVEdvNmE0anBB
-            UUpRRXVsTHQrOTdYVlYvYVpzNzJiQ0UKLS0tIGdHUjR4akwrUHd6N3FFMmV2VDBG
-            S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU
-            dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-06-25T18:25:59Z"
-    mac: ENC[AES256_GCM,data:MCvfrJ+xA5SyY+PJBFN1SxbAhKYxk18wMUIb1Kg48rUzIyAlN+/TF24msjgae64xvYiKEIIWGtv4kbocghHVM/2JkLa3ddhv73XpoQtn/iswS5a3Bw1eg4uwzDRwX8WQAQN0/JJHIJYbHI5tL+zDwg2R9gi+upadOPq6h540b90=,iv:WaHzOtRRaqBvWd8LyBinpiXQkHxEUES+BCtR75uYCy8=,tag:P8t5LDwMBvurBM3Ktt/M2A==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3