From efbf9c87e9569c6e81489268178155d0feaf5bcd Mon Sep 17 00:00:00 2001
From: James Eversole
Date: Sun, 25 Jun 2023 20:49:00 -0500
Subject: [PATCH] Replace sops-nix with agenix; nix flake update

---
 .sops.yaml | 9 -----
 flake.lock | 90 +++++++++++++++++++++++++----------------
 flake.nix | 32 ++++++++++-------
 secrets.nix | 7 ++++
 secrets/keys.age | 10 ++++++
 secrets/keys.yaml | 30 ----------------
 6 files changed, 84 insertions(+), 94 deletions(-)
 delete mode 100644 .sops.yaml
 create mode 100644 secrets.nix
 create mode 100644 secrets/keys.age
 delete mode 100644 secrets/keys.yaml
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index f33e88d..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-keys:
- - &james age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
- - &matricx_server age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
-creation_rules:
- - path_regex: secrets/[^/]+\.yaml$
- key_groups:
- - age:
- - *james
- - *matricx_server
diff --git a/flake.lock b/flake.lock
index 37bc75f..55e6fdf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,55 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": [],
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1684153753,
+ "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682203081,
+ "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
- "lastModified": 1685931219,
- "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=",
+ "lastModified": 1687502512,
+ "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7409480d5c8584a1a83c422530419efe4afb0d19",
+ "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
 "type": "github"
 },
 "original": {
@@ -15,47 +58,10 @@
 "type": "indirect"
 }
 },
- "nixpkgs-stable": {
- "locked": {
- "lastModified": 1685758009,
- "narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "release-22.11",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
- "nixpkgs": "nixpkgs",
- "sops": "sops"
- }
- },
- "sops": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ],
- "nixpkgs-stable": "nixpkgs-stable"
- },
- "locked": {
- "lastModified": 1685848844,
- "narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
+ "agenix": "agenix",
+ "nixpkgs": "nixpkgs"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index b3a85e3..fbee5a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,14 @@
 {
 inputs = {
 nixpkgs.url = "nixpkgs/nixos-unstable";
- sops = {
- url = "github:Mic92/sops-nix";
+ agenix = {
+ url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
+ inputs.darwin.follows = "";
 };
 };
 
- outputs = { self, nixpkgs, sops, ... }@attrs:
+ outputs = { self, nixpkgs, agenix, ... }@attrs:
 let
 containerDef = import ./containers.nix;
 serviceContainers = containerDef.containers;
@@ -32,7 +36,7 @@
 modules = [
 ({ modulesPath, ... }: {
- imports = [ sops.nixosModules.sops ./hardware-configuration.nix ];
+ imports = [ agenix.nixosModules.default ./hardware-configuration.nix ];
 nix = {
 buildMachines = [ ];
@@ -103,13 +107,15 @@
 };
- sops = {
- age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
- defaultSopsFile = ./secrets/keys.yaml;
- secrets = {
- hostname = { };
- };
- };
+ age.secrets.keys.file = ./secrets/keys.age;
+
+ #sops = {
+ # age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
+ # defaultSopsFile = ./secrets/keys.yaml;
+ # secrets = {
+ # hostname = { };
+ # };
+ #};
 system.stateVersion = "22.11";
 })
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..7a5968f
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,7 @@
+let
+ james = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7R6FstqVDjVuyKGEUmWolYJ/I/DDxYOQV/zKPkiAth james@eversole.co";
+ eve-psr-nix0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp root@matri.cx";
+in
+{
+ "secrets/keys.age".publicKeys = [ james eve-psr-nix0 ];
+}
diff --git a/secrets/keys.age b/secrets/keys.age
new file mode 100644
index 0000000..c6da52f
--- /dev/null
+++ b/secrets/keys.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 dQ70Fw rk720Z4FcevWzCpHH93B8V13n9Kxj7U6Bt7Cf9anwzY
+SNURWmXdudWxXYu54Kn2Eoy8s/D9KQHnN+caav31jhI
+-> ssh-ed25519 ZIoeGg Bc0ZDRs7FsQ4lzs6blBYow1QtXTNf11+h9AWhoOzTDE
+rmy5FddgsiyMwJ1Rzkh8byCTlTAmPkaEL0SeosW5rks
+-> g-grease 6FX";W
+IsxmKBHS8FjxEywbUIjQvQXHY8xBGIS7zgflLB81hTkh7+jEbiTiuvAJKuNVflCL
+dlcfala3VL/wbLkT5xxCZMY+5hZyukBYqg
+--- FyIxswg/cWqWgWTrPv9jORQT15rF5h6dCbcyekBMTt0
+Mžî‡Ïž9<§!{A»‘™u¤ªNk£¿@ö×­K6çï@9ÀÛÓ‡h­]-Ñœ0å*údüÖ¡Ž
\ No newline at end of file
diff --git a/secrets/keys.yaml b/secrets/keys.yaml
deleted file mode 100644
index e1e6a8a..0000000
--- a/secrets/keys.yaml
+++ /dev/null
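Review bot: The replaced `sops = { ... };` block is carried along as a commented-out copy directly under the new `age.secrets.keys.file = ./secrets/keys.age;` line in the `@@ -103,13 +107,15 @@` hunk; those seven `#` lines should be deleted rather than kept, since git history already holds the previous version and a dead copy will silently diverge from what is actually deployed. The removed block also named the decryption identity explicitly via `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, while nothing in the added lines says which key agenix should use; agenix takes this from `age.identityPaths`, which as far as I recall only defaults to the OpenSSH host keys when `services.openssh` is enabled, so I would add `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` next to the secret declaration to keep that dependency visible and the failure mode obvious. Note as well that the old configuration exposed a secret named `hostname` whereas the new one exposes a single secret named `keys`, so any reference to `config.sops.secrets.hostname.path` elsewhere in the configuration will no longer resolve; the enclosing module body starts before this hunk.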
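Review bot: The new `secrets.nix` gives no indication of who its two recipients are or how the file is maintained, and because every key listed in `"secrets/keys.age".publicKeys` can decrypt that secret the file deserves a short header comment. I'd add `# Recipients of secrets/keys.age: james's user key and the SSH host key of eve-psr-nix0 (root@matri.cx). Run agenix --rekey after changing this list so the file is re-encrypted to the new recipient set.` — the second key is presumably the host's ed25519 key given the `root@matri.cx` comment and the `/etc/ssh/ssh_host_ed25519_key` path the old sops block used, so confirm that before committing the wording. Only public keys are committed here, which is correct; the matching host private key on the target is what performs decryption at activation, so replacing that host key also means re-keying the secret.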
@@ -1,30 +0,0 @@ -hostname: ENC[AES256_GCM,data:cFZxNM65KwVZ7ngg,iv:iqm5Hbr8Q336XjC60Yz9lcSKpLcGwKobzKT/EESCqjk=,tag:msBSYFGI4AR1mMpfmr5C4Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbnlHMEFMWUJnRCsxaUh6 - ZkpRdEwzNkltamdHRzRpSEQ2RUxDTFkrYVhBCmdpNldvWkZDMVJnYU5QOC9hM0lP - ZjZBM3JkY1JTZFJEbTJzZS9iWnhHdEEKLS0tIHpDU3hLbjR6UUxNYmJNampGeERw - U1hwN1NEZ0tYdVdVOERFdnRLeTJFbVUKSDPmG16R4TC/uuE98iKZg8QL9qZEfBMZ - 1TV0I66HmrkLX8l9TUkNkKhDdcUO/LCH9vBtgxBCWEM8M1G/mYYnyw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2VZa3lFSVp2dXNUSE1x - aWpIcmMrYk14OElDd1EvRGFybWRJVU1aRUgwCjZ5YmRjNnowa0UwVEdvNmE0anBB - UUpRRXVsTHQrOTdYVlYvYVpzNzJiQ0UKLS0tIGdHUjR4akwrUHd6N3FFMmV2VDBG - S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU - dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-25T18:25:59Z" - mac: ENC[AES256_GCM,data:MCvfrJ+xA5SyY+PJBFN1SxbAhKYxk18wMUIb1Kg48rUzIyAlN+/TF24msjgae64xvYiKEIIWGtv4kbocghHVM/2JkLa3ddhv73XpoQtn/iswS5a3Bw1eg4uwzDRwX8WQAQN0/JJHIJYbHI5tL+zDwg2R9gi+upadOPq6h540b90=,iv:WaHzOtRRaqBvWd8LyBinpiXQkHxEUES+BCtR75uYCy8=,tag:P8t5LDwMBvurBM3Ktt/M2A==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3