James/eve-psr-nix0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replace sops-nix with agenix; nix flake update

Browse Source
This commit is contained in:
James Eversole 2023-06-25 20:49:00 -05:00
parent 4ed6c07680
commit efbf9c87e9
6 changed files with 84 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.sops.yaml
View File

@ -1,9 +0,0 @@
keys:
- &james age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
- &matricx_server age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *james
- *matricx_server

90
flake.lock generated
View File

@ -1,12 +1,55 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1684153753,
"narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
"owner": "ryantm",
"repo": "agenix",
"rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682203081,
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1685931219, "lastModified": 1687502512,
"narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=", "narHash": "sha256-dBL/01TayOSZYxtY4cMXuNCBk8UMLoqRZA+94xiFpJA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7409480d5c8584a1a83c422530419efe4afb0d19", "rev": "3ae20aa58a6c0d1ca95c9b11f59a2d12eebc511f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -15,47 +58,10 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1685758009,
"narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs", "agenix": "agenix",
"sops": "sops" "nixpkgs": "nixpkgs"
}
},
"sops": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1685848844,
"narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
} }
}, },

32
flake.nix
View File

@ -1,13 +1,14 @@
{ {
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable"; nixpkgs.url = "nixpkgs/nixos-unstable";
sops = { agenix = {
url = "github:Mic92/sops-nix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.darwin.follows = "";
}; };
}; };
outputs = { self, nixpkgs, sops, ... }@attrs: outputs = { self, nixpkgs, agenix, ... }@attrs:
let let
containerDef = import ./containers.nix; containerDef = import ./containers.nix;
serviceContainers = containerDef.containers; serviceContainers = containerDef.containers;
@ -16,8 +17,11 @@
system = "x86_64-linux"; system = "x86_64-linux";
in { in {
devShell.x86_64-linux = pkgs.mkShell { devShell.x86_64-linux = pkgs.mkShell {
buildInputs = buildInputs = [
[ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ]; agenix.packages.x86_64-linux.default
(pkgs.nixos { }).nixos-rebuild
pkgs.terraform
];
shellHook = '' shellHook = ''
alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0" alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
''; '';
@ -32,7 +36,7 @@
modules = [ modules = [
({ modulesPath, ... }: { ({ modulesPath, ... }: {
imports = [ sops.nixosModules.sops ./hardware-configuration.nix ]; imports = [ agenix.nixosModules.default ./hardware-configuration.nix ];
nix = { nix = {
buildMachines = [ ]; buildMachines = [ ];
@ -103,13 +107,15 @@
}; };
sops = { age.secrets.keys.file = ./secrets/keys.age;
age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
defaultSopsFile = ./secrets/keys.yaml; #sops = {
secrets = { # age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
hostname = { }; # defaultSopsFile = ./secrets/keys.yaml;
}; # secrets = {
}; # hostname = { };
# };
#};
system.stateVersion = "22.11"; system.stateVersion = "22.11";
}) })

7
secrets.nix Normal file
View File

@ -0,0 +1,7 @@
let
james = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7R6FstqVDjVuyKGEUmWolYJ/I/DDxYOQV/zKPkiAth james@eversole.co";
eve-psr-nix0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp root@matri.cx";
in
{
"secrets/keys.age".publicKeys = [ james eve-psr-nix0 ];
}

10
secrets/keys.age Normal file
View File

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 dQ70Fw rk720Z4FcevWzCpHH93B8V13n9Kxj7U6Bt7Cf9anwzY
SNURWmXdudWxXYu54Kn2Eoy8s/D9KQHnN+caav31jhI
-> ssh-ed25519 ZIoeGg Bc0ZDRs7FsQ4lzs6blBYow1QtXTNf11+h9AWhoOzTDE
rmy5FddgsiyMwJ1Rzkh8byCTlTAmPkaEL0SeosW5rks
-> g-grease 6FX";W
IsxmKBHS8FjxEywbUIjQvQXHY8xBGIS7zgflLB81hTkh7+jEbiTiuvAJKuNVflCL
dlcfala3VL/wbLkT5xxCZMY+5hZyukBYqg
--- FyIxswg/cWqWgWTrPv9jORQT15rF5h6dCbcyekBMTt0
Mžî‡Ïž9<§!{A»™u¤ªNk£¿@ö×­K6çï@9ÀÛÓ‡h­]-Ñœ0å*údüÖ¡Ž

30
secrets/keys.yaml
View File

@ -1,30 +0,0 @@
hostname: ENC[AES256_GCM,data:cFZxNM65KwVZ7ngg,iv:iqm5Hbr8Q336XjC60Yz9lcSKpLcGwKobzKT/EESCqjk=,tag:msBSYFGI4AR1mMpfmr5C4Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbnlHMEFMWUJnRCsxaUh6
ZkpRdEwzNkltamdHRzRpSEQ2RUxDTFkrYVhBCmdpNldvWkZDMVJnYU5QOC9hM0lP
ZjZBM3JkY1JTZFJEbTJzZS9iWnhHdEEKLS0tIHpDU3hLbjR6UUxNYmJNampGeERw
U1hwN1NEZ0tYdVdVOERFdnRLeTJFbVUKSDPmG16R4TC/uuE98iKZg8QL9qZEfBMZ
1TV0I66HmrkLX8l9TUkNkKhDdcUO/LCH9vBtgxBCWEM8M1G/mYYnyw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2VZa3lFSVp2dXNUSE1x
aWpIcmMrYk14OElDd1EvRGFybWRJVU1aRUgwCjZ5YmRjNnowa0UwVEdvNmE0anBB
UUpRRXVsTHQrOTdYVlYvYVpzNzJiQ0UKLS0tIGdHUjR4akwrUHd6N3FFMmV2VDBG
S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU
dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-25T18:25:59Z"
mac: ENC[AES256_GCM,data:MCvfrJ+xA5SyY+PJBFN1SxbAhKYxk18wMUIb1Kg48rUzIyAlN+/TF24msjgae64xvYiKEIIWGtv4kbocghHVM/2JkLa3ddhv73XpoQtn/iswS5a3Bw1eg4uwzDRwX8WQAQN0/JJHIJYbHI5tL+zDwg2R9gi+upadOPq6h540b90=,iv:WaHzOtRRaqBvWd8LyBinpiXQkHxEUES+BCtR75uYCy8=,tag:P8t5LDwMBvurBM3Ktt/M2A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3