diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 3740488..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-keys:
- - &london_system age1ea4egj69ghxwyw9lyjfdp24qyvqj9ha5gcu36lqfp3d5yg6nmpgqm7w96m
- - &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7
- - &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
- - &fuyuki_system age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm
- - &okeanos_system age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32
- - &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
-
-creation_rules:
- # London
- - path_regex: configurations/london/secrets/secrets.yaml$
- key_groups:
- - age:
- - *london_system
- pgp:
- - *pgp_dala
-
- - path_regex: configurations/london/secrets/users/dala.yaml$
- key_groups:
- - age:
- - *london_dala
- pgp:
- - *pgp_dala
-
- # Camelot
- - path_regex: configurations/camelot/secrets/secrets.yaml$
- key_groups:
- - age:
- - *camelot_system
- pgp:
- - *pgp_dala
-
- # Fuyuki
- - path_regex: configurations/fuyuki/secrets/secrets.yaml$
- key_groups:
- - age:
- - *fuyuki_system
- pgp:
- - *pgp_dala
-
- # Okenaos
- - path_regex: configurations/okeanos/secrets/secrets.yaml$
- key_groups:
- - age:
- - *okeanos_system
- pgp:
- - *pgp_dala
diff --git a/README.md b/README.md
index 07c35d7..71b652b 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ This repo contains the NixOS configuration (each package and their configuration
 It uses:
 - [colmena](https://github.com/zhaofengli/colmena) as deployment system.
-- [sops-nix](https://github.com/Mic92/sops-nix) combined with [age](https://github.com/FiloSottile/age) keys to store secrets.
+- [agenix](https://github.com/ryantm/agenix) for secrets management.
 - [home-manager](https://github.com/nix-community/home-manager) for user-specific configuration on workstation.
 - [lanzaboote](https://github.com/nix-community/lanzaboote) to manager and sign configurations for SecureBoot on my amd64 machines.
 - [lix](https://lix.systems) as a replacement for the Nix package manager.
diff --git a/configurations/camelot/default.nix b/configurations/camelot/default.nix
index 98e4916..c4b6e69 100644
--- a/configurations/camelot/default.nix
+++ b/configurations/camelot/default.nix
@@ -31,22 +31,20 @@
 ];
 # System secrets
- sops = {
- gnupg.sshKeyPaths = [ ];
- age = {
- sshKeyPaths = [ ];
- keyFile = "/var/lib/sops-nix/key.txt";
+ age.secrets = {
+ wg0Private.file = ../../secrets/camelot-wg0.age;
+ wg1Private.file = ../../secrets/camelot-wg1.age;
+
+ nextcloudAdminPassword = {
+ file = ../../secrets/nextcloud-admin.age;
+ owner = config.users.users.nextcloud.name;
+ group = config.users.users.nextcloud.group;
 };
- defaultSopsFile = ./secrets/secrets.yaml;
- secrets = {
- wg0_private = { };
- wg1_private = { };
- nextcloud_admin_pw = {
- owner = config.users.users.nextcloud.name;
- };
- gotosocial_env = {
- owner = config.users.users.gotosocial.name;
- };
+
+ gtsEnv = {
+ file = ../../secrets/gts-env.age;
+ owner = config.users.users.gotosocial.name;
+ group = config.users.users.gotosocial.group;
 };
 };
diff --git a/configurations/camelot/gotosocial.nix b/configurations/camelot/gotosocial.nix
index 2d41bd5..f39359f 100644
--- a/configurations/camelot/gotosocial.nix
+++ b/configurations/camelot/gotosocial.nix
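Review bot: The sops identity `/var/lib/sops-nix/key.txt` that this block stops referencing is neither removed from the hosts nor mentioned, and the deleted `secrets.yaml` ciphertexts stay in git history, so that key file (or the `pgp_dala` key) can still recover the old values. The new `.age` blobs do not reveal whether the WireGuard keys, the Nextcloud admin password and the gotosocial env were regenerated or merely re-wrapped; if the latter, the migration should end with shredding the old key file on each host and rotating those secrets, because old history and new files then protect the same plaintext. Setting `owner`/`group` per consumer is the right call; consider stating the remaining assumption once above the block, e.g. `# agenix decrypts these at activation (its default mode is 0400, not set here); owner/group hand each file to the service that reads it.`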
@@ -12,7 +12,7 @@ in
 enable = true;
 openFirewall = false;
 setupPostgresqlDB = true;
- environmentFile = config.sops.secrets.gotosocial_env.path;
+ environmentFile = config.age.secrets.gtsEnv.path;
 settings = {
 application-name = "Dala's personnal instance";
 landing-page-user = "dala";
diff --git a/configurations/camelot/nextcloud.nix b/configurations/camelot/nextcloud.nix
index 0c2f9d7..415912b 100644
--- a/configurations/camelot/nextcloud.nix
+++ b/configurations/camelot/nextcloud.nix
@@ -39,7 +39,7 @@
 dbtype = "pgsql";
 adminuser = "dala";
- adminpassFile = config.sops.secrets.nextcloud_admin_pw.path;
+ adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
 };
 caching = {
diff --git a/configurations/camelot/secrets/secrets.yaml b/configurations/camelot/secrets/secrets.yaml
deleted file mode 100644
index e11b7bd..0000000
--- a/configurations/camelot/secrets/secrets.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -wg0_private: ENC[AES256_GCM,data:nuHHAwi+l9BQ8oJupm+i47EbfFc62QZXDeATeE+23RAEq/grJ/bN6sTn/o4=,iv:hZQAvvcCe2DOTvM1mABB26PsEqw8jpQUNhGbBaK/l0I=,tag:9VMaJys4IzelbBdCDuiy0Q==,type:str] -wg1_private: ENC[AES256_GCM,data:tpetT5qyude2G1hRt4lPONhJMSSdHt6V92yY/NhgeZRQkZZg9WIdHAMI2JM=,iv:78Sn0Thki4LkHBM37x618Oc3FjztYoXEzMSoRQGmnFk=,tag:RV9cYT1A68gBrPpwS0npIg==,type:str] -nextcloud_admin_pw: ENC[AES256_GCM,data:MKD4sEOfpvd0GWcA/CHcbV5/uLI=,iv:4WJ0S9OvumWZu4i5EYkX+b3OCODKc7IkUzWsd1GtngA=,tag:phIRRR8dTFwCGwUps3P7tQ==,type:str] -gotosocial_env: ENC[AES256_GCM,data:rs48GFvnQs5qi+Omn0kIHuYtn/P9mLM5D/RAW6MQ7k4MX7aqEcgqrl50GObxDRnvMGQdS6KkJ1rL/a2DjfzP2SAghpvNNu7H82lKKFTfckE5I5PMzvwzSTviMM5kg6Min/glHKurI4ROZYZLb11myq4JsTtYm+8OQUTfLauj/ilr5BiprKDgUDO7Ubon+FMQF5n8bpHSP8bH8hK5+ihY6WeTRGhdGqr/gEqM,iv:69f1KEHVBKgzBH07LwWAkkUjlfqv+peQ/f2VIZYSHAk=,tag:tBkgrR8hQsDWHKwqelrNAA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa1NFWmk3TUdLMTF2RHVX - K2EvSDlNSFdDZ0dOMlNHOFErOGlBUGxrSjJNClV2NS9ZQVVxWTAycWJFeE9oc3Ux - NUxDS010azIxV1ZWR2dkdEtWUU1uTGMKLS0tIHA0cWg0ekNPSVdzVlFRMkZqb1VB - b00xT3ZHWTJBNFlUbTUrRjlVV0FoM1UKtfWg4R4Y28r2w8MYp1B1yhFEOBT8rEkz - P5qEP0p1i/zXlglaxxXTiQSuloG1Fwi2l5VGrhm6Hse07u3fEmS2VQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-02T21:36:00Z" - mac: ENC[AES256_GCM,data:HMChIWnGBT9Ge61OyF94BKDhoOc2xqWRy68/iUHl9h5lP15lK2C8WhpnZi4YEkWzpQA6ys7QiOGBc6ebH63sgXyPmGWwBh0Gxjk/K3ioqwKY3pRQYURpOK9D4FsA06G3I6Ml5Xo32EwoALMIZ0iWUzhuHdLVAmd21eozqEql6O4=,iv:/PnWIS2OVOzGqU7EFaSxi2abOaRYWbvhFvN7v+9Tx7k=,tag:Tnq5hU3hTCrt0UhroKYxLg==,type:str] - pgp: - - created_at: "2023-12-10T17:24:42Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4D0ZiEKlLM+TsSAQdAh6/VJpfjaEo02UPMjcuLmQpZoCbmJfCULS0c0e5rQRIw - N2jwiFXYCzT50cMS8QpVJqAyb/unMYFas+pJqXUB83hg/eBZ9BeCKcTz/jkH42xa - 
1GYBCQIQbx5GjfFH7IuGyi9XtFE93UmwLVGLcD2J2uM7iDRR+cuFfiPXHHvP4eNA - Q3eRDwZWQQznDfcBfzMo6bF2IvmVBGC8cPzFNYjkVJGX0gP564DWJm4+ByZthhwW - UfQcyCKBYEI= - =zjUa - -----END PGP MESSAGE----- - fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/configurations/camelot/wireguard.nix b/configurations/camelot/wireguard.nix index fcf7375..9d34ca9 100644 --- a/configurations/camelot/wireguard.nix +++ b/configurations/camelot/wireguard.nix @@ -1,6 +1,5 @@ { config, - pkgs, extraInfo, ... }: @@ -12,7 +11,7 @@ ips = [ "10.100.0.6/8" ]; listenPort = 51820; - privateKeyFile = config.sops.secrets.wg0_private.path; + privateKeyFile = config.age.secrets.wg0Private.path; peers = [ # Rock Pro 64 @@ -46,7 +45,7 @@ networking.wireguard.interfaces.wg1 = { ips = [ extraInfo.wireguard.VPNAddress ]; listenPort = 51821; - privateKeyFile = config.sops.secrets.wg1_private.path; + privateKeyFile = config.age.secrets.wg1Private.path; interfaceNamespace = "wg1ns"; preSetup = '' diff --git a/configurations/fuyuki/default.nix b/configurations/fuyuki/default.nix index 9f20c0d..526712e 100644 --- a/configurations/fuyuki/default.nix +++ b/configurations/fuyuki/default.nix @@ -16,14 +16,8 @@ console.keyMap = "us"; - sops = { - gnupg.sshKeyPaths = [ ]; - age = { - sshKeyPaths = [ ]; - keyFile = "/var/lib/sops-nix/key.txt"; - }; - defaultSopsFile = ./secrets/secrets.yaml; - secrets.wg0_private = { }; + age.secrets = { + wg0Private.file = ../../secrets/fuyuki-wg0.age; }; my.users = { diff --git a/configurations/fuyuki/secrets/secrets.yaml b/configurations/fuyuki/secrets/secrets.yaml deleted file mode 100644 index a14636a..0000000 --- a/configurations/fuyuki/secrets/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -wg0_private: ENC[AES256_GCM,data:+59MHO/LNuoqcJZYB05ukVPgRT+RJOsn4IL6Pk16OsSFp22Ikd/t5AIyY8E=,iv:tg7Gl+Ad2bGTYmpkPS4nuIRYX5j9rhB2oOY4JX8YYKo=,tag:Tp3SQkxDUg2X1HZrVAVs5g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWVQZ1ZmWlJyMTRGMmlr - TDRab1ZqWmx0cjNkb3YzQzF0NXlDK0tib2dZCkFXeXdhSTJDSnA3Nm4zNk50bDQr - RzdndkxxbkhHZldsb24wdmZXSGdMZ1UKLS0tIG14WnRPNG84YUJkUjFheE4zeHpS - Yi9zM01zUWx4ZUg0RmVIcDhWOFk1NDQKpmZvV9rmwF561rwb7fFjF8JoQ5Ofik+L - cMO7E1Df02f+Mxbg44Mz7nh5978ZAuEkxeAhP0rjjzxGyipWShWfjQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-26T18:29:32Z" - mac: ENC[AES256_GCM,data:XcpJnbtRxY8UbePnSVq2cBP8A2kekulMgFK7/tIJj63S6Ur72vx/Q9YoiSjwy1vhyhSnS3IBp9PSjEpiLF73Frxr4iQA9j42SvoXdS4h6Q6iQgnphGnKUbT8/GqQK/0cuyvqfBUH7y1BzsGcowvJBUmnWaMK2lJsx4O4/A5os+A=,iv:p+5aV2BMgOd3q/kdnNVZugEf5M5kY1r3kW7Db71cttE=,tag:1lyVYY2ykIW0tF0cab7Vxw==,type:str] - pgp: - - created_at: "2024-07-26T18:28:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4D0ZiEKlLM+TsSAQdAejTjnmBOyBz6qc0KMhjtJwyOZL/yQcI56OuDbdgp7R4w - MVMW5no+XnlskkMfESs9REov8T2MjfO6lqqrUj1Q1IIQaP/QlQ9DIS4ejt4nskE3 - 1GgBCQIQPs6lEe9b6Ih2LYt9PaTZ5SSpfNNLsjcfK7lE6EEE9fiEDhhW2CkVN5dq - NejQOIQOv6/0Q4wqbrNzNcqi9UtfXk5XLsqfhJSTuBMne+FaJmmV3ET4TwYt/RH5 - 8XGa13+6HDSHTg== - =F/Hd - -----END PGP MESSAGE----- - fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/configurations/fuyuki/wireguard.nix b/configurations/fuyuki/wireguard.nix index 0e29425..57ead18 100644 --- a/configurations/fuyuki/wireguard.nix +++ b/configurations/fuyuki/wireguard.nix 
@@ -3,7 +3,7 @@
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.100.0.3/24" ];
 listenPort = 51820;
- privateKeyFile = config.sops.secrets.wg0_private.path;
+ privateKeyFile = config.age.secrets.wg0Private.path;
 dns = [ "10.100.0.1" ];
diff --git a/configurations/london/default.nix b/configurations/london/default.nix
index 71d9e55..63539a9 100644
--- a/configurations/london/default.nix
+++ b/configurations/london/default.nix
@@ -20,15 +20,8 @@
 # Nix
 nixpkgs.config.allowUnfree = true;
- # System secrets
- sops = {
- gnupg.sshKeyPaths = [ ];
- age = {
- sshKeyPaths = [ ];
- keyFile = "/var/lib/sops-nix/key.txt";
- };
- defaultSopsFile = ./secrets/secrets.yaml;
- secrets.wg0_private = { };
+ age.secrets = {
+ wg0Private.file = ../../secrets/london-wg0.age;
 };
 # Wireguard
@@ -37,7 +30,7 @@
 dns = [ "10.100.0.1" ];
 listenPort = 51820;
- privateKeyFile = config.sops.secrets.wg0_private.path;
+ privateKeyFile = config.age.secrets.wg0Private.path;
 peers = [
 {
diff --git a/configurations/london/secrets/secrets.yaml b/configurations/london/secrets/secrets.yaml
deleted file mode 100644
index 1770609..0000000
--- a/configurations/london/secrets/secrets.yaml
+++ /dev/null
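Review bot: `age.secrets.wg0Private` is declared without `age.identityPaths`, so decryption relies on agenix's documented default of the host's `/etc/ssh/ssh_host_*_key` files; the new `london-wg0.age` is indeed addressed to an `ssh-ed25519` recipient, so this works, but it silently couples the WireGuard private key to the SSH host key, and regenerating that key (reinstall, `ssh-keygen -A`) breaks activation until the file is re-keyed. The removed sops block went out of its way to avoid exactly that coupling (`sshKeyPaths = [ ]` plus a dedicated `keyFile`). Either make the dependency explicit and narrow, `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with `# re-key secrets/*.age (agenix -r) whenever this host key changes`, or point `identityPaths` at a dedicated key as before. The same applies to the camelot, fuyuki and okeanos blocks in this commit.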
@@ -1,33 +0,0 @@ -wg0_private: ENC[AES256_GCM,data:nQCsWrjg9j8WGk9Ph2mCoe4pysGLTDH1DBtIi+iiT9+FOsTBb3K3wly4Nj4=,iv:Oki3CpsgZnrkuNLqmUn/w7ZcIU5L+x0T2dSUOF2iLGQ=,tag:0Hh/6bSXZzPcbdklq/hByg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ea4egj69ghxwyw9lyjfdp24qyvqj9ha5gcu36lqfp3d5yg6nmpgqm7w96m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZE8vS0ZMQTE0NFdHR1hQ - N1pFYTgrS0NRdmFKRUsrWlZOTDEzMmlBZFZvCm1zUVJFQTQ4NmU1dVc4THgrM21Q - VnFJUmZFdURVSTl0WnlHMWFLYTVJencKLS0tIFJqN3cwbTEra05WRTM5Z0pERCtC - WmJuZm5oVjVwVTliOThVaUJtOGFXSkEKAi/Q3IHdvtn9u3W/AoR6STeC3KQalm8G - Rz7idBAXHDtyN+UPBq1QQazoE0+l4+FGC442UUDf4/5FVm4OjL264w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-31T07:33:51Z" - mac: ENC[AES256_GCM,data:SDXAICCzGdN25PWQuqp9qMXoVAxc16WOcX34FIlFzfonCivhc73jTQ6O1i0vLDZsEvgxTydiJns9kz/SG1iZ8+bLMSE1ERpDDW/dV/vX1MIRsjC9v6FDi/FCuZ2YqvUpT+mMPDpELVQZWtGD4tl4awOyMntnbYnYFUcGV/+jZQQ=,iv:YlytWjuePftyT15E4sK3ZueyULNeLdsnp+uIdQP6vy4=,tag:qMdNsMFCy5MtJOGjgSdn0A==,type:str] - pgp: - - created_at: "2024-08-31T07:33:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4D0ZiEKlLM+TsSAQdAABFBh9/4DIYjwdMKnAYydump+IeUrBB8HLq9iPmmjwkw - hiFhI1zc0TYbht+oIuacq0e1iqTmCkCWqv42MXP1bP0sTQI5PTWWcUAjngWgClHK - 1GgBCQIQFfTg97RZ8osA2D4ndwp5291BcnAW9CbUrQ0tPAaNyz8yPehJM2xklspG - vJ0hN38TTn1ypQXqjphKGsR7giGNhyp8RXkdIlCBrmQCpPXbPPqTSzcod7MceHRr - aH+cjp8GidBRRw== - =zw46 - -----END PGP MESSAGE----- - fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/configurations/okeanos/default.nix b/configurations/okeanos/default.nix index 5ccf671..3118741 100644 --- a/configurations/okeanos/default.nix +++ b/configurations/okeanos/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ pkgs, ... }: { 
@@ -23,16 +23,8 @@
 };
 };
- sops = {
- gnupg.sshKeyPaths = [ ];
- age = {
- sshKeyPaths = [ ];
- keyFile = "/var/lib/sops-nix/key.txt";
- };
- defaultSopsFile = ./secrets/secrets.yaml;
- secrets = {
- wg0_private = { };
- };
+ age.secrets = {
+ wg0Private.file = ../../secrets/okeanos-wg0.age;
 };
 }
diff --git a/configurations/okeanos/secrets/secrets.yaml b/configurations/okeanos/secrets/secrets.yaml
deleted file mode 100644
index c3f02fc..0000000
--- a/configurations/okeanos/secrets/secrets.yaml
+++ /dev/null
@@ -1,33 +0,0 @@ -wg0_private: ENC[AES256_GCM,data:f+W43KoNREeBSTbmVK1Z+G5KAGhsKFQZYXR7/rAViNgEjobAUbaq03RYfZE=,iv:FjuEkb4xhXq1UqG+8USKpG59DbbPbfbzfyu02mvFR9g=,tag:izOWkkeyhE7FizxVOEvabQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUjRrVkZpTjJLa2JCbnJy - MEpBaFRFRzdIWENEMmZDbWNIbWxZRHk2NmgwCnZtVFpLejYvaUhjcFJGU0tHUnhu - ZEo1UDZ0VythdDZkYVpMMUlyL2dINkkKLS0tIHFUMUpWUlBqUjltdVg2bFo1N2FS - VWN1UnlDajAxbE1ySStHQmhDajVReGcKr9nNx6jVFjU1xEC8dw2yZlx3xHusSzPY - 5dOglp4QVfFm3WjLXrfiIa09dPnKCiRswy33tshfWCObwEvvuOFoTQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-30T11:25:30Z" - mac: ENC[AES256_GCM,data:aC/QmbhvtNepBYp2pstcxh1a458caCVBEV5dw04aZzqqflLOT4zzoyrDPBGd8PV2sqzoC0K23bpxz5LcvzwHmHAiLaewOfT++/+VZ7d+4G3oAkZsDW4S4Zat4IJDQE6Rf2SjbltMGMxALvKj4qZNzeFYZRMLd2vj7FsnXGSEhG0=,iv:DtyXx+bSzXMvXc/ucTn1VK/YBkXerj+s0RPimJPjMPs=,tag:Vu4mrMt3N1xMPDaBR1Lg4g==,type:str] - pgp: - - created_at: "2024-07-30T11:24:39Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4D0ZiEKlLM+TsSAQdAGrKWvgORZik4MmMVAlf4LVC7RuWCoJpwZJsXgCLDkQEw - vq1SJTftj2mSLPgJh1b1UkWIoScJIxh3Dw87XYe2sFQ5AvwoNI9932KfbETt3MB3 - 1GgBCQIQbrhFZNgQQoTpzLilPprVqpBEIiz2mfQiTUyCvmKhHVkKIykaxTtwH8dt - mwG0/dRryUyHLUtoQ1P/9danDRZfllHGXwEqo7BetVGuItLtaUoc59C8dRYB+zDv - gyG5IlOUShUhNg== - =fM1u - -----END PGP MESSAGE----- - fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/configurations/okeanos/wireguard.nix b/configurations/okeanos/wireguard.nix index db6a8b4..d26d8dd 100644 --- a/configurations/okeanos/wireguard.nix +++ b/configurations/okeanos/wireguard.nix @@ -12,7 +12,7 @@ address = [ "10.100.0.1/8" ]; listenPort = 51820; - privateKeyFile = config.sops.secrets.wg0_private.path; + privateKeyFile = config.age.secrets.wg0Private.path; peers = [ { 
diff --git a/flake.lock b/flake.lock index 33ab078..6f9fd48 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ @@ -34,6 +55,28 @@ "url": "https://git.dalaran.fr/dala/dalaran.fr/archive/main.tar.gz" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "extra-config": { "locked": { "lastModified": 1733060531, @@ -88,7 +131,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -106,7 +149,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -124,7 +167,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1726560853, 
@@ -178,6 +221,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs-unstable" @@ -203,7 +267,7 @@ "flake-compat": "flake-compat", "flake-parts": "flake-parts", "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" }, @@ -227,7 +291,7 @@ "flake-utils": "flake-utils_3", "flakey-profile": "flakey-profile", "lix": "lix_2", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1732605668, @@ -257,16 +321,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1717794163, - "narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -320,6 +384,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1717794163, + "narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1729070438, "narHash": "sha256-KOTTUfPkugH52avUvXGxvWy8ibKKj4genodIYUED+Kc=", @@ -364,15 +444,15 @@ }, "root": { "inputs": { + "agenix": "agenix", "dalaran-fr": "dalaran-fr", "extra-config": "extra-config", "flake-utils": "flake-utils", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "lanzaboote": "lanzaboote", "lix": "lix", "nixpkgs-stable": "nixpkgs-stable_2", - "nixpkgs-unstable": "nixpkgs-unstable", - "sops-nix": "sops-nix" + "nixpkgs-unstable": "nixpkgs-unstable" } }, "rust-overlay": { @@ -400,26 +480,6 @@ "type": "github" } }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, @@ -464,6 +524,21 @@ "repo": "default", "type": "github" } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index bbabea4..0c51d71 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,12 +13,7 @@
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
- # For sops-nix, we keep the unstable nixpkgs, as it shouldn't break anything.
- # This input is made to manage secrets on this repository.
- sops-nix = {
- url = "github:Mic92/sops-nix";
- inputs.nixpkgs.follows = "nixpkgs-unstable";
- };
+ agenix.url = "github:ryantm/agenix";
 # Use Lix instead of Nix
 lix.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
@@ -36,7 +31,7 @@
 nixpkgs-unstable,
 nixpkgs-stable,
 home-manager,
- sops-nix,
+ agenix,
 flake-utils,
 extra-config,
 lix,
@@ -68,12 +63,9 @@
 system.stateVersion = config.stateVersion;
 }
 ) machines;
- buildOptionnalSpecialArgsForMachine =
- config:
- {
- machineProps = config;
- }
- // (if config.enableHomeManager then { sopsHmModule = sops-nix.homeManagerModules.sops; } else { });
+ buildOptionnalSpecialArgsForMachine = config: {
+ machineProps = config;
+ };
 in
 {
 colmena = {
@@ -104,7 +96,7 @@
 { ... }:
 {
 imports = [
- sops-nix.nixosModules.sops
+ agenix.nixosModules.default
 my.modules
 ];
 };
@@ -138,7 +130,7 @@
 colmena
 nixfmt-rfc-style
 nil
- sops
+ agenix.packages.${system}.default
 ];
 };
 }
diff --git a/modules/workstation/default.nix b/modules/workstation/default.nix
index 02bae8b..76b9676 100644
--- a/modules/workstation/default.nix
+++ b/modules/workstation/default.nix
@@ -2,7 +2,6 @@
 config,
 pkgs,
 machineProps,
- sopsHmModule,
 ...
 }:
 {
@@ -31,7 +30,6 @@
 home-manager.useUserPackages = true;
 home-manager.sharedModules = [
 ./home-manager
- sopsHmModule
 ];
 home-manager.extraSpecialArgs = {
 keymap = config.console.keyMap;
diff --git a/secrets/camelot-wg0.age b/secrets/camelot-wg0.age
new file mode 100644
index 0000000..11208c6
--- /dev/null
+++ b/secrets/camelot-wg0.age
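Review bot: `agenix.url = "github:ryantm/agenix";` replaces a sops-nix input that pinned `inputs.nixpkgs.follows = "nixpkgs-unstable"`, and the new form has no `follows` at all, so the lock now carries agenix's own `nixpkgs` (`nixos-unstable`, lastModified 1703013332, i.e. late 2023) plus a second `home-manager` and a `darwin` input, and the `agenix.packages.${system}.default` added to the dev shell is built from that older tree. Pinning the transitive inputs keeps a single nixpkgs in the closure and drops the unused nix-darwin dependency; the rewritten input is below. Separately, the third hunk removes `sopsHmModule` from the per-machine special args without wiring in `agenix.homeManagerModules.default`; that is fine if no user-level secrets remain, but the deleted `.sops.yaml` still had a rule for `configurations/london/secrets/users/dala.yaml`, so confirm nothing under home-manager still expects a secret.
```nix
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
      inputs.home-manager.follows = "home-manager";
      inputs.darwin.follows = "";
    };
```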
@@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 1urzmQ QthE6va7QOa3TotoElF7lw9lklt/WudjJiuEVEh5mE8 +zvaMQzZ5D7wcDqps+20Km6pXlSXdC5QfKRrOc6M2fc8 +--- f0jLtwHZf8IWMRG6aQaXKU2hUvbFhNkj+EuMDMsqOHo +z*?.T悹>=TY.q\7d Rըjޡf>#0M +渼xDV \ No newline at end of file diff --git a/secrets/camelot-wg1.age b/secrets/camelot-wg1.age new file mode 100644 index 0000000..5f74d64 --- /dev/null +++ b/secrets/camelot-wg1.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 1urzmQ u6Xho2ZF6cQ3obQwFuYIhGCBPNxhPDTtYpLdnd05hW0 +uGC2qqRo7t5Tyy0nXVsvLa2gfXOFLOdrv4xZHZHehqg +--- U7qkawxldhLzGtCwTXGX90SQfTpEDPzTKmg/qmwGibE +?IL)m +ݥ~,) f~Q׶vlk7;sHga , &B}i \ No newline at end of file diff --git a/secrets/fuyuki-wg0.age b/secrets/fuyuki-wg0.age new file mode 100644 index 0000000..40ba4df --- /dev/null +++ b/secrets/fuyuki-wg0.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 BEMung w3V9FJbVq8i6hKQmaJPebuxASKjgrv3kbQMFoTnp3UM +DVDePl8yU0bzcI+OPfZr7ze2w6ZoJ9VtCfgzPCA6U6k +--- cwriaHYf/jbCHTYY8jBVGB7dsH1f4exGr89YIAaKt2s +`aؔ$Ez-x7f >+|g᧔ 0P@,H?RPu}AYIwWI \ No newline at end of file diff --git a/secrets/gts-env.age b/secrets/gts-env.age new file mode 100644 index 0000000..a914d27 Binary files /dev/null and b/secrets/gts-env.age differ diff --git a/secrets/london-wg0.age b/secrets/london-wg0.age new file mode 100644 index 0000000..3ce91b8 --- /dev/null +++ b/secrets/london-wg0.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 bPPSlQ voAyDlYMndTWZk80+6xQYeoIYzAa/kypg6v9voEOugY +zr7g75QDnu3PmULHGryMtSay9sUiV614mLXZFncNqHk +--- MBUtMmttC/UFM3Up+u5mET67REUsx+A0K9JpgH+Ht1U +'yl>K9 +$d~Z>Ĥź8^ywU7iǙWvz"a.T}9 \ No newline at end of file diff --git a/secrets/nextcloud-admin.age b/secrets/nextcloud-admin.age new file mode 100644 index 0000000..1006e26 --- /dev/null +++ b/secrets/nextcloud-admin.age 
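Review bot: Each of these `.age` files has exactly one recipient stanza, `-> ssh-ed25519 <tag>` (the same `1urzmQ` tag on camelot-wg0, camelot-wg1 and nextcloud-admin; `BEMung`, `bPPSlQ` and `wYGtoA` on the others), so only the target host's SSH key can open them. The `.sops.yaml` this commit deletes encrypted every file to the operator's PGP key as well; with a single host recipient the operator cannot `agenix -e` or `agenix -r` these files without the host's private key, and losing that key (reinstall, disk loss) makes the secret unrecoverable from the repo. Unless the `secrets.nix` recipient list (not visible in this diff) already includes an operator key and these blobs simply predate it, add the operator's age or ssh public key to every entry and re-run `agenix -r` so each file gains a second stanza. `gts-env.age` is shown as binary here, so the same check applies to it but cannot be confirmed from the diff.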
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 1urzmQ YHdUBNma4ZfV36fP9rJvqcHE7sEMM1zvKxvYK/bmExU +So+8X/NvzLo0z8DRJq86KsF1+LHvkgA0P+KoAxZ2igI +--- k50nE6+yjQfLmzfHTINtqgtmlNSfz8qdpA5Gw1LfB6g +xC#lmcUk,/[q'HZ{"tqPJz}dR $ \ No newline at end of file diff --git a/secrets/okeanos-wg0.age b/secrets/okeanos-wg0.age new file mode 100644 index 0000000..80d8c16 --- /dev/null +++ b/secrets/okeanos-wg0.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 wYGtoA 3Snoa8hj+D2tDbcZ+tW/PNxs780ssLlfZRXFNPzopTE +s7X+La4LSerexc1EEdiWz/ZPImPTtixXJ+FWTW+TTjg +--- azHMnyhbBw/3pwRwQNSUXvFnQCRSnMeX1CLWOyJ/t0s +vej5ضh[^X&u}0׸͂m!L