
chore: move secrets to blueprint module (#68)

authored by tghanken.tngl.sh and committed by GitHub 9e3bf677 9a06745f

Changed files
+19 -16
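--- a/nix/hosts/inwin-tower/configuration.nix
+++ b/nix/hosts/inwin-tower/configuration.nix
@@ -22,9 +22,10 @@
 flake.nixosModules.desktop
 flake.nixosModules.kernel
 flake.nixosModules.networking
-flake.nixosModules.secrets
 flake.nixosModules.sound
 flake.nixosModules.tailscale
+
+flake.modules.secrets.base
 
 flake.modules.desktop.jetbrains
 flake.modules.desktop.ollama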
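--- a/nix/hosts/nixos-thinkpad/configuration.nix
+++ b/nix/hosts/nixos-thinkpad/configuration.nix
@@ -24,9 +24,10 @@
 flake.nixosModules.desktop
 flake.nixosModules.kernel
 flake.nixosModules.networking
-flake.nixosModules.secrets
 flake.nixosModules.sound
 flake.nixosModules.tailscale
+
+flake.modules.secrets.base
 
 flake.modules.desktop.jetbrains
 flake.modules.desktop.steam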
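--- a/nix/modules/nixos/secrets.nix
+++ b/nix/modules/nixos/secrets.nix
@@ -1,5 +0,0 @@
-{
-imports = [
-../../../secrets/mod.nix
-];
-}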
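--- a/nix/modules/secrets/base.nix
+++ b/nix/modules/secrets/base.nix
@@ -0,0 +1,15 @@
+{inputs, ...}: let
+encrypted_path = ./secret_files/encrypted;
+in {
+imports = [
+inputs.agenix.nixosModules.default
+];
+
+config.age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+# Secrets
+config.age.secrets = {
+github_pat.file = encrypted_path + "/github_pat.age";
+nix_store_signing_key.file = encrypted_path + "/nix_store_signing_key.age";
+tailscale_key.file = encrypted_path + "/tailscale_key.age";
+};
+}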
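Review bot: The `.age` files now sit under `secret_files/encrypted/` (the `encrypted_path` binding on line 2), yet `secrets.nix` appears to be moved with no line changes, since the page's +19 -16 total is fully accounted for by the other files. If its rule names still use the old `keys/…` relative paths, `agenix -e` and `agenix --rekey` will presumably no longer find the files, which matters most when a host key has to be rotated; worth confirming the names now read `encrypted/…`. Separately, the hard-coded `config.age.identityPaths` deserves a comment such as `# age identity is the host's SSH ed25519 key; each importing host must be a recipient in secret_files/secrets.nix`. Because `secrets.base` declares all three secrets for every host that imports it, consider whether both hosts really need `nix_store_signing_key` and `github_pat`, or whether those belong in a narrower module.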
secrets/keys/github_pat.age nix/modules/secrets/secret_files/encrypted/github_pat.age
secrets/keys/nix_store_signing_key.age nix/modules/secrets/secret_files/encrypted/nix_store_signing_key.age
secrets/keys/tailscale_key.age nix/modules/secrets/secret_files/encrypted/tailscale_key.age
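--- a/secrets/mod.nix
+++ b/secrets/mod.nix
@@ -1,9 +0,0 @@
-{
-age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-# Secrets
-age.secrets = {
-github_pat.file = ./keys/github_pat.age;
-nix_store_signing_key.file = ./keys/nix_store_signing_key.age;
-tailscale_key.file = ./keys/tailscale_key.age;
-};
-}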
secrets/secrets.nix nix/modules/secrets/secret_files/secrets.nix