
feat: setup agenix for secrets (#19)

authored by tghanken.tngl.sh and committed by GitHub a460fa7d 3d69da78

+105 -27
+4
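--- a/common/common.nix
+++ b/common/common.nix
@@ -37,6 +37,10 @@
       "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
     ];
   };
+  # Secrets
+  age.secrets = {
+    tailscale_key.file = ../secrets/tailscale_key.age;
+  };
   programs.nh = {
     enable = true;
     clean.enable = true;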
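Review bot: `age.secrets.tailscale_key` is declared here in common.nix, which flake.nix imports for all three hosts, but `secrets/secrets.nix` encrypts `tailscale_key.age` only to the inwin-tower and nixos-thinkpad host keys, so activation on nixos-usb (which also receives `agenix.nixosModules.default` in this commit) cannot decrypt the secret and the tailscale script on that host will find no file at the path. Either add nixos-usb's host key to the recipients, or move this declaration into the configurations of the hosts that can actually decrypt it. A comment next to `tailscale_key.file` such as `# decrypted at activation with this host's /etc/ssh host key; recipients are listed in secrets/secrets.nix` would make that coupling visible to whoever adds the next host. The default agenix mode/owner (root-only) is fine only if the consuming tailscale service runs as root, which is not visible in this section.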
+4
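--- a/common/networking/networking.nix
+++ b/common/networking/networking.nix
@@ -6,4 +6,8 @@
 
   # Enable networking
   networking.networkmanager.enable = true;
+
+  services.openssh = {
+    enable = true;
+  };
 }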
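Review bot: `services.openssh.enable = true;` is added with no `settings`, so the NixOS module defaults apply, which (on 24.05, unless overridden elsewhere in the tree) leave `PasswordAuthentication` enabled and, via `openFirewall`, open port 22 on every interface. Since these hosts already get SSH over the tailnet through `tailscale up --ssh`, tighten the daemon: `settings.PasswordAuthentication = false;`, `settings.KbdInteractiveAuthentication = false;`, and consider `openFirewall = false;` so sshd is reachable only over Tailscale. If sshd is being enabled mainly so that the host key agenix decrypts with exists on every machine, say so in a comment, e.g. `# sshd also provides the /etc/ssh host key agenix uses to decrypt secrets`.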
+1 -7
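--- a/common/networking/tailscale.nix
+++ b/common/networking/tailscale.nix
@@ -7,12 +7,6 @@
 with lib; let
   cfg = config.services.tailscale;
 in {
-  options.services.tailscale = {
-    authKey = mkOption {
-      type = types.str;
-    };
-  };
-
   # make the tailscale command usable to users
   config.environment.systemPackages = [pkgs.tailscale];
 
@@ -43,7 +37,7 @@
       fi
 
       # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey ${cfg.authKey} --ssh
+      ${tailscale}/bin/tailscale up -authkey $(cat ${config.age.secrets."tailscale_key".path}) --ssh
     '';
   };
 }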
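Review bot: The new `tailscale up` line in the second hunk still hands the auth key to tailscale as a command-line argument via `$(cat …)`, so it is visible in `ps` and `/proc/*/cmdline` for the duration of the call, and if the decrypted file is missing on a host (one whose key is not among the recipients in secrets.nix) the empty, unquoted substitution makes `-authkey` consume `--ssh` as its value instead of failing cleanly. Prefer passing the path: `${tailscale}/bin/tailscale up --auth-key=file:${config.age.secrets.tailscale_key.path} --ssh` (the `file:` form exists in recent tailscale releases — confirm against the packaged version), or drop the custom script in favour of nixpkgs' `services.tailscale.authKeyFile` with `extraUpFlags = ["--ssh"];`. Separately, the three plaintext `tskey-auth-…` values this commit deletes from the machine configs remain in git history, so they should be revoked in the Tailscale admin console and `tailscale_key.age` should hold a freshly generated key rather than one of them. With the option block removed in the first hunk, `cfg` is now unused and can go. The script and the systemd service wrapping it begin outside the hunks.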
+47 -16
flake.lock
··· 1 1 { 2 2 "nodes": { 3 + "agenix": { 4 + "inputs": { 5 + "darwin": [], 6 + "home-manager": [ 7 + "home-manager" 8 + ], 9 + "nixpkgs": [ 10 + "nixpkgs" 11 + ], 12 + "systems": [ 13 + "nix-systems" 14 + ] 15 + }, 16 + "locked": { 17 + "lastModified": 1723293904, 18 + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", 19 + "owner": "ryantm", 20 + "repo": "agenix", 21 + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", 22 + "type": "github" 23 + }, 24 + "original": { 25 + "owner": "ryantm", 26 + "repo": "agenix", 27 + "type": "github" 28 + } 29 + }, 3 30 "disko": { 4 31 "inputs": { 5 32 "nixpkgs": [ ··· 57 84 }, 58 85 "flake-utils": { 59 86 "inputs": { 60 - "systems": "systems" 87 + "systems": [ 88 + "nix-systems" 89 + ] 61 90 }, 62 91 "locked": { 63 92 "lastModified": 1726560853, ··· 120 149 "type": "github" 121 150 } 122 151 }, 152 + "nix-systems": { 153 + "locked": { 154 + "lastModified": 1681028828, 155 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 156 + "owner": "nix-systems", 157 + "repo": "default", 158 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 159 + "type": "github" 160 + }, 161 + "original": { 162 + "owner": "nix-systems", 163 + "repo": "default", 164 + "type": "github" 165 + } 166 + }, 123 167 "nixpkgs": { 124 168 "locked": { 125 169 "lastModified": 1725001927, ··· 138 182 }, 139 183 "root": { 140 184 "inputs": { 185 + "agenix": "agenix", 141 186 "disko": "disko", 142 187 "flake-compat": "flake-compat", 143 188 "flake-parts": "flake-parts", 144 189 "flake-utils": "flake-utils", 145 190 "home-manager": "home-manager", 146 191 "nix-serve-ng": "nix-serve-ng", 192 + "nix-systems": "nix-systems", 147 193 "nixpkgs": "nixpkgs" 148 - } 149 - }, 150 - "systems": { 151 - "locked": { 152 - "lastModified": 1681028828, 153 - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 154 - "owner": "nix-systems", 155 - "repo": "default", 156 - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 157 - "type": 
"github" 158 - }, 159 - "original": { 160 - "owner": "nix-systems", 161 - "repo": "default", 162 - "type": "github" 163 194 } 164 195 } 165 196 },
+31
flake.nix
··· 8 8 url = "github:nix-community/home-manager/release-24.05"; 9 9 inputs.nixpkgs.follows = "nixpkgs"; 10 10 }; 11 + agenix = { 12 + url = "github:ryantm/agenix"; 13 + # TODO: Enable once darwin is setup 14 + inputs.darwin.follows = ""; 15 + inputs.home-manager.follows = "home-manager"; 16 + inputs.nixpkgs.follows = "nixpkgs"; 17 + inputs.systems.follows = "nix-systems"; 18 + }; 11 19 disko = { 12 20 url = "github:nix-community/disko"; 13 21 inputs.nixpkgs.follows = "nixpkgs"; ··· 24 32 }; 25 33 flake-utils = { 26 34 url = "github:numtide/flake-utils"; 35 + inputs.systems.follows = "nix-systems"; 27 36 }; 28 37 flake-compat = { 29 38 url = "github:edolstra/flake-compat"; 30 39 }; 40 + nix-systems = { 41 + url = "github:nix-systems/default"; 42 + }; 31 43 }; 32 44 33 45 outputs = inputs @ { 34 46 nixpkgs, 35 47 home-manager, 48 + agenix, 36 49 disko, 37 50 flake-parts, 38 51 nix-serve-ng, ··· 57 70 ./machines/inwin-tower/configuration.nix 58 71 ./common/common.nix 59 72 73 + agenix.nixosModules.default 74 + { 75 + # TODO: Split this into a flake-part module 76 + environment.systemPackages = [agenix.packages."x86_64-linux".default]; 77 + } 78 + 60 79 # make home-manager as a module of nixos 61 80 # so that home-manager configuration will be deployed automatically when executing `nixos-rebuild switch` 62 81 home-manager.nixosModules.home-manager ··· 89 108 ./machines/nixos-thinkpad/configuration.nix 90 109 ./common/common.nix 91 110 111 + agenix.nixosModules.default 112 + { 113 + # TODO: Split this into a flake-part module 114 + environment.systemPackages = [agenix.packages."x86_64-linux".default]; 115 + } 116 + 92 117 # make home-manager as a module of nixos 93 118 # so that home-manager configuration will be deployed automatically when executing `nixos-rebuild switch` 94 119 home-manager.nixosModules.home-manager ··· 118 143 modules = [ 119 144 ./machines/nixos-usb/configuration.nix 120 145 ./common/common.nix 146 + 147 + agenix.nixosModules.default 148 + { 149 + 
# TODO: Split this into a flake-part module 150 + environment.systemPackages = [agenix.packages."x86_64-linux".default]; 151 + } 121 152 122 153 # make home-manager as a module of nixos 123 154 # so that home-manager configuration will be deployed automatically when executing `nixos-rebuild switch`
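Review bot: The `agenix` input is declared as `github:ryantm/agenix` with no ref, so although flake.lock pins a revision today, every `nix flake update` will pull whatever is on the default branch of the tool that decrypts all of this repo's secrets; pinning a release tag (`url = "github:ryantm/agenix/<tag>";`) keeps that supply-chain movement deliberate rather than incidental. The same three-line module (`agenix.nixosModules.default` plus the `environment.systemPackages` entry hard-coding `"x86_64-linux"`) is pasted into all three `nixosConfigurations`; the TODO acknowledges it, but a single let-bound `agenixModules` list reused in each `modules` attribute would remove the copies now and avoid drift when the darwin follows is enabled. The `nixosConfigurations` attrset these hunks edit starts and ends outside the section.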
-1
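--- a/machines/inwin-tower/configuration.nix
+++ b/machines/inwin-tower/configuration.nix
@@ -20,7 +20,6 @@
   networking.hostName = "inwin-tower"; # Define your hostname.
   networking.hostId = "89cc1717"; # Generate using `head -c 8 /etc/machine-id`
 
-  services.tailscale.authKey = "tskey-auth-kfMxvmtDkb11CNTRL-zCvVcCMqVt8vAWaYU9qPw8nKJ4wtAn5nE";
   boot.binfmt.emulatedSystems = ["aarch64-linux"];
 
   boot.loader.efi.canTouchEfiVariables = lib.mkForce false;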
-1
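--- a/machines/nixos-thinkpad/configuration.nix
+++ b/machines/nixos-thinkpad/configuration.nix
@@ -19,7 +19,6 @@
   networking.hostName = "nixos-thinkpad"; # Define your hostname.
   networking.hostId = "a0d787a6"; # Generate using `head -c 8 /etc/machine-id`
 
-  services.tailscale.authKey = "tskey-auth-knJSHocuQn11CNTRL-kyer5oNq6ADApVLAVhijCDgEiFYP64nm";
   boot.binfmt.emulatedSystems = ["aarch64-linux"];
 
   boot.zfs.devNodes = "/dev/disk/by-label";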
-2
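--- a/machines/nixos-usb/configuration.nix
+++ b/machines/nixos-usb/configuration.nix
@@ -14,8 +14,6 @@
   ];
   networking.hostName = "nixos-usb"; # Define your hostname.
 
-  services.tailscale.authKey = "tskey-auth-kUpUwT8ne921CNTRL-xHFfTssLnnZgddFsUiLgqZLxKVSoErMFc";
-
   # Overrides for graphical base
   boot.loader.grub.enable = lib.mkForce false;
   networking.wireless.enable = lib.mkForce false;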
+18
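--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,18 @@
+let
+  # Add user keys from ~/.ssh
+  inwin-tower-tghanken = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICh921bOnrGEySjw/eRrUAj1UbV2sf1YIcm5X74r6gTh";
+  nixos-thinkpad-tghanken = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHrxGPx3dgap4sUwWyHbQsMJiv9tSNG05BEMNkNLDZF";
+  tghanken = [inwin-tower-tghanken nixos-thinkpad-tghanken];
+
+  users = tghanken;
+
+  # Add machine keys from /etc/ssh
+  inwin-tower = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/iE8w8saXDau1F/BQ5IktJPQO3MhRT1+1e5UsQt/n0";
+  nixos-thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEiccufbIo8bYbn5n7PpR1IAFmup53P6nn8IyYfkJfd0";
+
+  machines = [inwin-tower nixos-thinkpad];
+
+  all = users ++ machines;
+in {
+  "tailscale_key.age".publicKeys = all;
+}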
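Review bot: A single `tailscale_key.age` encrypted to `all` replaces the previous one-distinct-key-per-machine layout with one shared Tailscale auth key for every host: compromise of any one host, or of either user key, exposes the key for all of them, and revoking it in the Tailscale console takes every host off the tailnet at once. Consider one secret per host, e.g. `"tailscale_key_inwin-tower.age".publicKeys = users ++ [inwin-tower];`, so each key can be rotated individually and a host only ever decrypts its own. The comments should also state what the user keys are for, since they can decrypt everything and are what re-keying uses when a recipient changes, e.g. `# user keys: can decrypt every secret; used to re-key (agenix -r) when hosts are added`.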
secrets/tailscale_key.age
