🚧 Start with secrets. somehow.

MathieuDR · Nov 30, 2024 · 70c4022 · 70c4022
1 parent f2c28ad
commit 70c4022
Show file tree

Hide file tree

Showing 9 changed files with 126 additions and 11 deletions.
diff --git a/.envrc b/.envrc
@@ -0,0 +1,2 @@
+source_up_if_exists
+use flake
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 result
 .pre-commit-config.yaml
+.direnv
diff --git a/configuration/nixos/security.nix b/configuration/nixos/security.nix
@@ -1,7 +1,19 @@
-{self, ...}: {
+{
+  pkgs,
+  self,
+  ...
+}: {
   # local caddy certificate
   security.pki.certificates = [
     # HPI Certificate
-    (builtins.readFile "${self}/secrets/hpi_ca.crt")
+    (builtins.readFile "${self}/data/secrets/hpi_ca.crt")
   ];
+
+  programs.gnupg = {
+    dirmngr.enable = true;
+    agent = {
+      enable = true;
+      pinentryPackage = pkgs.pinentry-curses;
+    };
+  };
 }
diff --git a/secrets/hpi_ca.crt → data/secrets/hpi_ca.crt b/secrets/hpi_ca.crt → data/secrets/hpi_ca.crt
diff --git a/data/secrets/secrets.nix b/data/secrets/secrets.nix
@@ -0,0 +1,10 @@
+let
+  anchor = "";
+  all_recipients = [anchor];
+in {
+  # network
+  "network/beeconnected.age".publicKeys = all_recipients;
+
+  # common
+  "common/gpg.age".publicKeys = all_recipients;
+}
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -6,6 +6,11 @@
     # global, so they can be `.follow`ed
     # systems.url = "github:nix-systems/default-linux";
 
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     home-manager = {
       url = "github:nix-community/home-manager";
@@ -43,7 +48,6 @@
       inputs.hyprland.follows = "hyprland";
     };
 
-    #Personal NIXVIM
     yvim = {
       url = "github:mathieudr/nixvim";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -65,6 +69,7 @@
       perSystem = {
         config,
         pkgs,
+        system,
         ...
       }: {
         devShells.default = pkgs.mkShell {
@@ -75,6 +80,7 @@
             pkgs.fzf
             pkgs.nodePackages.prettier
             (config.packages.repl)
+            (inputs.agenix.packages.${system}.default)
           ];
           name = "dots";
           DIRENV_LOG_FORMAT = "";

diff --git a/home-manager/default.nix b/home-manager/default.nix
@@ -16,6 +16,7 @@
       inherit extraSpecialArgs;
       modules = [
         self.homeManagerModules.default
+        inputs.agenix.homeManagerModules.default
         inputs.catppuccin.homeManagerModules.catppuccin
         config.home-manager.shared
         ./anchor

diff --git a/hosts/default.nix b/hosts/default.nix
@@ -16,6 +16,7 @@
           inherit inputs self hostname user;
         };
         modules = [
+          inputs.agenix.nixosModules.default
           self.nixosModules.default
           config.nixos.shared
           ./${hostname}