store password in config, managed with agenix

ToasterUwU · May 3, 2024 · 34f1a6a · 34f1a6a
1 parent 53310e1
commit 34f1a6a
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 4 deletions.
diff --git a/common/configuration.nix b/common/configuration.nix
@@ -1,4 +1,4 @@
-{ inputs, pkgs, ... }: {
+{ inputs, pkgs, config, ... }: {
   nixpkgs.overlays = [ inputs.envision.overlays.default ];
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -54,11 +54,16 @@
 
   environment.sessionVariables.NIXOS_OZONE_WL = "1"; # Electron Apps in Wayland
 
+  age.secrets."aki-password".file = ../secrets/common/aki-password.age;
+  age.secrets."scarlett-password".file = ../secrets/common/scarlett-password.age;
+
+  users.mutableUsers = false;
   users.users =
     {
       aki = {
         isNormalUser = true;
         description = "Aki";
+        hashedPasswordFile = config.age.secrets."aki-password".path;
         extraGroups = [ "networkmanager" "wheel" ];
         packages = with pkgs; [
           freecad
@@ -72,6 +77,7 @@
       scarlett = {
         isNormalUser = true;
         description = "Scarlett";
+        hashedPasswordFile = config.age.secrets."scarlett-password".path;
         packages = with pkgs; [
           brave
         ];

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -23,14 +23,21 @@
       url = "github:Scrumplex/pkgs";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.darwin.follows = "";
+      inputs.home-manager.follows = "home-manager";
+    };
   };
 
-  outputs = { nixpkgs, ... }@inputs: {
+  outputs = { nixpkgs, agenix, ... }@inputs: {
     nixosConfigurations.Barbara = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
 
       modules = [
         ./hosts/Barbara
+        agenix.nixosModules.default
       ];
 
       specialArgs = { inherit inputs; };
@@ -40,6 +47,7 @@
 
       modules = [
         ./hosts/Gertrude
+        agenix.nixosModules.default
       ];
 
       specialArgs = { inherit inputs; };

diff --git a/secrets.nix b/secrets.nix
@@ -0,0 +1,19 @@
+let
+  aki = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMV93pUyoE8y3oFfFrgPaaObAP7J9O7aChY1gIWKKTMS aki@Barbara"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAI3RboKHBPPLvDuHEkWHIj+/qZpsS4Ae80Hheoj8wK aki@Gertrude"
+  ];
+  scarlett = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrcpx3MX+MeCd/gBsBhnLH3DfaLwkPKWyIB0WgFu8Rm scarlett@Barbara"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBjBHIPZLCX+F6Crm/B9m09YTOUZJzMdH69zgCbqsZR scarlett@Gertrude"
+  ];
+  users = aki ++ scarlett;
+
+  Barbara = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEivYBAuarGiTOHscBYXP0LpG6RGCUDjzDCc/5lT+5sZ";
+  Gertrude = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIy9n203h4Qwj7qcWXTsMl9cbkc7wBoSA5o5u9l9gqwk";
+  systems = [ Barbara Gertrude ];
+in
+{
+  "secrets/common/aki-password.age".publicKeys = aki ++ systems;
+  "secrets/common/scarlett-password.age".publicKeys = users ++ systems;
+}
diff --git a/secrets/common/aki-password.age b/secrets/common/aki-password.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 tWWw1g toXsaYT7bGEgf+aJbfSJglgh9VeKFhL4PZ/uoT3+n3I
+2zAxUGbd0Jz0/ivXh9eywrqBbsnPWeVhT2CLVBz4sWs
+-> ssh-ed25519 QE/lLw fgX68U94pFv5XKZBhGMNpSrxhiYP2/OEO4q/vcXnWSU
+x7r2BbRWiLLHtSewp1m6dw/eYVj83n6l3ncgUx7mzFc
+-> ssh-ed25519 AsveaQ zhX9zmtWSHTRlfX850SgvQ4qukFXIl6poNmLxneHHlM
+JHp7WWcmoWKFBlIumARk0hSN9MKG73BS7CO22XcMrk0
+-> ssh-ed25519 Oji3Vw XW6a+CYGUFYpW5VLOrN9urj0ZATJ7MPBVQbUhPDxpG0
+NSLBgUJ5EhL/rDdDsfNHZrPzjPFt8cMOx/tpjIwo17s
+--- bf7wdSJEDb8lomDwrrAcwLygAq65wD2Vq5tI5Cl0ExU
+�jt<H'�A�oc��鴙�;p��Ky/���*�����t����Jvg����cj�!d��c9����{� ��������]P2��\
+q5#M]�5\:{�e�ɻ�V`f�����DY5�˪���w)��j��x;�Y

diff --git a/secrets/common/scarlett-password.age b/secrets/common/scarlett-password.age