feat(secrets): add initial secrets.nix configuration

2024-12-06 20:49:18 +00:00 · 2024-12-06 20:49:18 +00:00 · 9b1cef61f2
commit 9b1cef61f2
parent 8fbd2cc84a
5 changed files with 140 additions and 21 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
    "agenix-flake": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1723293904,
        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "cachix": {
      "inputs": {
        "devenv": [
@ -14,7 +35,7 @@
          "teslamate-flake",
          "devenv"
        ],
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1728672398,
@ -31,13 +52,35 @@
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix-flake",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1700795494,
        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "devenv": {
      "inputs": {
        "cachix": "cachix",
        "flake-compat": "flake-compat",
        "git-hooks": "git-hooks",
        "nix": "nix",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1732298876,
@ -182,15 +225,36 @@
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix-flake",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1732319136,
+        "lastModified": 1703113217,
-        "narHash": "sha256-wpmPl6FkAF9Jj5C/rzANgpUjfzQrUYOn267LnzKU2uI=",
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f8831cc700030e11fc91da9ef6270593e6440edc",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1733482664,
        "narHash": "sha256-ZD+h1fwvZs+Xvg46lzTWveAqyDe18h9m7wZnTIJfFZ4=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "e38d3dd1d355a003cc63e8fe6ff66ef2257509ed",
        "type": "github"
      },
      "original": {
@ -236,7 +300,7 @@
        ],
        "flake-parts": "flake-parts",
        "libgit2": "libgit2",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nixpkgs-23-11": [
          "teslamate-flake",
          "devenv"
@ -267,11 +331,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1732377093,
+        "lastModified": 1733505731,
-        "narHash": "sha256-vJ7axNT6AOtzH2B+nDvObibKuzPImIgYjumk2uG9PyE=",
+        "narHash": "sha256-B3jYxAIMhBdH5ayiSVoXsi4zvInRbZB5eEUac5mboUQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9c4b9f2f99ea64aeb0dd466e2974bf8aa240a117",
+        "rev": "f145dbde156efee66276502a2ecbfd60ed81c18d",
        "type": "github"
      },
      "original": {
@ -283,11 +347,27 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1732377064,
+        "lastModified": 1703013332,
-        "narHash": "sha256-d7iJuzyWeeFYP1HTsS/jMmyD4X2dfi02uKWcju6AaJU=",
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e10d3ce766fc170730ceaeb5a913ebb3bd70f840",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1733506536,
        "narHash": "sha256-hmTCczt4tDKyKNtm0UOp78oHSDnJU3qZHX80KEEu1lI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "260a02d2ee673c2e4a4cfe8bc6c78ce8ea39c08c",
        "type": "github"
      },
      "original": {
@ -297,7 +377,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1730531603,
        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
@ -313,7 +393,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1717432640,
        "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
@ -329,7 +409,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1716977621,
        "narHash": "sha256-Q1UQzYcMJH4RscmpTkjlgqQDX5yi1tZL0O345Ri6vXQ=",
@ -345,7 +425,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1732014248,
        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
@ -384,10 +464,11 @@
    },
    "root": {
      "inputs": {
-        "home-manager": "home-manager",
+        "agenix-flake": "agenix-flake",
        "home-manager": "home-manager_2",
        "local-unstable": "local-unstable",
        "nixos-unstable": "nixos-unstable",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "nvidia-patch": "nvidia-patch",
        "teslamate-flake": "teslamate-flake"
      }
@ -407,12 +488,27 @@
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "teslamate-flake": {
      "inputs": {
        "devenv": "devenv",
        "devenv-root": "devenv-root",
        "flake-parts": "flake-parts_2",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_6",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
@ -453,7 +549,7 @@
    },
    "utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1710146030,
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,7 @@
    nixos-unstable.url = "github:NixOS/nixpkgs/master";
    local-unstable.url = "path:///home/giulio/dev/nixpkgs";
    teslamate-flake.url = "github:teslamate-org/teslamate/v1.32.0";
    agenix-flake.url = "github:ryantm/agenix";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
@ -14,7 +15,7 @@
    };
  };
-  outputs = { self, nixpkgs, nixos-unstable, local-unstable, home-manager, teslamate-flake, nvidia-patch }:
+  outputs = { self, nixpkgs, nixos-unstable, local-unstable, home-manager, teslamate-flake, nvidia-patch, agenix-flake }:
    let
      sysLinuxX64 = "x86_64-linux";
      sysDarwin = "aarch64-darwin";
@ -50,10 +51,16 @@
            overlays = extOverlays;
          };
          agenixPkgs = import agenix-flake {
            inherit system config;
            overlays = extOverlays;
          };
          overlays = [
            (final: prev: { inherit unstablePkgs; })
            (final: prev: { inherit localPkgs; })
            (final: prev: { inherit teslamatePkgs; })
            (final: prev: { inherit agenixPkgs; })
          ] ++ extOverlays;
        };
@ -91,6 +98,7 @@
          }];
          imports = [
            teslamate-flake.nixosModules.default
            agenix-flake.nixosModules.default
          ];
        };
      };
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -42,6 +42,8 @@ in
    ./postgres.nix
  ];
  age.identityPaths = [ "/root/.ssh/id_ed25519" ];
  architect = {
    networks.lan = {
      interface = "enp6s0";
--- a/secrets/matrix-synapse.age
+++ b/secrets/matrix-synapse.age
@ -0,0 +1,5 @@
 age-encryption.org/v1
 -> ssh-ed25519 7eGqHw GXtk20+d3LLJB30kQokGRPRa56fmb+lX9YDvIYBQwHg
 Us0v7drXPZXBdfhPFjnnHj31r2eKBZ7UytSHggFxf1E
 --- pXsX3lmuff2Zc4FDBZCBBL4nwBvVZowjc7kgQTjr9oA
 S/íÚ±®.*Àl,ÉïLg©(ÙÖc<C396><63>[ÃX7x‘µ³~‹+ltrdnØ¡¥À
åaw—Á°½0Œ¹ÜO8ðœû±«g•¶ô7ãâÿÊú8dO ˜ôøñàÄ«z@ÂŠOîD}ö5'¸
fÙ¼ÚMíœ¶‚uo«Cƒ˜‰‚Ê<E2809A>ÄWÅ›ã×»þ=bóÉØŸK¿pþÎŠkµëoôŠµz×<7A>ZHˆ&è¢vo¢Òµí¤›=z¾”€êŽ;˜µÍ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,8 @@
 let
  pubkeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICu7rSsZ+d3BkppimNHJj8xL5jfl5RxMU0+Q5cue0LUu root@architect"
  ];
 in
 {
  "secrets/matrix-synapse.age".publicKeys = pubkeys;
 }