feat(nixos/mounts): Keep babeshare pwd a secret

feat: Set up secrets.nix and secret editing
feat: Install agenix
2025-03-09 15:14:22 -07:00 · 2025-03-09 15:13:48 -07:00 · 2025-03-09 14:29:17 -07:00 · 2025-03-09 13:58:52 -07:00 · 2025-03-09 13:58:39 -07:00
9 changed files with 116 additions and 16 deletions
--- a/4
+++ b/4
@ -70,6 +70,10 @@ genFirefoxAddons:
  overlays/firefox-addons/addons.json \
  overlays/firefox-addons/addons.nix

+[group('maintainence')]
+secret name:
+  cd secrets && agenix -e {{name}}.age && cd -
+
 alias s := search
 search this:
  nh search {{this}}
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,32 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": [
+          "darwin"
+        ],
+        "home-manager": [
+          "home-manager"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "base16": {
      "inputs": {
        "fromYaml": "fromYaml"
@ -74,15 +101,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1741229100,
-        "narHash": "sha256-0HwrTDXp9buEwal/1ymK9uQmzUD5ozIA7CJGqnT/gLs=",
+        "lastModified": 1741126078,
+        "narHash": "sha256-ng0a4cIq3c9E3iGKomlwqKzVYs2RLOzQho2U1Mc2sqU=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "adf5c88ba1fe21af5c083b4d655004431f20c5ab",
+        "rev": "c172f50b55b087f8e7801631de977461603bb976",
        "type": "github"
      },
      "original": {
        "owner": "LnL7",
+        "ref": "nix-darwin-24.11",
        "repo": "nix-darwin",
        "type": "github"
      }
@ -248,7 +276,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1726560853,
@ -300,7 +328,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1694529238,
@ -339,7 +367,7 @@
    },
    "flake-utils_5": {
      "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_6"
      },
      "locked": {
        "lastModified": 1731533236,
@ -786,7 +814,7 @@
      "inputs": {
        "flake-compat": "flake-compat_3",
        "nixpkgs": "nixpkgs_4",
-        "systems": "systems_2",
+        "systems": "systems_3",
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
@ -992,6 +1020,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "darwin": "darwin",
        "home-manager": "home-manager",
        "lix": "lix",
@ -1063,7 +1092,7 @@
        "gnome-shell": "gnome-shell",
        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_7",
-        "systems": "systems_4",
+        "systems": "systems_5",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-tmux": "tinted-tmux"
@ -1108,8 +1137,9 @@
        "type": "github"
      },
      "original": {
-        "id": "systems",
-        "type": "indirect"
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
      }
    },
    "systems_3": {
@ -1122,9 +1152,8 @@
        "type": "github"
      },
      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
+        "id": "systems",
+        "type": "indirect"
      }
    },
    "systems_4": {
@ -1157,6 +1186,21 @@
        "type": "github"
      }
    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "tinted-foot": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -18,15 +18,18 @@
      overlays = with inputs; [
        lix.overlays.default
        nur.overlays.default
+        agenix.overlays.default
        niri-flake.overlays.niri
      ];

      systems.modules.nixos = with inputs; [
+        agenix.nixosModules.default
        stylix.nixosModules.stylix
        niri-flake.nixosModules.niri
      ];

      systems.modules.darwin = with inputs; [
+        agenix.darwinModules.default
        lix.nixosModules.default
      ];

@ -59,7 +62,7 @@
    };

    darwin = {
-      url = "github:LnL7/nix-darwin";
+      url = "github:LnL7/nix-darwin/nix-darwin-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

@ -68,6 +71,13 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.darwin.follows = "darwin";
+      inputs.home-manager.follows = "home-manager";
+    };
+
    nixgl = {
      url = "github:nix-community/nixGL";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/modules/home/programs/cli/agenix/default.nix
+++ b/modules/home/programs/cli/agenix/default.nix
@ -0,0 +1,16 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  cfg = config.marleyos.programs.agenix;
+in {
+  options.marleyos.programs.agenix.enable = lib.mkEnableOption "agenix";
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      agenix
+    ];
+  };
+}
--- a/modules/home/programs/cli/default.nix
+++ b/modules/home/programs/cli/default.nix
@ -11,6 +11,7 @@ in {

  config = lib.mkIf cfg.enable {
    marleyos.programs = {
+      agenix = enabled;
      bat = enabled;
      # cheat = enabled;
      curl = enabled;
--- a/modules/nixos/bundles/desktop/default.nix
+++ b/modules/nixos/bundles/desktop/default.nix
@ -34,6 +34,7 @@ in {
      services = {
        docker = enabled;
        mopidy = enabled;
+        openssh = enabled; # Needed for agenix.
        protonmail-bridge = enabled;
      };
    };
--- a/modules/nixos/mounts/babeshare/default.nix
+++ b/modules/nixos/mounts/babeshare/default.nix
@ -12,8 +12,7 @@
    else 1000;

  options = lib.concatStringsSep "," [
-    "username=marley"
-    "password=granola chaos lend splendid"
+    "credentials=${config.age.secrets.babeshare-pass.path}"
    "uid=${toString uid}"
    "gid=${toString config.users.groups."wheel".gid}"
    "nofail"
@ -26,6 +25,8 @@ in {
      cifs = true;
    };

+    age.secrets.babeshare-pass.file = ../../../../secrets/babeshare-pass.age;
+
    systemd = {
      mounts = [
        {
--- a/secrets/babeshare-pass.age
+++ b/secrets/babeshare-pass.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 Ut1iyA KXGzzzRoLVxe16enj/VGaD5HBLyljoTdQAR9Ff/l8lU
+oUj7ihNyWdCyvO7a0DTJTPkNfr0A/iNNnOzU8Jp0jUw
+-> ssh-ed25519 SC7Q6w pjLBLuF9W1uHR/q3zU1LeYeLIEBvrOVF0FZscPt57ls
+EIHJ7xuzGUZe76pe7WuQZA9AmYbA3q4OpT8y44opmSA
+-> ssh-ed25519 sGewVg aDBi8bigO379VAjytsX1aYHxnIYVJaCXCo4t1igEbxg
+ITCito+Bqn9lCYfB51OO4w8xcoMf3gGkTrJp3tiKzfw
+-> ssh-ed25519 kvP6pA eIb3SsUX6/zwNfhOB7zRAtpgOotSyuwiYvyalbZVJB8
+U/PMCYU6fvUrWUZXTNyXjmusTA/NWROGITlGAz2WqtQ
+--- UoYT5EnmwtSQlxnLdmGnLIAQaPzsb2W72AaQWzid8SY
+Ô?sækÝùãB.-e‹õ‚ßâÑ<15>ìãÖÇ<C396>•Ùfumì=zcÖ>]Bicçò–Eƒ*ŠÒF¬.-m\J
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,12 @@
+let
+  # To allow editing of secrets.
+  marley = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAk+purlXsZMEPDHSO+JDnDNtHB4OBlNThCyC6tIACfm marley@nyx";
+  users = [marley];
+
+  nyx = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgbXvNv4phFTrtVBJQWP/+HkKn14nkPUrIr5Vu2K1Zf root@nyx";
+  marleycentre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEA86DphSL36GsvatkXgFU1ONzt53UzXdUaQN1EBWeCD root@nixos";
+  marleynet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArAAwU4JX7wa5X3Un3q5b+ZD52j0nCnNsGEybWf/7SB root@nixos";
+  systems = [nyx marleycentre marleynet];
+in {
+  "babeshare-pass.age".publicKeys = users ++ systems;
+}
Author	SHA1	Message	Date
punkfairie	198e98110d	feat(nixos/mounts): Keep babeshare pwd a secret	2025-03-09 15:14:22 -07:00
punkfairie	820b6b523b	feat: Set up secrets.nix and secret editing	2025-03-09 15:13:48 -07:00
punkfairie	fd9a5e5f84	feat: Install agenix	2025-03-09 14:29:17 -07:00
punkfairie	fbcba7f024	feat(nixos/bundles): Enable openssh on desktop so agenix can function	2025-03-09 13:58:52 -07:00
punkfairie	a9e22f1424	fix(flake): Switch nix-darwin to stable release	2025-03-09 13:58:39 -07:00