From eda8dd3cbdaf270f8dc6e87d962a2e6ba026f5ce Mon Sep 17 00:00:00 2001
From: jolheiser
Date: Mon, 10 Jul 2023 17:03:30 -0500
Subject: [PATCH] feat: (r)agenix
Signed-off-by: jolheiser
---
 apps/ssh.nix | 4 +-
 apps/ssh/config | 41 -------
 flake.lock | 210 +++++++++++++++++++++++++++++++++-
 flake.nix | 69 +++++++----
 machines/chai/default.nix | 4 +-
 secrets/secrets.nix | 7 ++
 secrets/shared/ssh-config.age | 29 +++++
 7 files changed, 297 insertions(+), 67 deletions(-)
 delete mode 100644 apps/ssh/config
 create mode 100644 secrets/secrets.nix
 create mode 100644 secrets/shared/ssh-config.age
diff --git a/apps/ssh.nix b/apps/ssh.nix
index d518b98..4aa3766 100644
--- a/apps/ssh.nix
+++ b/apps/ssh.nix
@@ -1,6 +1,8 @@
 {
 programs.ssh = {
 enable = true;
- extraConfig = builtins.readFile ./ssh/config;
+ includes = [
+ "/run/agenix/ssh-config"
+ ];
 };
 }
diff --git a/apps/ssh/config b/apps/ssh/config
deleted file mode 100644
index 3335133..0000000
--- a/apps/ssh/config
+++ /dev/null
@@ -1,41 +0,0 @@
-Host jolheiser
- HostName jolheiser.com
- User jolheiser
- IdentityFile ~/.ssh/jolheiser
- IdentitiesOnly yes
-
-Host jojodev
- HostName jojodev.com
- User jolheiser
- IdentityFile ~/.ssh/jojodev
- IdentitiesOnly yes
-
-Host git.jojodev.com
- HostName git.jojodev.com
- User git
- IdentityFile ~/.ssh/github
- IdentitiesOnly yes
-
-Host github.com
- HostName github.com
- User git
- IdentityFile ~/.ssh/github
- IdentitiesOnly yes
-
-Host gitea.com
- HostName gitea.com
- User git
- IdentityFile ~/.ssh/github
- IdentitiesOnly yes
-
-Host codeberg.org
- HostName codeberg.org
- User git
- IdentityFile ~/.ssh/github
- IdentitiesOnly yes
-
-Host ssh.dev.azure.com
- HostName ssh.dev.azure.com
- User git
- IdentityFile ~/.ssh/ndlegis
- IdentitiesOnly yes
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 5c0bf52..f072a80 100644
--- a/flake.lock
+++ b/flake.lock
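Review bot: The `Include` that `programs.ssh.includes` emits now points at `/run/agenix/ssh-config`, a file that only exists after the agenix activation step and that ssh reads under the same owner/permission check it applies to `~/.ssh/config` (owned by the user or root, not group/world-writable, and readable by the user), so the `owner = "jolheiser"` set on the secret in flake.nix is load-bearing: a root-owned secret at the default 0400 mode would be unreadable by the user and, as far as I can tell, ssh would skip the include silently instead of failing. That dependency is worth recording next to the path, e.g. `# Host blocks live in the agenix secret; it must stay user-owned and user-readable or ssh ignores the Include`. The deleted plaintext `apps/ssh/config` remains in git history, so encrypting it only protects edits from this commit onward.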
@@ -1,5 +1,132 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682101079, + "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", + "owner": "ryantm", + "repo": "agenix", + "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ], + "rust-overlay": [ + "ragenix", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681680516, + "narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=", + "owner": "ipetkov", + "repo": "crane", + "rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "owner": "numtide", + "repo": "flake-utils", + 
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -85,12 +212,93 @@ "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix", + "crane": "crane", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682237245, + "narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "root": { "inputs": { + "flake-utils": "flake-utils", "home-manager": "home-manager", "jolheiser-nur": "jolheiser-nur", "nixpkgs": "nixpkgs_2", - "nur": "nur" + "nur": "nur", + "ragenix": "ragenix" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 9a7841c..bebc642 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,6 +5,9 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 home-manager.url = "github:nix-community/home-manager";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
+ ragenix.url = "github:yaxitech/ragenix";
+ ragenix.inputs.nixpkgs.follows = "nixpkgs";
+ flake-utils.url = "github:numtide/flake-utils";
 nur.url = "github:nix-community/nur";
 jolheiser-nur.url = "git+https://git.jojodev.com/jolheiser/nur";
@@ -16,6 +19,7 @@
 self,
 nixpkgs,
 home-manager,
+ ragenix,
 jolheiser-nur,
 ...
 } @ inputs: let
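Review bot: The new `ragenix` input only pins its `nixpkgs` to the root's, so its other transitive inputs are locked independently, which is why the flake.lock in this commit gains a second `flake-utils_2`/`systems_2` pair and a `darwin` (nix-darwin) node that these Linux-only configurations never evaluate. Adding `ragenix.inputs.flake-utils.follows = "flake-utils";` after the existing `ragenix.inputs.nixpkgs.follows` line would deduplicate flake-utils, and if the agenix input accepts it, `ragenix.inputs.agenix.inputs.darwin.follows = "";` would keep nix-darwin out of the lock as well. Both are lock-hygiene points rather than functional changes; the enclosing `inputs` set starts before the hunk.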
@@ -43,31 +47,50 @@
 flakePath = "/home/${username}/.config/nixpkgs";
 };
 };
+ age.secrets = {
+ ssh-config = {
+ file = ./secrets/shared/ssh-config.age;
+ owner = "jolheiser";
+ };
+ };
 };
 });
- in {
- nixosConfigurations = {
- "chai" = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- home-manager.nixosModules.home-manager
- ./machines/common
- ./machines/chai
- (commonConfig {username = "jolheiser";})
- ({pkgs, ...}: {
- home-manager.users.jolheiser.programs.git.package = pkgs.gitSVN;
- })
+ in
+ {
+ nixosConfigurations = {
+ "chai" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ home-manager.nixosModules.home-manager
+ ragenix.nixosModules.default
+ ./machines/common
+ ./machines/chai
+ (commonConfig {username = "jolheiser";})
+ ({pkgs, ...}: {
+ home-manager.users.jolheiser.programs.git.package = pkgs.gitSVN;
+ })
+ ];
+ };
+ "matcha" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ home-manager.nixosModules.home-manager
+ ragenix.nixosModules.default
+ ./machines/common
+ ./machines/matcha
+ (commonConfig {username = "jolheiser";})
+ ];
+ };
+ };
+ }
+ // inputs.flake-utils.lib.eachDefaultSystem (system: let
+ pkgs = nixpkgs.legacyPackages.${system};
+ in {
+ devShells.default = pkgs.mkShell {
+ nativeBuildInputs = with pkgs; [
+ just
+ ragenix.packages.${system}.ragenix
 ];
 };
- "matcha" = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- home-manager.nixosModules.home-manager
- ./machines/common
- ./machines/matcha
- (commonConfig {username = "jolheiser";})
- ];
- };
- };
- };
+ });
 }
diff --git a/machines/chai/default.nix b/machines/chai/default.nix
index 0a3f5da..0864d64 100644
--- a/machines/chai/default.nix
+++ b/machines/chai/default.nix
@@ -44,10 +44,12 @@ in {
 };
 environment.systemPackages = with pkgs; [
- globalprotect-openconnect
+ gp-saml-gui
+ openconnect
 jetbrains.pycharm-professional
 jetbrains.idea-ultimate
 jetbrains.datagrip
+ subversion
 teams-for-linux
 xorg.xauth
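Review bot: Most of this hunk is re-indentation of the `nixosConfigurations` block caused by moving `in` onto its own line, so the substantive additions (the `age.secrets` block in `commonConfig`, the two `ragenix.nixosModules.default` lines, and the `// eachDefaultSystem` merge that adds the dev shell) are hard to pick out of the whitespace churn; a separate formatting commit would make this reviewable and bisectable. The `age.secrets.ssh-config` declaration sits inside `commonConfig`, which both `chai` and `matcha` import, so a one-line comment on it such as `# Declared for every host using commonConfig; each host needs a recipient key in secrets/secrets.nix` would spell out the coupling. `commonConfig` itself begins before the hunk.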
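Review bot: The `gp-saml-gui`/`openconnect` swap and the added `subversion` in `machines/chai/default.nix` are unrelated to the `(r)agenix` feature named in the subject and would be easier to revert or bisect as their own commit. `subversion` presumably pairs with the `pkgs.gitSVN` override for chai in flake.nix, but nothing here says so; a trailing comment like `subversion # runtime dependency for the gitSVN override in flake.nix` would make the link explicit if that is the reason.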
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..b950f3e
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ jolheiser = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrPUqk9v7FE7OgMDaOMdlnItiXSDkmS+eU94RzQFiMS nix"];
+ matcha = [];
+ chai = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7PS9SJ+OVrUku9dPUQZigioy+r3VlFHVntsa/F7AdM root@chai"];
+in {
+ "shared/ssh-config.age".publicKeys = jolheiser ++ matcha ++ chai;
+}
diff --git a/secrets/shared/ssh-config.age b/secrets/shared/ssh-config.age
new file mode 100644
index 0000000..b2a8fa6
--- /dev/null
+++ b/secrets/shared/ssh-config.age
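Review bot: `matcha = []` means `shared/ssh-config.age` is encrypted only to the `jolheiser` user key and chai's host key, yet flake.nix declares `age.secrets.ssh-config` inside `commonConfig`, which the `matcha` configuration imports alongside `ragenix.nixosModules.default`, so on matcha the activation-time decryption has no matching identity and cannot succeed until its host key is added here and the file is re-encrypted (rekeyed). A placeholder comment would make that gap visible to whoever deploys matcha next: `matcha = []; # TODO: add matcha's host public key and rekey shared/ssh-config.age before enabling the secret there`.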
@@ -0,0 +1,29 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEU4ajYvZyAxYys2 +eHYraFR1Y2lGVlBZcklSN1lMYzF3b2xFRXdSaTgyQjFET3BXTFdvClR6cGVDQ1do +ckFObWFCRVJXSllJaFZDcU5VYWg2b1QxanFrK2l1YmhNNzgKLT4gc3NoLWVkMjU1 +MTkgam8xTVBBIFRaUDd5alpxcDVwcVdTb1hOS3hxM2JSb2ppM3dVRGpPK0FUcGx0 +ZU9LbkUKS2ZSaXpueHRBN2JVZWdJNnZ3VlpsWEhEVWFFZ0ZFTi80Q1h6YVB5Rkp6 +OAotPiBBcjBcZWgmIS1ncmVhc2Ugd0k9YXRFIFxEVDNmQ1J5IGw9KkQ2IFZvK2Be +bHsyCms5d1R1Tm0rT1pRdVBXZmhCaktKQXJFQTl3Q01US296bm53Tm45Z0UvS28x +OGNZVHJQMm5XRy84Wm9HRHViWlEKRXNtNFc0Ri9EMHpzakFrTzUvRWIwcEVlM09E +Z1VkNW81a0VhdmZEYk8vOHJRSG1OUTVET0h3Ci0tLSB6RnpoZmw3cUMyK0tSQkV4 +QnFCaXhOdEszSVRFdGJCV0hYS0hENytLT1NBCpap2Ueg9XZJh1ile34NxIu+7tAD +ACP2mrbLJk8SrJ+QJVtcfeHGTad5CwzoT/9SiZufDhSNLTCrCu8TT4ngCHuMOF1x +qVdmBrSacQ8VgVqovkFP9Sj5DZZsXj1XxJfQG5IDRwSK9d6+h4opHCsSHAJ19syg +zu/l7385EGc7+xlSt1Ifdc2HPV8Yk1ozGDTgVmsnvHSgXXkKgyGbjlHLvkrnqJJS +GMXl24N/X075L+hok62y1pzD2YxHWIOnIAs9SHwrKBXReWc4TymBHIYJQv8mSbDS +rDT8QXyKns8b4Zu9SWbWoiAcNzwF4BxUV5qM7PPzVZOlK65tiSSEB4f1Zh+1gL6V +UQqFw6RP10dAqopngNOKNP1WgQkb+Stjs8aplzCf3KBurdn63wcW2D7Z+hQouYE8 +CHMTFB5piAZ9qCWnydACF6/apOT7G7BCK9D8WhXH8mXYl+tlkA6rf4a4KOKuxJR/ +vrtSy3wCir8V4ICCdadxgWicZ+hzp9YP2nAgQxmGUT+SF+eRIDsBSueaz1py3fM1 +THsHGIt0sLJTWWKT6u8agwPpmpNrjDCCdN6wUHW8nCJ4xjXmcQyGwx0IGovLxi+g +6mhhPrg62p9vroCGEIzhkuWNK10SCSVs4WlNRMH0BH/DgFoNkM70rbT6tf2gDKtG +74+9mp5SntGQMuOL5nndscwD6G524fh5mcHFVaAdMvfTnFX6/7+iAI4/URVYrxyj +gEV9YjQrmj7Ync6jv7nKHmgQMesmRLf7lxXswb7AZ281wk5hmT+uv626sLqU9q+9 +z270Jy/7QV3jQk+dS3Y5RgflAzNI8eXmMA0SEojzydWbGT5oFbrY9/DofILQs8Qw +cPQcXtUSW0hRQjBCQPuFvwde7pY3gjfpwVeof/9hcc6usVWoT4PoPAYKr+0tRuPo +syI/Aamn1SO04n6RW51y4wbcOVrofs63pkAjwk9DAmHwO8Qe9ALTFd+n9K/bknMa +HYh+8v3yVa+xfR/9XizRgRpE6eghNGBW30ywPAkGryKchlri6lenfBhcmRwGI4b4 +mc27ZS79Rn3rjTPKXtIgCEoOQYOmGZW38PELS0LWi7h53iXr7W9apQh/ +-----END AGE ENCRYPTED FILE-----