From 0468cf2621e8ef812f774bbf2eed396b4c0d4602 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Tue, 30 Dec 2025 17:45:01 +0100
Subject: [PATCH] use agenix

---
 flake.nix | 1 +
 machines/173-249-5-230/configuration.nix | 9 +++++++--
 machines/laptop/configuration.nix | 11 +++++++++--
 machines/laptop/hardware-configuration.nix | 8 +++++++-
 secrets/secret0.age | Bin 0 -> 396 bytes
 secrets/secret1.age | Bin 0 -> 396 bytes
 secrets/secrets.nix | 7 +++++++
 7 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 secrets/secret0.age
 create mode 100644 secrets/secret1.age
 create mode 100644 secrets/secrets.nix

diff --git a/flake.nix b/flake.nix
index 69b6cff..d8682d5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,7 @@
 };
 configurationWithHomeManager = machine: (configuration machine [
+ agenix.nixosModules.default
 home-manager.nixosModules.home-manager
 {
 nixpkgs.overlays = [
diff --git a/machines/173-249-5-230/configuration.nix b/machines/173-249-5-230/configuration.nix
index b8b403e..853a5db 100644
--- a/machines/173-249-5-230/configuration.nix
+++ b/machines/173-249-5-230/configuration.nix
@@ -1,4 +1,9 @@
-{machine, ...}: {
+{
+ config,
+ machine,
+ ...
+}: {
+ age.secrets.secret1.file = ../../secrets/secret1.age;
 boot.tmp.cleanOnBoot = true;
 boot.loader.grub.devices = ["nodev"];
 environment.persistence."/nix/persist" = {
@@ -66,7 +71,7 @@
 users.users."mtgmonkey" = {
 isNormalUser = true;
 description = "mtgmonkey";
- initialPassword = "password";
+ passwordFile = builtins.toString config.age.secrets.secret1.path;
 extraGroups = ["wheel"];
 openssh.authorizedKeys.keys = machine.pub-keys.ssh;
 };
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
index 1b07935..58b019e 100644
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
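Review bot: The `age.secrets.secret1.file` declaration in the first hunk of machines/173-249-5-230/configuration.nix depends on a decryption identity that is not visible in this diff; by default agenix decrypts with the host's SSH host keys, and while `environment.persistence."/nix/persist"` is visible on this machine its directory list is cut off, so it is not clear whether `/etc/ssh` survives a reboot here the way the laptop hunk arranges (persisting `"/etc/ssh"` and copying it back in the initrd). If the host key is regenerated on boot, activation cannot decrypt secret1 and mtgmonkey is left with no usable password instead of the old default one. Worth confirming the persisted directory list or setting `age.identityPaths` explicitly, and adding a comment next to the declaration, e.g. `# decrypted at activation with this host's SSH host key; the key must be listed as a recipient in secrets/secrets.nix`. The attribute set this line opens continues past the hunk.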
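Review bot: `passwordFile = builtins.toString config.age.secrets.secret1.path;` in the second hunk of machines/173-249-5-230/configuration.nix uses the old option name, while both laptop user hunks use `hashedPasswordFile` for what appear to be the same secret files; as far as I recall `users.users.<name>.passwordFile` survives only as a deprecated alias of `hashedPasswordFile`, so this line either warns on every evaluation or stops working on a later nixpkgs. The `builtins.toString` wrapper here and in the two laptop user hunks is redundant, since `age.secrets.<name>.path` is already a string. Suggest `hashedPasswordFile = config.age.secrets.secret1.path;` here and the same simplification for andromeda and mtgmonkey on the laptop. The file is read as root at activation, so agenix's default root-only secret mode is sufficient and should not be widened for it.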
@@ -1,8 +1,13 @@
 {
+ config,
 lib,
 machine,
 ...
 }: {
+ age.secrets = {
+ secret0.file = ../../secrets/secret0.age;
+ secret1.file = ../../secrets/secret1.age;
+ };
 boot.loader = {
 efi.canTouchEfiVariables = true;
 systemd-boot.enable = true;
@@ -16,6 +21,7 @@
 "/var/lib/nixos"
 "/var/lib/systemd/coredump"
 "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
 ];
 files = [
 "/etc/machine-id"
@@ -82,6 +88,7 @@
 ly.enable = true;
 };
 libinput.enable = true;
+ openssh.enable = true;
 printing.enable = true;
 };
 system.stateVersion = "26.05";
@@ -89,7 +96,7 @@
 users.users."andromeda" = {
 isNormalUser = true;
 description = "andromeda";
- initialPassword = "password";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
 extraGroups = [
 "networkmanager"
 "wheel"
@@ -98,7 +105,7 @@
 users.users."mtgmonkey" = {
 isNormalUser = true;
 description = "mtgmonkey";
- initialPassword = "password";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
 extraGroups = [
 "networkmanager"
 "wheel"
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
index bde1c83..8ebef80 100644
--- a/machines/laptop/hardware-configuration.nix
+++ b/machines/laptop/hardware-configuration.nix
@@ -21,7 +21,7 @@
 #device = "none";
 #fsType = "tmpfs";
 #options = ["defaults" "size=60%" "mode=755"];
- device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
+ device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
 fsType = "btrfs";
 options = ["subvol=root"];
 };
@@ -48,6 +48,12 @@
 done
 btrfs subvolume create /btrfs_tmp/root
+ mkdir /btrfs_tmp/root/nix
+ mkdir /btrfs_tmp/root/etc
+ mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
+ cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
+ umount /btrfs_tmp/root/nix
+ rm -r /btrfs_tmp/root/nix
 umount /btrfs_tmp
 '';
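Review bot: The `"/etc/ssh"` entry added to the persisted directories in the second machines/laptop/configuration.nix hunk has no comment saying why a directory of host private keys now lives on `/nix/persist`; with agenix in place that directory is also the decryption identity for secret0 and secret1, and the initrd hunk in hardware-configuration.nix copies it back into the fresh root before activation, so a later cleanup that drops this entry would silently leave both users without a password. Suggest `"/etc/ssh" # host keys double as the agenix identity; hardware-configuration.nix restores them into the fresh root at boot`. Note also the bootstrap order: on the first boot after this change there are presumably no persisted host keys yet, so the secrets cannot be decrypted until sshd has generated a key pair and it has been added as a recipient. The list these entries belong to starts above the hunk.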
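Review bot: `openssh.enable = true;` in the third machines/laptop/configuration.nix hunk turns on sshd with NixOS defaults, which unless overridden elsewhere opens port 22 in the firewall and accepts password authentication; since this commit also gives both laptop users real passwords, a laptop that roams across networks via NetworkManager now exposes a password-guessable login. If the service is only there to generate the host key pair that agenix needs, `openFirewall = false` is enough; if remote access is wanted, key-only access along the lines of `openssh = { enable = true; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; };` is the safer default (the server hunk already provisions `openssh.authorizedKeys.keys = machine.pub-keys.ssh`, but the laptop user blocks are cut off here so I cannot tell whether the laptop does the same). The block this lives in, presumably `services`, starts before the hunk.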
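Review bot: The root `device` UUID change in the first machines/laptop/hardware-configuration.nix hunk is unrelated to the agenix work named in the subject line and is the kind of change that gets lost when this commit is later reverted or bisected; a separate commit, or at least a sentence in the commit message, would make it reviewable on its own. The attribute set it belongs to starts before the hunk.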
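Review bot: `rm -r /btrfs_tmp/root/nix` on the last added line of the second machines/laptop/hardware-configuration.nix hunk runs unconditionally after `umount /btrfs_tmp/root/nix`; if that umount fails (busy mount, or an earlier command in the script erroring out) the `rm -r` recurses into the still-mounted `/nix` filesystem and deletes the store together with `/nix/persist`, including the host keys this script exists to preserve. Using `rmdir`, which refuses a non-empty directory, removes that failure mode, and chaining on the umount makes the dependency explicit: `umount /btrfs_tmp/root/nix && rmdir /btrfs_tmp/root/nix`. Whether `cp ... -r` on the line before keeps the private keys at 0600 depends on the initrd's cp implementation and umask; `cp -rp` makes it explicit, and sshd refuses host keys that are group- or world-readable. The script string this lives in starts before the hunk (the `done` closes a loop that begins above it), and the hunk header counts two more context lines than are visible here, so it may also extend past `'';`.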
diff --git a/secrets/secret0.age b/secrets/secret0.age new file mode 100644 index 0000000000000000000000000000000000000000..4fd14dea8ca33798cd9f3c7278ab991261e2e32b GIT binary patch literal 396 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjjuN4>$8M z(N4=Yvn(%)ipoeY4$dzO_40KrEYAwf(AW1UO?0;KPpvF7cH}B|Dh>(@&JRxWD$_Rh z$TBx`5AZi~%C7Q`aEeNGjS9&03^Pith{$p+vp}~k)T1J;%uyjL(kQDmz}Y1rGuf;> zJI$>s*E}fIFUK&*DFvC4U+bb`yvNSL_ zC)2VZ&pk3I*Ce?lI5ITV&6Vq7$CK0MLN|O0YCo*BVhL|?E_y%V-ddK-1oNWyT{r!g zgt@A1-cj4|;ZMzxy7=DPZVR>YozASd)yJSZ-EL|Hi_DXDvqcA9e)IPDb^e*hg2g6t f#V;6Y2`^=Km6>9{Z^u8GsWXb!ZHUVLA1V(3UG0)t literal 0 HcmV?d00001 diff --git a/secrets/secret1.age b/secrets/secret1.age new file mode 100644 index 0000000000000000000000000000000000000000..3a172d37e0cead83550c4b7f4d76d13f1069dfbb GIT binary patch literal 396 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU74KYfqOjigDcPU6R z%S#T6sLU!faJGyn@C_-djI^lo*AF)I4|mb`c1tt}P1N=eEa&nrDXc823`;RiuXHMK zPb*DH&D9QYGbl>+3)N04D))=f4k^?xO)QM4@I<#Q)T1J;%u&J1(m%V(*eA!JAhT54 zGS48&wuhPTI$&rgm{#dbl@S`725!+K4ET*3OdVf2|rP{Df(*sv6I>{j# z{P*^RDa$qA=3Wr}`!?+n=OcAH-~CTy?GFk3R@nP&+eNJ{7kK^5<2LXr^?rO@_`~?s f0-k7V?JZ0ELT