use agenix

2025-12-30 17:45:01 +01:00
parent e39747ae2e
commit 0468cf2621
7 changed files with 31 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,7 @@
      };
    configurationWithHomeManager = machine: (configuration machine
      [
+        agenix.nixosModules.default
        home-manager.nixosModules.home-manager
        {
          nixpkgs.overlays = [
--- a/machines/173-249-5-230/configuration.nix
+++ b/machines/173-249-5-230/configuration.nix
@@ -1,4 +1,9 @@
-{machine, ...}: {
+{
+  config,
+  machine,
+  ...
+}: {
+  age.secrets.secret1.file = ../../secrets/secret1.age;
  boot.tmp.cleanOnBoot = true;
  boot.loader.grub.devices = ["nodev"];
  environment.persistence."/nix/persist" = {
@@ -66,7 +71,7 @@
  users.users."mtgmonkey" = {
    isNormalUser = true;
    description = "mtgmonkey";
-    initialPassword = "password";
+    passwordFile = builtins.toString config.age.secrets.secret1.path;
    extraGroups = ["wheel"];
    openssh.authorizedKeys.keys = machine.pub-keys.ssh;
  };
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
@@ -1,8 +1,13 @@
 {
+  config,
  lib,
  machine,
  ...
 }: {
+  age.secrets = {
+    secret0.file = ../../secrets/secret0.age;
+    secret1.file = ../../secrets/secret1.age;
+  };
  boot.loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot.enable = true;
@@ -16,6 +21,7 @@
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
+      "/etc/ssh"
    ];
    files = [
      "/etc/machine-id"
@@ -82,6 +88,7 @@
      ly.enable = true;
    };
    libinput.enable = true;
+    openssh.enable = true;
    printing.enable = true;
  };
  system.stateVersion = "26.05";
@@ -89,7 +96,7 @@
  users.users."andromeda" = {
    isNormalUser = true;
    description = "andromeda";
-    initialPassword = "password";
+    hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
    extraGroups = [
      "networkmanager"
      "wheel"
@@ -98,7 +105,7 @@
  users.users."mtgmonkey" = {
    isNormalUser = true;
    description = "mtgmonkey";
-    initialPassword = "password";
+    hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
    extraGroups = [
      "networkmanager"
      "wheel"
--- a/machines/laptop/hardware-configuration.nix
+++ b/machines/laptop/hardware-configuration.nix
@@ -21,7 +21,7 @@
    #device = "none";
    #fsType = "tmpfs";
    #options = ["defaults" "size=60%" "mode=755"];
-    device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
+    device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
    fsType = "btrfs";
    options = ["subvol=root"];
  };
@@ -48,6 +48,12 @@
    done

    btrfs subvolume create /btrfs_tmp/root
+    mkdir /btrfs_tmp/root/nix
+    mkdir /btrfs_tmp/root/etc
+    mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
+    cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
+    umount /btrfs_tmp/root/nix
+    rm -r /btrfs_tmp/root/nix
    umount /btrfs_tmp
  '';

--- a/secrets/secret0.age
+++ b/secrets/secret0.age
--- a/secrets/secret1.age
+++ b/secrets/secret1.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+  andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
+  lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
+in {
+  "secret0.age".publicKeys = [andromeda lenovo];
+  "secret1.age".publicKeys = [andromeda lenovo];
+}