feat: add agenix for secrets management

2023-10-29 22:38:56 -05:00 · 2023-10-29 22:38:56 -05:00 · 9794f09357
commit 9794f09357
parent 38f10ee48b
4 changed files with 75 additions and 39 deletions
--- a/flake.nix
+++ b/flake.nix
@ -3,31 +3,65 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    impermanence.url = "github:nix-community/impermanence";
-    agenix.url = "github:ryantm/agenix";
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

-  outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }: rec {
-    imports = [
-      ./configuration.nix
-    ];
-    nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = inputs;
-      modules = [
-        ./hosts/orion
-        impermanence.nixosModules.impermanence
-        agenix.nixosModules.default
-      ];
+
+  outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }:
+    let
+      inputs.secrets = ./secrets;
+      defaults = {
+        config = {
+          environment.persistence = {
+            "/nix/persist" = {
+              hideMounts = true;
+              directories = [
+                "/var/lib"
+                "/var/log"
+                "/etc/nixos"
+                "/opt"
+                "/persist"
+              ];
+              files = [
+                "/etc/machine-id"
+                "/etc/nix/id_rsa"
+              ];
+            };
+          };
+
+          age.identityPaths = [
+            "/persist/nix.key"
+          ];
+        };
+      };
+    in
+    {
+      nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = inputs;
+        modules = [
+          defaults
+          ./hosts/orion
+          impermanence.nixosModules.impermanence
+          agenix.nixosModules.default
+        ];
+      };
+      nixosConfigurations.luna = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = inputs;
+        modules = [
+          defaults
+          ./hosts/luna
+          impermanence.nixosModules.impermanence
+          agenix.nixosModules.default
+        ];
+      };
    };
-    nixosConfigurations.luna = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = inputs;
-      modules = [
-        ./hosts/luna
-        impermanence.nixosModules.impermanence
-        agenix.nixosModules.default
-      ];
-    };
-  };
 }
--- a/hosts/luna/default.nix
+++ b/hosts/luna/default.nix
@ -1,5 +1,6 @@
 { config, lib, nixpkgs, ... }:
 {
+
  imports = [
    ./modules
    ./os
--- a/hosts/luna/modules/impermanence.nix
+++ b/hosts/luna/modules/impermanence.nix
@ -1,18 +1,4 @@
 { ... }:
 {
-  environment.persistence = {
-    "/nix/persist" = {
-      hideMounts = true;
-      directories = [
-        "/var/lib"
-        "/var/log"
-        "/etc/nixos"
-        "/opt"
-      ];
-      files = [
-        "/etc/machine-id"
-        "/etc/nix/id_rsa"
-      ];
-    };
-  };
+  environment.persistence = { };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,15 @@
+let
+  keys = rec {
+    master = "age1yubikey1qdpckyaqwxptfhsnwe5p40wggvlmu67tgx8t5yyf38g8k6xjj6cp7wtvg2s";
+    orion-tech = {
+      luna = [
+        "age1jgwqs04tphuuklx4g3gjdg42mchagn2gu7sftknerh8y8l9n7v7s27wqgu"
+        master
+      ];
+    };
+  };
+in
+
+{
+  "gitlab-runner-reg-config.age".publicKeys = keys.orion-tech.luna;
+}