From 9794f09357be484718984a1e39db06f5712e8a5c Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Sun, 29 Oct 2023 22:38:56 -0500
Subject: [PATCH] feat: add agenix for secrets management

---
 flake.nix | 82 ++++++++++++++++++++---------
 hosts/luna/default.nix | 1 +
 hosts/luna/modules/impermanence.nix | 16 +-----
 secrets/secrets.nix | 15 ++++++
 4 files changed, 75 insertions(+), 39 deletions(-)
 create mode 100644 secrets/secrets.nix

diff --git a/flake.nix b/flake.nix
index d8a952d..9136046 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,31 +3,65 @@ inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- impermanence.url = "github:nix-community/impermanence";
- agenix.url = "github:ryantm/agenix";
+ impermanence = {
+ url = "github:nix-community/impermanence";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }: rec {
- imports = [
- ./configuration.nix
- ];
- nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = inputs;
- modules = [
- ./hosts/orion
- impermanence.nixosModules.impermanence
- agenix.nixosModules.default
- ];
+
+ outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }:
+ let
+ inputs.secrets = ./secrets;
+ defaults = {
+ config = {
+ environment.persistence = {
+ "/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib"
+ "/var/log"
+ "/etc/nixos"
+ "/opt"
+ "/persist"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/nix/id_rsa"
+ ];
+ };
+ };
+
+ age.identityPaths = [
+ "/persist/nix.key"
+ ];
+ };
+ };
+ in
+ {
+ nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = inputs;
+ modules = [
+ defaults
+ ./hosts/orion
+ impermanence.nixosModules.impermanence
+ agenix.nixosModules.default
+ ];
+ };
+ nixosConfigurations.luna = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = inputs;
+ modules = [
+ defaults
+ ./hosts/luna
+ impermanence.nixosModules.impermanence
+ agenix.nixosModules.default
+ ];
+ };
 };
- nixosConfigurations.luna = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = inputs;
- modules = [
- ./hosts/luna
- impermanence.nixosModules.impermanence
- agenix.nixosModules.default
- ];
- };
- };
 }
diff --git a/hosts/luna/default.nix b/hosts/luna/default.nix
index 90dacc7..884a5ad 100644
--- a/hosts/luna/default.nix
+++ b/hosts/luna/default.nix
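Review bot: `inputs.secrets = ./secrets;` inside the `let` does not extend the `inputs @` argument — a `let` binding named `inputs` shadows it with the fresh set `{ secrets = ./secrets; }`, so the two `specialArgs = inputs;` lines below now pass only `secrets` and drop `self`, `nixpkgs`, `impermanence` and `agenix` (hosts/luna/default.nix in this same patch still declares a `nixpkgs` argument). Writing `inputs = inputs // { … }` in the `let` would not help either, because `let` is recursive and that binding would refer to itself. Use a differently named binding, `args = inputs // { secrets = ./secrets; };`, and `specialArgs = args;` in both nixosSystem calls. Separately, the shared `defaults` module makes `/persist/nix.key` the only age identity on both hosts; a one-line comment above `age.identityPaths` noting that this key has to be placed on the persisted volume when a host is bootstrapped, before any secret can be decrypted, would help the next person standing up a machine.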
@@ -1,5 +1,6 @@ { config, lib, nixpkgs, ... }: { + imports = [ ./modules ./os
diff --git a/hosts/luna/modules/impermanence.nix b/hosts/luna/modules/impermanence.nix
index 2e7e030..3590a39 100644
--- a/hosts/luna/modules/impermanence.nix
+++ b/hosts/luna/modules/impermanence.nix
@@ -1,18 +1,4 @@ { ... }: {
- environment.persistence = {
- "/nix/persist" = {
- hideMounts = true;
- directories = [
- "/var/lib"
- "/var/log"
- "/etc/nixos"
- "/opt"
- ];
- files = [
- "/etc/machine-id"
- "/etc/nix/id_rsa"
- ];
- };
- };
+ environment.persistence = { };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..e2f87e9
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,15 @@
+let
+ keys = rec {
+ master = "age1yubikey1qdpckyaqwxptfhsnwe5p40wggvlmu67tgx8t5yyf38g8k6xjj6cp7wtvg2s";
+ orion-tech = {
+ luna = [
+ "age1jgwqs04tphuuklx4g3gjdg42mchagn2gu7sftknerh8y8l9n7v7s27wqgu"
+ master
+ ];
+ };
+ };
+in
+
+{
+ "gitlab-runner-reg-config.age".publicKeys = keys.orion-tech.luna;
+}
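Review bot: After the removal this module only contributes `environment.persistence = { };`, which merges to nothing in the module system, so the file is effectively a no-op and a reader has to guess where luna's persistence configuration went. Either delete the file and its import, or keep it with a comment such as `# Persistence for every host is set by the shared defaults module in flake.nix; add luna-only paths here.` so the empty set reads as deliberate rather than as a leftover.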
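Review bot: Nothing in secrets.nix records which identity the `luna` recipient belongs to; the flake in this patch decrypts with `/persist/nix.key`, so presumably the `age1jgwqs…` recipient is that key's public half, and a comment saying so, e.g. `# luna: public half of /persist/nix.key (see age.identityPaths in flake.nix)`, keeps host-key rotation traceable. `master` likewise deserves a comment naming the YubiKey it lives on, since a replacement token gets a new recipient and every entry referencing `master` then has to be rekeyed. The diffstat lists no `secrets/gitlab-runner-reg-config.age`, so the ciphertext this rule refers to is not part of the commit — either it is gitignored or the secret has not been created with the agenix CLI yet; worth confirming before the luna configuration is built.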