feat: add agenix for secrets management

This commit is contained in:
Price Hiller 2023-10-29 22:38:56 -05:00
parent 38f10ee48b
commit 9794f09357
Signed by: Price
SSH Key Fingerprint: SHA256:Y4S9ZzYphRn1W1kbJerJFO6GGsfu9O70VaBSxJO7dF8
4 changed files with 75 additions and 39 deletions


@ -3,18 +3,51 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
impermanence.url = "github:nix-community/impermanence"; impermanence = {
agenix.url = "github:ryantm/agenix"; url = "github:nix-community/impermanence";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }: rec {
imports = [ outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }:
./configuration.nix let
inputs.secrets = ./secrets;
defaults = {
config = {
environment.persistence = {
"/nix/persist" = {
hideMounts = true;
directories = [
"/var/lib"
"/var/log"
"/etc/nixos"
"/opt"
"/persist"
]; ];
files = [
"/etc/machine-id"
"/etc/nix/id_rsa"
];
};
};
age.identityPaths = [
"/persist/nix.key"
];
};
};
in
{
nixosConfigurations.orion = nixpkgs.lib.nixosSystem { nixosConfigurations.orion = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = inputs; specialArgs = inputs;
modules = [ modules = [
defaults
./hosts/orion ./hosts/orion
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
agenix.nixosModules.default agenix.nixosModules.default
@ -24,6 +57,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = inputs; specialArgs = inputs;
modules = [ modules = [
defaults
./hosts/luna ./hosts/luna
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
agenix.nixosModules.default agenix.nixosModules.default
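Review bot: The `let inputs.secrets = ./secrets;` binding on the new side of the first hunk shadows the `inputs @ { ... }` argument instead of extending it, so `specialArgs = inputs;` in both `nixosSystem` calls now passes only `{ secrets = ./secrets; }` and `nixpkgs`, `impermanence`, `agenix` and `self` stop being available as module arguments (the `{ config, lib, nixpkgs, ... }:` module touched in this same commit would then fail to evaluate). If the intent is to add `secrets` next to the existing inputs, bind `args = inputs // { secrets = ./secrets; };` in the `let` and use `specialArgs = args;` in both configurations. Separately, `age.identityPaths = [ "/persist/nix.key" ]` replaces agenix's default of trying the host SSH keys, so as far as I can tell decryption on every host that imports `defaults` depends on that one file existing with root-only permissions; a comment such as `# sole age identity for all hosts; must exist before activation, mode 0400 root` would make that dependency visible. The `nixosConfigurations` attribute set continues past the end of the second hunk, so the rest of the `luna` definition is outside what I can see.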


@ -1,5 +1,6 @@
{ config, lib, nixpkgs, ... }: { config, lib, nixpkgs, ... }:
{ {
imports = [ imports = [
./modules ./modules
./os ./os


@ -1,18 +1,4 @@
{ ... }: { ... }:
{ {
environment.persistence = { environment.persistence = { };
"/nix/persist" = {
hideMounts = true;
directories = [
"/var/lib"
"/var/log"
"/etc/nixos"
"/opt"
];
files = [
"/etc/machine-id"
"/etc/nix/id_rsa"
];
};
};
} }

15
secrets/secrets.nix Normal file

@ -0,0 +1,15 @@
let
keys = rec {
master = "age1yubikey1qdpckyaqwxptfhsnwe5p40wggvlmu67tgx8t5yyf38g8k6xjj6cp7wtvg2s";
orion-tech = {
luna = [
"age1jgwqs04tphuuklx4g3gjdg42mchagn2gu7sftknerh8y8l9n7v7s27wqgu"
master
];
};
};
in
{
"gitlab-runner-reg-config.age".publicKeys = keys.orion-tech.luna;
}
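Review bot: The recipient keys in `master = "age1yubikey..."` and `luna = [ "age1jgw..." master ]` are bare strings with nothing tying them to the identities that will decrypt them, and nothing in the four files of this commit declares an `age.secrets."gitlab-runner-reg-config"` entry, so the file is encrypted but not yet consumed by any host. Presumably luna's entry is the public half of the `/persist/nix.key` identity configured in flake.nix; say so with a comment above the key, e.g. `# luna: public half of /persist/nix.key on luna (see age.identityPaths)`, and mark the other as `# master: YubiKey-backed recovery identity; can open every secret below`, so that rotating the on-disk key is visibly coupled to updating this entry. `orion` has no key here, so a secret later assigned to it would be undecryptable on that host; an explicit `orion = [ master ];` entry or a comment noting the omission would make that deliberate rather than accidental.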