init secret management

2024-12-29 16:25:35 +03:00 · 2024-12-29 16:25:35 +03:00 · 788ea511b0
commit 788ea511b0
parent 1e854a93fb
6 changed files with 59 additions and 23 deletions
--- a/common/secrets.nix
+++ b/common/secrets.nix
@ -0,0 +1,6 @@
+{
+  age.secrets = {
+    another-secret.file = ./secrets/another-secret.age;
+    bayram.file = ./secrets/bayram.age;
+  };
+}
--- a/flake.nix
+++ b/flake.nix
@ -21,7 +21,6 @@

    agenix.url = "github:ryantm/agenix";

-
    # stylix.url = "github:danth/stylix/master";
    # stylix.inputs.nixpkgs.follows = "nixpkgs";

@ -69,7 +68,7 @@
          agenix.nixosModules.default
          home-manager.nixosModules.home-manager
          {
-            environment.systemPackages = [ agenix.packages.${system}.default ];
+            environment.systemPackages = [agenix.packages.${system}.default];
          }
        ];
        specialArgs = {
--- a/hosts/ymir/configuration.nix
+++ b/hosts/ymir/configuration.nix
@ -132,27 +132,41 @@
  # Define a user account. Don't forget to set a password with ‘passwd’.
  virtualisation.docker.enable = true;

-  users.users.osbm = {
-    isNormalUser = true;
-    description = "osbm";
-    extraGroups = ["networkmanager" "wheel" "docker"];
-    packages = with pkgs; [
-      kdePackages.kate
-      vscode
-      pkgs-unstable.discord # discord sucks
-      alacritty
-      pkgs-unstable.obsidian
-      mpv
-      libreoffice
-      blender
-      gimp
-      kitty
-      obs-studio
-      audacity
-      pkgs-unstable.qbittorrent
-      arduino-ide
-      prismlauncher
-    ];
+  users.users = {
+    osbm = {
+      isNormalUser = true;
+      description = "osbm";
+      extraGroups = ["networkmanager" "wheel" "docker"];
+      packages = with pkgs; [
+        kdePackages.kate
+        vscode
+        pkgs-unstable.discord # discord sucks
+        alacritty
+        pkgs-unstable.obsidian
+        mpv
+        libreoffice
+        blender
+        gimp
+        kitty
+        obs-studio
+        audacity
+        pkgs-unstable.qbittorrent
+        arduino-ide
+        prismlauncher
+      ];
+    };
+    bayram = {
+      isNormalUser = true;
+      description = "So my family have easy access";
+      passwordFile = config.age.secrets.bayram.path;
+      extraGroups = ["networkmanager"];
+      packages = with pkgs; [
+        vlc
+        ungoogled-chromium
+        prismlauncher
+        qbittorrent
+      ];
+    };
  };

  nixpkgs.config.allowUnfree = true;
--- a/secrets/another-secret.age
+++ b/secrets/another-secret.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 kHqLyg OW2HK97DDr1UZKOpPa0SDNZOsDTLqBELlwBZc1XFrSQ
+uNZWhAoHKBdixxY2U5CKO8HtsTwx4wa0H651xYwDygI
+--- OvggssvwH6p6+QBWTPrY5mtBeI0HbiG2s2bIOhdxSQ0
+³3uÌÉ†sÛ„Ü•h‘õ $&€ÕjvË´¢ZÐšœš ne^Ê]
--- a/secrets/bayram.age
+++ b/secrets/bayram.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 kHqLyg BEyDZtX/I/qiDP0bJ0Jn+NsvJwgDzekkSo8muEIGASA
+tOoVfPm//+PDuVhdDQZ+NZSHtkrIDvqwqpRQMIVRfHw
+--- heWlHp9d+XOBJJbfVXEOxElINm7D8U2aklHfDOwxjVw
+ÉÔ{ÉòyCÑ]ëw¶µÄnCV<43><11>ÀR³h{©.?âÆaSAÛŠ°¼æ*
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,7 @@
+let
+  ymir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxc1ycxtzO2u4bHas71pi5CpR8Zzcj6GXjx1lLWMOHq";
+in {
+  "another-secret.age".publicKeys = [ymir];
+  # "gpg.age".publicKeys = [ymir];
+  "bayram.age".publicKeys = [ymir];
+}