From 788ea511b01b6bcae3f6a7fc643813acfedc7df2 Mon Sep 17 00:00:00 2001
From: osbm
Date: Sun, 29 Dec 2024 16:25:35 +0300
Subject: [PATCH] init secret management
---
 common/secrets.nix | 6 ++++
 flake.nix | 3 +-
 hosts/ymir/configuration.nix | 56 ++++++++++++++++++++++--------------
 secrets/another-secret.age | 5 ++++
 secrets/bayram.age | 5 ++++
 secrets/secrets.nix | 7 +++++
 6 files changed, 59 insertions(+), 23 deletions(-)
 create mode 100644 common/secrets.nix
 create mode 100644 secrets/another-secret.age
 create mode 100644 secrets/bayram.age
 create mode 100644 secrets/secrets.nix
diff --git a/common/secrets.nix b/common/secrets.nix
new file mode 100644
index 0000000..e08c4fe
--- /dev/null
+++ b/common/secrets.nix
@@ -0,0 +1,6 @@
+{
+ age.secrets = {
+ another-secret.file = ./secrets/another-secret.age;
+ bayram.file = ./secrets/bayram.age;
+ };
+}
diff --git a/flake.nix b/flake.nix
index 33a0ae9..a032b8d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,6 @@
 agenix.url = "github:ryantm/agenix";
- # stylix.url = "github:danth/stylix/master";
 # stylix.inputs.nixpkgs.follows = "nixpkgs";
@@ -69,7 +68,7 @@
 agenix.nixosModules.default
 home-manager.nixosModules.home-manager
 {
- environment.systemPackages = [ agenix.packages.${system}.default ];
+ environment.systemPackages = [agenix.packages.${system}.default];
 }
 ];
 specialArgs = {
diff --git a/hosts/ymir/configuration.nix b/hosts/ymir/configuration.nix
index 69f3717..8533eae 100644
--- a/hosts/ymir/configuration.nix
+++ b/hosts/ymir/configuration.nix
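Review bot: The two `file` paths in `age.secrets` are resolved relative to common/secrets.nix, so `./secrets/another-secret.age` points at common/secrets/another-secret.age, while the diffstat shows the encrypted files being created under secrets/ at the repository root; the host should fail to evaluate with a missing path unless these become `another-secret.file = ../secrets/another-secret.age;` and `bayram.file = ../secrets/bayram.age;`. I also cannot see this module being imported by the flake.nix or hosts/ymir/configuration.nix hunks, so unless it is pulled in elsewhere, the `config.age.secrets.bayram` reference added to the ymir configuration will be undefined. The name `another-secret` reads like a placeholder; if it is one, dropping it keeps the set of real secrets easier to audit.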
@@ -132,27 +132,41 @@
 # Define a user account. Don't forget to set a password with ‘passwd’.
 virtualisation.docker.enable = true;
- users.users.osbm = {
- isNormalUser = true;
- description = "osbm";
- extraGroups = ["networkmanager" "wheel" "docker"];
- packages = with pkgs; [
- kdePackages.kate
- vscode
- pkgs-unstable.discord # discord sucks
- alacritty
- pkgs-unstable.obsidian
- mpv
- libreoffice
- blender
- gimp
- kitty
- obs-studio
- audacity
- pkgs-unstable.qbittorrent
- arduino-ide
- prismlauncher
- ];
+ users.users = {
+ osbm = {
+ isNormalUser = true;
+ description = "osbm";
+ extraGroups = ["networkmanager" "wheel" "docker"];
+ packages = with pkgs; [
+ kdePackages.kate
+ vscode
+ pkgs-unstable.discord # discord sucks
+ alacritty
+ pkgs-unstable.obsidian
+ mpv
+ libreoffice
+ blender
+ gimp
+ kitty
+ obs-studio
+ audacity
+ pkgs-unstable.qbittorrent
+ arduino-ide
+ prismlauncher
+ ];
+ };
+ bayram = {
+ isNormalUser = true;
+ description = "So my family have easy access";
+ passwordFile = config.age.secrets.bayram.path;
+ extraGroups = ["networkmanager"];
+ packages = with pkgs; [
+ vlc
+ ungoogled-chromium
+ prismlauncher
+ qbittorrent
+ ];
+ };
 };
 nixpkgs.config.allowUnfree = true;
diff --git a/secrets/another-secret.age b/secrets/another-secret.age
new file mode 100644
index 0000000..057119e
--- /dev/null
+++ b/secrets/another-secret.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 kHqLyg OW2HK97DDr1UZKOpPa0SDNZOsDTLqBELlwBZc1XFrSQ
+uNZWhAoHKBdixxY2U5CKO8HtsTwx4wa0H651xYwDygI
+--- OvggssvwH6p6+QBWTPrY5mtBeI0HbiG2s2bIOhdxSQ0
+3uɆsۄܕh$&jv˴ZКne^]
\ No newline at end of file
diff --git a/secrets/bayram.age b/secrets/bayram.age
new file mode 100644
index 0000000..607329d
--- /dev/null
+++ b/secrets/bayram.age
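Review bot: `passwordFile = config.age.secrets.bayram.path;` on the new `bayram` user uses the option name that nixpkgs renamed to `hashedPasswordFile` in NixOS 23.11; the old name still evaluates with a deprecation warning on recent channels, but the flake's nixpkgs pin is not visible in this patch, so please confirm which one applies and prefer `hashedPasswordFile = config.age.secrets.bayram.path;`. Under either name the option expects the decrypted file to hold a password hash (the output of `mkpasswd`), not the plaintext password, which is worth recording next to the user as `# secret must contain the mkpasswd hash, not a plaintext password` so the secret is not re-created with the wrong content later. The reference also needs the `config` module argument and an `age.secrets.bayram` definition to be in scope for this host; neither is shown by this hunk, and the enclosing module starts and ends outside it.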
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 kHqLyg BEyDZtX/I/qiDP0bJ0Jn+NsvJwgDzekkSo8muEIGASA
+tOoVfPm//+PDuVhdDQZ+NZSHtkrIDvqwqpRQMIVRfHw
+--- heWlHp9d+XOBJJbfVXEOxElINm7D8U2aklHfDOwxjVw
+{yC]wnCVRh{.?aSAۊ*
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..f96ab79
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ ymir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxc1ycxtzO2u4bHas71pi5CpR8Zzcj6GXjx1lLWMOHq";
+in {
+ "another-secret.age".publicKeys = [ymir];
+ # "gpg.age".publicKeys = [ymir];
+ "bayram.age".publicKeys = [ymir];
+}
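Review bot: Both secrets in secrets/secrets.nix are encrypted to the single `ymir` key, which from its name and the hosts/ymir/ path is presumably that machine's SSH host key; with one recipient the files can be edited or re-keyed only from ymir, and if that host key is rotated or lost the secrets become unrecoverable. The usual agenix layout also lists the administrator's own public key so the repository stays editable from a workstation, e.g. `osbm = "ssh-ed25519 <admin public key placeholder>";` and `"bayram.age".publicKeys = [ymir osbm];`. The commented-out `# "gpg.age".publicKeys = [ymir];` line is dead configuration and can be dropped until that secret exists.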