From 7678345313e208860223b63425a9c41b05e6cb5a Mon Sep 17 00:00:00 2001 From: uku Date: Tue, 14 Nov 2023 19:47:42 +0100 Subject: [PATCH] use ragenix for passwords --- flake.lock | 176 ++++++++++++++++++++++++++++++- flake.nix | 5 + secrets/desktop/rootPassword.age | 10 ++ secrets/desktop/userPassword.age | 10 ++ secrets/secrets.nix | 6 ++ systems/default.nix | 17 +-- systems/desktop.nix | 27 ++++- 7 files changed, 240 insertions(+), 11 deletions(-) create mode 100644 secrets/desktop/rootPassword.age create mode 100644 secrets/desktop/userPassword.age create mode 100644 secrets/secrets.nix diff --git a/flake.lock b/flake.lock index 62483b0..4adbbab 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,27 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682101079, + "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", + "owner": "ryantm", + "repo": "agenix", + "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "inputs": { "nixpkgs": [ 
@@ -21,6 +43,59 @@ "type": "github" } }, + "crane_2": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ], + "rust-overlay": [ + "ragenix", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681680516, + "narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=", + "owner": "ipetkov", + "repo": "crane", + "rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -53,6 +128,22 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -109,6 +200,24 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "getchvim": { "inputs": { "nixpkgs": [ 
@@ -330,6 +439,30 @@ "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix", + "crane": "crane_2", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1682237245, + "narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "root": { "inputs": { "flake-parts": "flake-parts", @@ -337,7 +470,8 @@ "home-manager": "home-manager", "lanzaboote": "lanzaboote", "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable_2", + "ragenix": "ragenix" } }, "rust-overlay": { @@ -365,6 +499,31 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -394,6 +553,21 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f41233f..2cdece8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -23,6 +23,11 @@
 };
 };
 
+ ragenix = {
+ url = "github:yaxitech/ragenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 getchvim = {
 url = "github:getchoo/getchvim";
 inputs = {
diff --git a/secrets/desktop/rootPassword.age b/secrets/desktop/rootPassword.age
new file mode 100644
index 0000000..ce5033e
--- /dev/null
+++ b/secrets/desktop/rootPassword.age
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDRQMGFOdyBGdDJs
+Z0VGSmpsS2UzLzEyVUptU3pBWGJLRFhQUjhuMkNRM2VTQm9hUHhnCjJ5RENQN3dk
+V0UvNGxTSXRPVjVncU0yVUNtOG16dkdBSDZkMFVhc29zVVUKLT4gM1poJzxMTC1n
+cmVhc2UKSysvbU9Sc1h5TmpyN0R1WDRiL1J0NXI4Ci0tLSB3eDJaaXI2Tmt6dzIr
+enJhUWVoZGJkWlcwNGVMRCtrOTZoWjRiZERUYm5RCupwN3g/e9C8PA0AE1G3k9H8
+Guv9rHMTuz4oXdCSs/tOLRmxQRLsAuFB1ANYzgRLvDfN3I89U1YpWcFEyagaXNJm
+5sxSV46jEszR8YFk7vz9Wee2lZ34S5SxnT0OOoGp2bRKY0BgbVGxvYh9C/tnpigV
+18bdRHc2eM6h0hap0DTNRFmswVBl/idTq28=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/desktop/userPassword.age b/secrets/desktop/userPassword.age
new file mode 100644
index 0000000..acef616
--- /dev/null
+++ b/secrets/desktop/userPassword.age
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDRQMGFOdyBvTmxz
+ajJVK3hadjVucElJRFVHa3RBK1pNUmk1OG56aHR5R05vVmxLNWpzCld1akZxRGtI
+MVRkZ1FCYWhnSTlwdTc2dUc5M3ZDRTNVNno2WVNuZTMyR3MKLT4gN0dYUi1ncmVh
+c2UgV0RIaFE1MmggOiBrQiN1IEgKUHJjUllRazV1WklmclZOVjJWSlkycGZNY2lw
+NGdCeXZHNXdYQ2RFZ1Q5NExwWVk4SzMzaXRBCi0tLSBQeUd1QUlXNVFqYXpyVkxI
+MXgzVlFDcUtMYk9PRUlkc2d1TkdhOW1YWThBCpgeZ1KtNA/7tr71A6f6F3ViGH00
+aRkXsQsYIXhpp95ZjGZZFaHtIfX0zU706U0jxmHTU6YE3Cw1z/lBXxcprlJgcDRK
+MVUjHmvUErIElr4HG94tAL+0oiM3Zi/PseP9TzaHVLbST+NGC8s=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..930bb46
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,6 @@ +let + main = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8 uku3lig"]; +in { + "desktop/rootPassword.age".publicKeys = main; + "desktop/userPassword.age".publicKeys = main; +} diff --git a/systems/default.nix b/systems/default.nix index ef65cb0..441e715 100644 --- a/systems/default.nix +++ b/systems/default.nix @@ -11,8 +11,6 @@ modules = args.modules ++ [ - ./common.nix - ./${name} ./${name}/hardware-configuration.nix @@ -24,11 +22,18 @@ mapNixOS = lib.mapAttrs (toSystem inputs.nixpkgs.lib.nixosSystem); - desktop = with inputs; [ - ./desktop.nix - lanzaboote.nixosModules.lanzaboote - home-manager.nixosModules.home-manager + nixos = with inputs; [ + ./common.nix + ragenix.nixosModules.default ]; + + desktop = with inputs; + [ + ./desktop.nix + lanzaboote.nixosModules.lanzaboote + home-manager.nixosModules.home-manager + ] + ++ nixos; in { flake.nixosConfigurations = mapNixOS { fuji = { diff --git a/systems/desktop.nix b/systems/desktop.nix index 20b70ff..7df656f 100644 --- a/systems/desktop.nix +++ b/systems/desktop.nix @@ -1,7 +1,9 @@ { lib, pkgs, + config, getchvim, + ragenix, ... }: let username = "leo"; @@ -93,6 +95,17 @@ in { security.rtkit.enable = true; + age = { + identityPaths = ["/home/leo/.ssh/id_ed25519"]; + + secrets = let + base = ../secrets/desktop; + in { + rootPassword.file = "${base}/rootPassword.age"; + userPassword.file = "${base}/userPassword.age"; + }; + }; + home-manager = { useGlobalPkgs = true; useUserPackages = true; @@ -131,6 +144,7 @@ in { osu-lazer-bin gnome.file-roller getchvim.packages.${system}.default + ragenix.packages.${system}.default ]; services = { 
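Review bot: `main` lists a single recipient key, so both password secrets can only ever be decrypted by the one private key matching it, and in systems/desktop.nix that identity is a user key under `/home/leo/.ssh/id_ed25519` rather than a host key. If that key is rotated, lost, or simply not present when the age module runs at activation, neither password file can be decrypted and there is no second recipient left to re-key with. Consider adding the machine's host key as a second recipient, e.g. `main = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8 uku3lig" "<HOST_SSH_ED25519_PUBLIC_KEY>"];`, and re-keying the two `.age` files afterwards. A one-line comment above `main` naming which machine/user each key belongs to would also make future rotations less error-prone.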
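Review bot: `./common.nix` and `ragenix.nixosModules.default` are now only reached through the `++ nixos` appended to `desktop`, while the first hunk of this file removes `./common.nix` from the module list that `toSystem` builds for every host. Any host whose module list is not `desktop` would therefore silently lose common.nix on its next rebuild; only `fuji` is visible as context here, so this may currently be moot, but it is a trap for the next host added. A safer shape is to keep the shared list inside `toSystem` itself, i.e. `modules = args.modules ++ nixos ++ [ ./${name} ./${name}/hardware-configuration.nix … ];`, so a per-host list cannot forget it. The `let` binding that defines `toSystem` and `mapNixOS` starts outside this hunk.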
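Review bot: `identityPaths = ["/home/leo/.ssh/id_ed25519"]` hard-codes the user name even though the file already binds `username = "leo"` in its `let` (visible as context in the first hunk), and it makes system activation depend on a private key living in a user's home directory. As far as I recall the age module's default identities are the host SSH keys, which exist before any home directory is mounted; if the user key is missing or unreadable when activation runs, both secrets fail to decrypt, and since the accounts below point at those files the fallback behaviour for a missing `hashedPasswordFile` is worth verifying before relying on it. At minimum derive the path: `identityPaths = ["/home/${username}/.ssh/id_ed25519"];`, and preferably use the host key instead. A comment on `secrets` stating that each `.age` file must contain a crypt(3) password hash rather than a plaintext password would also help, since the encrypted blobs cannot be reviewed.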
@@ -161,10 +175,15 @@ in {
 security.pam.services.greetd.enableGnomeKeyring = true;
 
 # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.${username} = {
- isNormalUser = true;
- shell = pkgs.fish;
- extraGroups = ["networkmanager" "wheel" "video"];
+ users.users = {
+ ${username} = {
+ isNormalUser = true;
+ shell = pkgs.fish;
+ extraGroups = ["networkmanager" "wheel" "video"];
+ hashedPasswordFile = config.age.secrets.userPassword.path;
+ };
+
+ root.hashedPasswordFile = config.age.secrets.rootPassword.path;
 };
 
 fonts.packages = with pkgs; [
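Review bot: The context comment `# Define a user account. Don't forget to set a password with ‘passwd’.` is now misleading, because both `${username}` and `root` take their password from `hashedPasswordFile`, and whether a manual `passwd` survives a rebuild depends on `users.mutableUsers`, which is not visible in this hunk. Replace it with a comment that states the contract the encrypted files must satisfy, e.g. `# Passwords are declarative via ragenix: each .age file must hold a crypt(3) hash (mkpasswd -m sha-512 output), never a plaintext password.` If fully declarative passwords are the intent, setting `users.mutableUsers = false;` alongside this block would keep a stray `passwd` from diverging from the secret; it may already be set elsewhere in the file.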