use ragenix for passwords

This commit is contained in:
uku 2023-11-14 19:47:42 +01:00
parent 6324fa7c57
commit 7678345313
Signed by: uku
GPG key ID: 7D01D7B105E77166
7 changed files with 240 additions and 11 deletions


@ -1,5 +1,27 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"nixpkgs": [
"ragenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"owner": "ryantm",
"repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
@ -21,6 +43,59 @@
"type": "github"
}
},
"crane_2": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": [
"ragenix",
"flake-utils"
],
"nixpkgs": [
"ragenix",
"nixpkgs"
],
"rust-overlay": [
"ragenix",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681680516,
"narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=",
"owner": "ipetkov",
"repo": "crane",
"rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -53,6 +128,22 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -109,6 +200,24 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"getchvim": {
"inputs": {
"nixpkgs": [
@ -330,6 +439,30 @@
"type": "github"
}
},
"ragenix": {
"inputs": {
"agenix": "agenix",
"crane": "crane_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1682237245,
"narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
@ -337,7 +470,8 @@
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable_2"
"nixpkgs-stable": "nixpkgs-stable_2",
"ragenix": "ragenix"
}
},
"rust-overlay": {
@ -365,6 +499,31 @@
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"ragenix",
"flake-utils"
],
"nixpkgs": [
"ragenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -394,6 +553,21 @@
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -23,6 +23,11 @@
};
};
ragenix = {
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
};
getchvim = {
url = "github:getchoo/getchvim";
inputs = {


@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDRQMGFOdyBGdDJs
Z0VGSmpsS2UzLzEyVUptU3pBWGJLRFhQUjhuMkNRM2VTQm9hUHhnCjJ5RENQN3dk
V0UvNGxTSXRPVjVncU0yVUNtOG16dkdBSDZkMFVhc29zVVUKLT4gM1poJzxMTC1n
cmVhc2UKSysvbU9Sc1h5TmpyN0R1WDRiL1J0NXI4Ci0tLSB3eDJaaXI2Tmt6dzIr
enJhUWVoZGJkWlcwNGVMRCtrOTZoWjRiZERUYm5RCupwN3g/e9C8PA0AE1G3k9H8
Guv9rHMTuz4oXdCSs/tOLRmxQRLsAuFB1ANYzgRLvDfN3I89U1YpWcFEyagaXNJm
5sxSV46jEszR8YFk7vz9Wee2lZ34S5SxnT0OOoGp2bRKY0BgbVGxvYh9C/tnpigV
18bdRHc2eM6h0hap0DTNRFmswVBl/idTq28=
-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,10 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDRQMGFOdyBvTmxz
ajJVK3hadjVucElJRFVHa3RBK1pNUmk1OG56aHR5R05vVmxLNWpzCld1akZxRGtI
MVRkZ1FCYWhnSTlwdTc2dUc5M3ZDRTNVNno2WVNuZTMyR3MKLT4gN0dYUi1ncmVh
c2UgV0RIaFE1MmggOiBrQiN1IEgKUHJjUllRazV1WklmclZOVjJWSlkycGZNY2lw
NGdCeXZHNXdYQ2RFZ1Q5NExwWVk4SzMzaXRBCi0tLSBQeUd1QUlXNVFqYXpyVkxI
MXgzVlFDcUtMYk9PRUlkc2d1TkdhOW1YWThBCpgeZ1KtNA/7tr71A6f6F3ViGH00
aRkXsQsYIXhpp95ZjGZZFaHtIfX0zU706U0jxmHTU6YE3Cw1z/lBXxcprlJgcDRK
MVUjHmvUErIElr4HG94tAL+0oiM3Zi/PseP9TzaHVLbST+NGC8s=
-----END AGE ENCRYPTED FILE-----

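--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,6 @@
+let
+main = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8 uku3lig"];
+in {
+"desktop/rootPassword.age".publicKeys = main;
+"desktop/userPassword.age".publicKeys = main;
+}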
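Review bot: The recipient list `main` holds a single user SSH key (the `uku3lig` entry), so both `.age` files can only be opened by that one identity, and desktop.nix accordingly has to point `age.identityPaths` at a key inside a user's home instead of the machine's host key. Consider adding the target host's SSH host public key as a second recipient, e.g. `main = ["ssh-ed25519 AAAA… uku3lig" "<HOST_PUBLIC_KEY>"];`, so activation can decrypt with the default host identity and losing the user key does not lock both password secrets. A short comment above `main` naming whose key it is and that the files must be rekeyed after changing the list would help the next maintainer.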


@ -11,8 +11,6 @@
modules =
args.modules
++ [
./common.nix
./${name}
./${name}/hardware-configuration.nix
@ -24,11 +22,18 @@
mapNixOS = lib.mapAttrs (toSystem inputs.nixpkgs.lib.nixosSystem);
desktop = with inputs; [
./desktop.nix
lanzaboote.nixosModules.lanzaboote
home-manager.nixosModules.home-manager
nixos = with inputs; [
./common.nix
ragenix.nixosModules.default
];
desktop = with inputs;
[
./desktop.nix
lanzaboote.nixosModules.lanzaboote
home-manager.nixosModules.home-manager
]
++ nixos;
in {
flake.nixosConfigurations = mapNixOS {
fuji = {
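Review bot: `./common.nix` appears to be dropped from the per-system `modules` list in the first hunk and is only reintroduced through the new `nixos` list, which is appended to `desktop` alone via `++ nixos`; any other module list handed to `mapNixOS` would then silently lose both common.nix and `ragenix.nixosModules.default`. If fuji is the only host this is fine today, but a comment such as `# baseline modules every host list must append` on `nixos` would make that contract explicit. The `let` block enclosing these bindings begins before the hunk.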


@ -1,7 +1,9 @@
{
lib,
pkgs,
config,
getchvim,
ragenix,
...
}: let
username = "leo";
@ -93,6 +95,17 @@ in {
security.rtkit.enable = true;
age = {
identityPaths = ["/home/leo/.ssh/id_ed25519"];
secrets = let
base = ../secrets/desktop;
in {
rootPassword.file = "${base}/rootPassword.age";
userPassword.file = "${base}/userPassword.age";
};
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
@ -131,6 +144,7 @@ in {
osu-lazer-bin
gnome.file-roller
getchvim.packages.${system}.default
ragenix.packages.${system}.default
];
services = {
@ -161,10 +175,15 @@ in {
security.pam.services.greetd.enableGnomeKeyring = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.${username} = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = ["networkmanager" "wheel" "video"];
users.users = {
${username} = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = ["networkmanager" "wheel" "video"];
hashedPasswordFile = config.age.secrets.userPassword.path;
};
root.hashedPasswordFile = config.age.secrets.rootPassword.path;
};
fonts.packages = with pkgs; [
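Review bot: `age.identityPaths = ["/home/leo/.ssh/id_ed25519"]` makes the decryption of `rootPassword` and `userPassword` depend on a user-owned file in a home directory being present and unencrypted when the system activates; if it is missing or passphrase-protected, the `hashedPasswordFile` paths will presumably not materialise and both accounts may be left without a usable password. Prefer the machine's host key as the decrypting identity (and add it as a recipient in secrets.nix), keeping the personal key for editing the secrets only. Separately, the comment `# Define a user account. Don't forget to set a password with passwd.` above `users.users` is now misleading since the hash comes from the age secret; change it to `# Define user accounts; password hashes are provisioned from the ragenix secrets above.` The `users.users` attrset and the enclosing module continue past the end of the hunk.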