diff --git a/flake.lock b/flake.lock index d877781..1b95cb9 100644 --- a/flake.lock +++ b/flake.lock @@ -110,11 +110,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709884566, - "narHash": "sha256-NSYJg2sfdO/XS3L8XN/59Zhzn0dqWm7XtVnKI2mHq3w=", + "lastModified": 1710197026, + "narHash": "sha256-0OdO4FsI7isTUKIGoFF6YRSp0H9oRAnb9ET1SlNu5G4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2be119add7b37dc535da2dd4cba68e2cf8d1517e", + "rev": "9c1dfe2db4be1095cc221e97a54323bc55d42696", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5249b4a..e3c40d2 100644 --- a/flake.nix +++ b/flake.nix @@ -21,10 +21,11 @@ # home-manager = { }; }; - outputs = { self, nypkgs, nixpkgs, ragenix, ... } @ args: + outputs = { self, nypkgs, nixpkgs, ... } @ inputs: let nixosSystem = nixpkgs.lib.nixosSystem; mkMerge = nixpkgs.lib.mkMerge; + settings = { system = { hostname = "gpdPocket3"; @@ -39,21 +40,20 @@ name = "RingOfStorms (Joshua Bell)"; }; }; - usersDir = ./users; - systemsDir = ./systems; - commonDir = ./_common; flakeDir = ./.; + secretsDir = ./secrets; + systemsDir = ./systems; + usersDir = ./users; }; ypkgs = nypkgs.legacyPackages.${settings.system.architecture}; ylib = ypkgs.lib; - ragenixPkg = ragenix.packages.${settings.system.architecture}.default; in { nixosConfigurations.${settings.system.hostname} = nixosSystem { system = settings.system.architecture; modules = [ ./systems/_common/configuration.nix ./systems/${settings.system.hostname}/configuration.nix ]; - specialArgs = args // { inherit settings; inherit ylib; inherit ragenixPkg; }; + specialArgs = inputs // { inherit settings; inherit ylib; }; }; # homeConfigurations = { }; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0f96cfa..db2aa17 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
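Review bot: `specialArgs = inputs // { inherit settings; inherit ylib; };` spreads every flake input as its own module argument but never binds the name `inputs`, while the new `systems/_common/ragenix.nix` in this commit declares `{ settings, lib, inputs, ... }` and reads `inputs.ragenix`; unless `inputs` is supplied through `_module.args` somewhere not shown, importing that module will fail with a missing-argument error. Keeping the spread for the existing modules and adding the name is a one-line change, `specialArgs = inputs // { inherit inputs settings ylib; };`. Dropping `ragenix` from the `outputs` pattern is fine because the `@ inputs` binding still carries it, but a short comment on the `outputs` line saying that modules receive the inputs both spread and as `inputs` would save the next reader the same hunt.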
@@ -6,8 +6,6 @@ # from authority # `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) > -# Creating a new secret: - let publicKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key" diff --git a/systems/_common/configuration.nix b/systems/_common/configuration.nix index 337c423..caff93f 100644 --- a/systems/_common/configuration.nix +++ b/systems/_common/configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, settings, ylib, ragenixPkg, ... }: +{ config, lib, pkgs, settings, ylib, ... } @ args: let home-manager = builtins.fetchTarball { url = "https://github.com/nix-community/home-manager/archive/release-23.11.tar.gz"; @@ -14,6 +14,7 @@ in (/${settings.systemsDir}/${settings.system.hostname}/hardware-configuration.nix) # home manager import (import "${home-manager}/nixos") + # ./ragenix.nix ]; # Enable flakes @@ -23,7 +24,7 @@ in security.polkit.enable = true; home-manager.useUserPackages = true; home-manager.useGlobalPkgs = true; - home-manager.extraSpecialArgs = { inherit settings; inherit ylib; }; + home-manager.extraSpecialArgs = args; # ========== # Common @@ -61,9 +62,6 @@ in git fzf ripgrep - - # nix secrets - ragenixPkg ]; environment.shellAliases = { diff --git a/systems/_common/ragenix.nix b/systems/_common/ragenix.nix new file mode 100644 index 0000000..2e4279e --- /dev/null +++ b/systems/_common/ragenix.nix 
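Review bot: `home-manager.extraSpecialArgs = args;` forwards the whole NixOS module argument set — including NixOS's `config`, `options`, `lib`, `pkgs` and `modulesPath` — as Home Manager specialArgs, and since specialArgs override the `config`/`lib`/`options` that evalModules supplies (as I understand nixpkgs' module system) Home Manager modules are likely to see the NixOS `config` and `pkgs` in place of their own; the NixOS config is already reachable from them as `nixosConfig`. Forward only what the user modules need, e.g. `home-manager.extraSpecialArgs = builtins.removeAttrs args [ "config" "options" "lib" "pkgs" "specialArgs" "modulesPath" ];`, or list the flake inputs explicitly next to `settings` and `ylib`. Separately, the `@@ -61,9 +62,6 @@` hunk drops `ragenixPkg` from `environment.systemPackages` while the replacement `./ragenix.nix` import in the `@@ -14,6 +14,7 @@` hunk stays commented out, so after this commit the ragenix CLI that `secrets/secrets.nix`'s usage comment refers to is no longer installed by this configuration.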
@@ -0,0 +1,23 @@ +# TODO check out the by host way this person does: https://github.com/hlissner/dotfiles/blob/089f1a9da9018df9e5fc200c2d7bef70f4546026/modules/agenix.nix +{ settings, lib, inputs, ... }: +let + secretsDir = "${settings.secretsDir}"; + secretsFile = "${secretsDir}/secrets.nix"; +in +{ + # imports = [ inputs.ragenix.nixosModules.age ]; + environment.systemPackages = [ inputs.ragenix.defaultPackage.${settings.system.architecture} ]; + + # age = { + # secrets = + # if pathExists secretsFile + # then + # mapAttrs' + # (n: _: nameValuePair (removeSuffix ".age" n) { + # file = "${secretsDir}/${n}"; + # owner = mkDefault settings.user.username; # TODO and root? or does that matter... + # }) + # (import secretsFile) + # else { }; + # }; +} diff --git a/users/_common/home.nix b/users/_common/home.nix index 22b0177..052a856 100644 --- a/users/_common/home.nix +++ b/users/_common/home.nix @@ -5,8 +5,9 @@ home.username = settings.user.username; home.homeDirectory = "/home/${settings.user.username}"; - # We always want a standard ssh key-pair used for secret management, create it if not there. - home.activation.generateSshKey = lib.hm.dag.entryAfter [ "writeBoundary" ] (import ./generate_ssh_key.nix args); - - imports = ylib.umport { paths = [ ./programs ]; recursive = true; }; + imports = ylib.umport { + paths = [ ./programs ]; + recursive = true; + exclude = [ ./programs/ssh/generate_ssh_key.nix ]; + }; } diff --git a/users/_common/generate_ssh_key.nix b/users/_common/programs/ssh/generate_ssh_key.nix similarity index 100% rename from users/_common/generate_ssh_key.nix rename to users/_common/programs/ssh/generate_ssh_key.nix diff --git a/users/_common/programs/ssh/ssh.nix b/users/_common/programs/ssh/ssh.nix new file mode 100644 index 0000000..7386e02 --- /dev/null +++ b/users/_common/programs/ssh/ssh.nix 
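Review bot: `inputs.ragenix.defaultPackage.${settings.system.architecture}` uses the legacy `defaultPackage` flake output name, which newer Nix deprecates in favour of `packages.<system>.default`; the binding this commit removed from `flake.nix` already used that form, so the module should keep `inputs.ragenix.packages.${settings.system.architecture}.default`. The commented `age.secrets` block calls `pathExists`, `mapAttrs'`, `nameValuePair`, `removeSuffix` and `mkDefault` unqualified although only `lib` is in scope, so it will need `lib.`/`builtins.` prefixes (or `with lib;`) before it is enabled, and the `age.*` options it sets only exist once the `inputs.ragenix.nixosModules.age` import above it is uncommented — worth stating in the TODO so the two are enabled together. Note also that `secretsDir = "${settings.secretsDir}"` turns the flake path into a string, so `import secretsFile` and the pending `file = "${secretsDir}/${n}"` read the store copy of `secrets/`; that is the intended agenix layout, but a one-line comment saying so would stop someone "fixing" it back to a path.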
@@ -0,0 +1,17 @@
+{ lib, ... } @ args:
+{
+ # We always want a standard ssh key-pair used for secret management, create it if not there.
+ home.activation.generateSshKey = lib.hm.dag.entryAfter [ "writeBoundary" ] (import ./generate_ssh_key.nix args);
+ programs.ssh = {
+ enable = true;
+ matchBlocks = {
+ github = {
+ hostname = "github.com";
+ # TODO lEFT OFF HERE TRYING TO GET THIS TO WORK
+ # identityFile = age.secrets.test1.file;
+ };
+ };
+ };
+}
+
diff --git a/users/josh/home.nix b/users/josh/home.nix
index 7402c39..b889bd8 100644
--- a/users/josh/home.nix
+++ b/users/josh/home.nix
@@ -1,4 +1,4 @@
-{ settings, ylib, ... } @ _args:
+{ settings, ylib, ... }:
 {
 imports =
 # Common settings all users share
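Review bot: the pending `# identityFile = age.secrets.test1.file;` would point SSH at the encrypted `.age` source, not at a usable key; in agenix-style modules `age.secrets.<name>.file` is the ciphertext and `age.secrets.<name>.path` is where the decrypted secret is installed, and inside a module it has to be read through `config`, so the working form is `identityFile = config.age.secrets.test1.path;` with the signature widened to `{ config, lib, ... } @ args:`. That also requires whichever module provides the `age.secrets` options in Home Manager to be imported and `age.secrets.test1` to be declared, neither of which this commit adds, so the TODO should name those two steps rather than just "trying to get this to work". Minor: the file ends with an added empty line after `}`, and `lEFT` in the TODO looks like a caps-lock slip.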