diff --git a/flake.lock b/flake.lock index 3ca98bc..d877781 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,113 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "ragenix", + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1707830867, + "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", + "owner": "ryantm", + "repo": "agenix", + "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "crane": { + "inputs": { + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708794349, + "narHash": "sha256-jX+B1VGHT0ruHHL5RwS8L21R6miBn4B6s9iVyUJsJJY=", + "owner": "ipetkov", + "repo": "crane", + "rev": "2c94ff9a6fbeb9f3ea0107f28688edbe9c81deaa", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": 
"3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1709884566, 
@@ -32,15 +140,94 @@ }, "original": { "owner": "yunfachi", - "ref": "master", "repo": "nypkgs", "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix", + "crane": "crane", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1709831932, + "narHash": "sha256-WsP8rOFa/SqYNbVtYJ/l2mWWOgyDTJFbITMV8tv0biI=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "06de099ef02840ec463419f12de73729d458e1eb", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "root": { "inputs": { "nixpkgs": "nixpkgs", - "nypkgs": "nypkgs" + "nypkgs": "nypkgs", + "ragenix": "ragenix" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708740535, + "narHash": "sha256-NCTw235XwSDbeTAtAwg/hOeNOgwYhVq7JjDdbkOgBeA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "9b24383d77f598716fa0cbb8b48c97249f5ee1af", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 5c72e3d..5249b4a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,7 +4,13 @@ inputs = { # Nix utility methods nypkgs = { - url = "github:yunfachi/nypkgs/master"; + url = "github:yunfachi/nypkgs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + # Secrets management for nix + ragenix = { + url = "github:yaxitech/ragenix"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -15,7 +21,7 @@ # home-manager = { }; }; - outputs = { self, nypkgs, nixpkgs, ... } @ args: + outputs = { self, nypkgs, nixpkgs, ragenix, ... } @ args: let nixosSystem = nixpkgs.lib.nixosSystem; mkMerge = nixpkgs.lib.mkMerge; @@ -41,12 +47,13 @@ ypkgs = nypkgs.legacyPackages.${settings.system.architecture}; ylib = ypkgs.lib; + ragenixPkg = ragenix.packages.${settings.system.architecture}.default; in { nixosConfigurations.${settings.system.hostname} = nixosSystem { system = settings.system.architecture; modules = [ ./systems/_common/configuration.nix ./systems/${settings.system.hostname}/configuration.nix ]; - specialArgs = args // { inherit settings; inherit ylib; }; + specialArgs = args // { inherit settings; inherit ylib; inherit ragenixPkg; }; }; # homeConfigurations = { }; }; diff --git a/readme.md b/readme.md index 6ca687b..1a75da0 100644 --- a/readme.md +++ b/readme.md @@ -2,6 +2,8 @@ - Before anything else, ensure the generated hardware-configuration is copied over into the desired hostname target in systems directory. - //todo add experimental whatevers `nixos-rebuild switch --flake /etc/nixos#gpdPocket3` +- copy oover this systems ssh public key pairs into the ./secrets/secrets.nix file - push those up, using another computer re-key all the secrets, push up again + - pull new secrets down with new added keys # Later updates diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 836433a..3902b44 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
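Review bot: The new `ragenix` input is fetched from the repository's default branch with no ref or rev in its URL, so the only thing pinning the tool that decrypts every secret in this repo is the narHash in flake.lock, and a routine `nix flake update` will move it with nothing to review but a hash change. Because this input sits at the root of secret handling, consider pinning it explicitly, e.g. `url = "github:yaxitech/ragenix/06de099ef02840ec463419f12de73729d458e1eb";` (the rev the lock records), and bumping it deliberately. Note also that `inputs.nixpkgs.follows = "nixpkgs"` only de-duplicates nixpkgs: the lock shows ragenix still pulls agenix, crane, rust-overlay, home-manager and nix-darwin (the last tracking `master`) as separate inputs that each become a trust root of the secrets toolchain and should be reviewed on update. The `inputs` attribute set continues outside the hunk.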
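Review bot: `ragenixPkg` is threaded through `specialArgs` even though `args` (spread into `specialArgs` on the same line) already carries the `ragenix` input, so every module receives the tool twice under two names and the architecture is resolved here rather than where the package is used. A smaller surface would be to drop the binding and let modules read `ragenix.packages.${pkgs.system}.default` themselves, or expose it through `nixpkgs.overlays`; if the binding stays, a comment such as `# ragenix CLI handed to modules so hosts can edit/rekey secrets` would explain why a package rather than the input is being passed. The `let` block begins outside the hunk.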
@@ -6,6 +6,8 @@ # from authority # `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) > +# Creating a new secret: + let authority = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key"; gpd3_josh_2024_march_11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhgYzACsd0GPuF8bl9SFB5y9KDwv+pU9UihoInzhRok josh@gpdPocket3"; diff --git a/systems/_common/configuration.nix b/systems/_common/configuration.nix index e3a227f..337c423 100644 --- a/systems/_common/configuration.nix +++ b/systems/_common/configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, settings, ylib, ... }: +{ config, lib, pkgs, settings, ylib, ragenixPkg, ... }: let home-manager = builtins.fetchTarball { url = "https://github.com/nix-community/home-manager/archive/release-23.11.tar.gz"; @@ -61,6 +61,9 @@ in git fzf ripgrep + + # nix secrets + ragenixPkg ]; environment.shellAliases = { @@ -90,8 +93,8 @@ in stashes = "git stash list"; # ripgrep - rg="rg --no-ignore"; - rgf="rg --files 2>/dev/null | rg"; + rg = "rg --no-ignore"; + rgf = "rg --files 2>/dev/null | rg"; }; environment.shellInit = builtins.readFile ./shellInit.sh;
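Review bot: The added `# Creating a new secret:` header has no body, so a reader of this rules file is told a procedure exists but not what it is, right where the trust list of public keys is defined. Either complete it, presumably with the `-e` form of the `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules ...` command documented on the line above followed by the secret's file name, or drop the header until the step is written. The surrounding `let` block continues past the hunk.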
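Review bot: The module now takes the flake-pinned `ragenixPkg` argument, yet the `let` directly beneath the new signature still fetches home-manager with `builtins.fetchTarball` from a branch-archive URL (`release-23.11.tar.gz`) and no `sha256`, so that input is neither pinned nor integrity-checked at evaluation time — a pre-existing gap the commit leaves in place while moving other tooling into the lock. Since flake.nix already carries a commented-out `# home-manager = { };` stub, the consistent fix is to declare home-manager as a flake input and import its NixOS module from `args`, or at minimum add a `sha256` attribute to the `fetchTarball` call so a changed tarball fails the build. The `let` block continues past the hunk.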