agenix support

2023-01-31 22:37:18 +01:00 · 2023-01-31 22:37:18 +01:00 · 55a541d555
parent 106f2a204d
commit 55a541d555
11 changed files with 91 additions and 45 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,48 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1675176355,
+        "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -129,6 +172,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "flake-parts": "flake-parts",
        "nixpkgs": "nixpkgs",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix"
--- a/flake.nix
+++ b/flake.nix
@ -5,13 +5,15 @@
  };

  inputs = {
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
    pre-commit-hooks-nix = {
      url = "github:cachix/pre-commit-hooks.nix";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-      };
+      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

@ -27,18 +29,28 @@
      systems = ["x86_64-linux"];
      perSystem = {
        self',
+        inputs',
        pkgs,
        config,
        lib,
        ...
      }: let
-        packages = import ./packages {inherit pkgs;};
-      in {
-        devShells.default = packages.shell {
-          shellHook = config.pre-commit.installationScript;
+        inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
+        hpkgs = pkgs.haskellPackages.override {
+          overrides = haskellPackagesOverlay;
        };
-        inherit (packages) packages;
-        legacyPackages = {inherit (packages) haskellPackagesOverlay;};
+      in {
+        devShells.default = hpkgs.shellFor {
+          packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
+          shellHook = config.pre-commit.installationScript;
+          buildInputs = [
+            hpkgs.haskell-language-server
+            pkgs.cabal-install
+            inputs'.agenix.packages.default
+          ];
+        };
+        packages = selectHaskellPackages hpkgs;
+        legacyPackages = {inherit haskellPackagesOverlay;};

        pre-commit = {
          check.enable = true;
--- a/nixos/machines/apollo/configuration.nix
+++ b/nixos/machines/apollo/configuration.nix
@ -41,19 +41,11 @@ in {
    hostName = "apollo";
    domain = "m-0.eu";
    networkmanager.enable = true;
-    firewall = {
-      allowedTCPPorts = [
-        4713 # pulseaudio
-      ];
-      allowedUDPPorts = [
-        4713 # pulseaudio
-      ];
-    };
    wireguard.interfaces = {
      m0wire = {
        allowedIPsAsRoutes = false;
        ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
-        privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
+        privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
        peers = [
          {
            publicKey = wireguard.pub.hera;
@ -61,7 +53,7 @@ in {
            # endpoint =
            #  "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
            endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
            persistentKeepalive = 25;
          }
        ];
@ -96,8 +88,8 @@ in {
        group = "users";
        user = "maralorn";
        openDefaultPorts = true;
-        cert = pkgs.privatePath "syncthing/apollo/cert.pem";
-        key = pkgs.privatePath "syncthing/apollo/key.pem";
+        cert = config.age.secrets."syncthing/apollo/cert.pem".path;
+        key = config.age.secrets."syncthing/apollo/key.pem".path;
      }
      // syncthing.declarativeWith ["hera" "zeus" "pegasus"] "/home/maralorn/media";
  };
--- a/nixos/machines/fluffy/configuration.nix
+++ b/nixos/machines/fluffy/configuration.nix
@ -121,7 +121,7 @@ in {
            publicKey = wireguard.pub.hera;
            allowedIPs = ["${hosts.vpn.prefix}::/64"];
            endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
            persistentKeepalive = 25;
          }
        ];
--- a/nixos/machines/hera/network.nix
+++ b/nixos/machines/hera/network.nix
@ -62,28 +62,28 @@ in {
    wireguard.interfaces = {
      m0wire = {
        ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
-        privateKeyFile = pkgs.privatePath "wireguard/hera-private";
+        privateKeyFile = config.age.secrets."wireguard/hera-private".path;
        listenPort = wireguard.port;
        peers = [
          {
            publicKey = wireguard.pub.zeus;
            allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
          }
          {
            publicKey = wireguard.pub.apollo;
            allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
          }
          {
            publicKey = wireguard.pub.fluffy;
            allowedIPs = ["${hosts.vpn.fluffy}/128"];
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
          }
          {
            publicKey = wireguard.pub.pegasus;
            allowedIPs = ["${hosts.vpn.pegasus}/128"];
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
          }
        ];
      };
--- a/nixos/machines/zeus/configuration.nix
+++ b/nixos/machines/zeus/configuration.nix
@ -137,7 +137,7 @@ in {
            publicKey = wireguard.pub.hera;
            allowedIPs = ["::/0"];
            endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
-            presharedKeyFile = pkgs.privatePath "wireguard/psk";
+            presharedKeyFile = config.age.secrets."wireguard/psk".path;
            persistentKeepalive = 25;
          }
        ];
--- a/nixos/roles/admin.nix
+++ b/nixos/roles/admin.nix
@ -4,8 +4,8 @@
  lib,
  ...
 }: let
-  passwordFile = pkgs.privatePath "pam-login-password";
  openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
+  passwordFile = config.age.secrets.pam-login-password.path;
 in {
  users.users = {
    maralorn = {
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -19,6 +19,7 @@ in {
  ];

  imports = [
+    (builtins.getFlake "github:ryantm/agenix").nixosModules.default
    (networkingModule "firewall-iptables")
    (networkingModule "firewall-nftables")
    (networkingModule "firewall")
@ -30,6 +31,11 @@ in {
    ./admin.nix
  ];

+  age.secrets = (import ../../private/secret-config.nix).module-config {
+    inherit (config.networking) hostName;
+    inherit lib;
+  };
+
  i18n = {
    defaultLocale = "en_DK.UTF-8";
    supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
--- a/overlays/packages.nix
+++ b/overlays/packages.nix
@ -1 +1,6 @@
-_: prev: (import ../packages {pkgs = prev.unstable;}).packages
+_: prev: let
+  inherit (import ../packages {pkgs = prev;}) haskellPackagesOverlay selectHaskellPackages;
+in
+  selectHaskellPackages (prev.unstable.haskellPackages.override {
+    overrides = haskellPackagesOverlay;
+  })
--- a/packages/default.nix
+++ b/packages/default.nix
@ -35,9 +35,6 @@
        prev.matrix-client;
      aeson-schemas = unmarkBroken (dontCheck prev.aeson-schemas);
    };
-  hpkgs = pkgs.haskellPackages.override {
-    overrides = haskellPackagesOverlay;
-  };
  selectHaskellPackages = attrs: lib.mapAttrs (name: _: attrs.${name}) myHaskellPackages;
  myHaskellPackages = {
    wizards-dialog = cleanCabalPackage {
@ -62,15 +59,5 @@
    };
  };
 in {
-  packages = selectHaskellPackages hpkgs;
-  inherit haskellPackagesOverlay;
-  shell = args:
-    hpkgs.shellFor ({
-        packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
-        buildInputs = [
-          hpkgs.haskell-language-server
-          pkgs.cabal-install
-        ];
-      }
-      // args);
+  inherit selectHaskellPackages haskellPackagesOverlay;
 }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit ea5c59c88c6a963fed4a31b6a3c31b424c4ae091
+Subproject commit 4970e368d9b554df2881b16cdb5d1712fcfbf575