start replacing sops with agenix

2025-01-19 01:21:39 +01:00 · 2023-11-16 13:29:18 +01:00 · 2023-11-16 13:29:18 +01:00 · 591c0cd6b5
commit 591c0cd6b5
parent 719ef1ba91
15 changed files with 61 additions and 17 deletions
--- a/flake.lock
+++ b/flake.lock
@ -179,11 +179,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1699783872,
+        "lastModified": 1700087144,
-        "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=",
+        "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "280721186ab75a76537713ec310306f0eba3e407",
+        "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -112,6 +112,7 @@
            impermanence.nixosModules.impermanence
            ./hosts/nuc
            ./shared
            ./shared/sops.nix
            sops-nix.nixosModules.sops
            {
              nixpkgs.overlays = [ self.overlays.default ];
@ -124,6 +125,7 @@
          modules = [
            ./hosts/falkenstein-1
            ./shared
            ./shared/sops.nix
            {
              nixpkgs.overlays = [ self.overlays.default ];
            }
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -49,8 +49,9 @@
    ];
  };
  # impermanence fixes
-  sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+  # sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
-  sops.gnupg.sshKeyPaths = lib.mkForce [ ];
+  # sops.gnupg.sshKeyPaths = lib.mkForce [ ];
  age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";
--- a/hosts/thinkpad/modules/backup/default.nix
+++ b/hosts/thinkpad/modules/backup/default.nix
@ -1,6 +1,8 @@
 { config, pkgs, ... }:
 {
-  sops.secrets."borg/passphrase" = { };
+  age.secrets."borg/passphrase" = {
    file = ../../../../secrets/thinkpad/borg/passphrase.age;
  };
  environment.systemPackages = [ pkgs.borgbackup ];
  services.borgmatic = {
    enable = true;
@ -32,7 +34,7 @@
        "/home/*/.local/share"
        "/home/*/Linux/Isos"
      ];
-      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}";
+      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}";
      compression = "lz4";
      keep_daily = 7;
      keep_weekly = 4;
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -2,14 +2,19 @@
 {
  imports = [ ./uni.nix ];
-  sops.secrets = {
+  age.secrets = {
-    "wireless-env" = { };
+    wireless = {
      file = ../../../../secrets/thinkpad/wireless.age;
    };
    "wireguard/dorm/private" = {
      file = ../../../../secrets/thinkpad/wireguard/dorm/private.age;
      owner = config.users.users.systemd-network.name;
    };
    "wireguard/dorm/preshared" = {
      file = ../../../../secrets/thinkpad/wireguard/dorm/preshared.age;
      owner = config.users.users.systemd-network.name;
    };
  };
  services.lldpd.enable = true;
  services.resolved = {
@ -32,7 +37,7 @@
    wireless = {
      enable = true;
      userControlled.enable = true;
-      environmentFile = config.sops.secrets."wireless-env".path;
+      environmentFile = config.age.secrets.wireless.path;
      networks = {
        "@HOME_SSID@" = {
          psk = "@HOME_PSK@";
@ -109,14 +114,14 @@
        Name = "wg0";
      };
      wireguardConfig = {
-        PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path;
+        PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path;
        ListenPort = 51820;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
            PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ=";
-            PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path;
+            PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path;
            Endpoint = "141.30.227.6:51820";
            AllowedIPs = "192.168.42.0/24, 192.168.43.0/24";
          };
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@ -1,6 +1,9 @@
 { config, ... }:
 {
-  sops.secrets."uni/zih" = { };
+  # sops.secrets."uni/zih" = { };
  age.secrets.tud = {
    file = ../../../../secrets/thinkpad/tud.age;
  };
  networking = {
    wireless.networks = {
      eduroam = {
@ -60,7 +63,7 @@
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
-        passwordFile = config.sops.secrets."uni/zih".path;
+        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "A-Tunnel-TU-Networks";
@ -71,7 +74,7 @@
        protocol = "anyconnect";
        gateway = "vpn2.zih.tu-dresden.de";
        user = "rose159e@tu-dresden.de";
-        passwordFile = config.sops.secrets."uni/zih".path;
+        passwordFile = config.age.secrets.tud.path;
        autoStart = false;
        extraOptions = {
          authgroup = "C-Tunnel-All-Networks";
--- a/secrets.nix
+++ b/secrets.nix
@ -0,0 +1,14 @@
 let
  thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2X5hdT9/6BIrRWSE+XBbc4+ocVkPqoAGO2DMSYiJB/";
  nuc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6pI2rVvnEMG7oHzA47NRahEKQj99pagrat+Q7pOT2v";
  falkenstein = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxar1P+KXVPzHCaIcGg33Gvog+a5Z8snHWSFqbY3WC6";
  rouven = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP";
 in
 {
  "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ];
  "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ];
  "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ];
  "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ];
  "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ];
  "secrets/thinkpad/borg/key.age".publicKeys = [ rouven thinkpad ];
 }
--- a/secrets/thinkpad/borg/key.age
+++ b/secrets/thinkpad/borg/key.age
--- a/secrets/thinkpad/borg/passphrase.age
+++ b/secrets/thinkpad/borg/passphrase.age
--- a/secrets/thinkpad/tud.age
+++ b/secrets/thinkpad/tud.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 uWbAHQ 8qDAQ233j/CRqJRSjx0CIMNyBl5y/D03ujizUlyeDQk
 YvxS49YognMr1d9ldJP0R4RKxZMLKxLk4G6juMpufag
 -> ssh-ed25519 EVzt9Q z5q719PZfij/wMAzL/Co+zn5fItb2d1ixaLETSYBcHc
 GHe/BBkAva/H3XE7Es6quxcVetNPhrjQvhqpskHzRuc
 -> <AuSD0{0-grease D,\j%9Iu l<5 f3evt DjX
 hfGCrRLXCdgz5Ea+9PRFfzWR8Jakr9MayFqQkdZMKeCjBCHH6g
 --- WZqO7QcXXC135yLGJq0UjANeM1StWqscMgS6fQ7rQJE
 Ä¶a-þ5¦É	ñ9q‰6‹†Èt³ö»ùû4’î”b2±t9h›Ð”b4¾o¤Å‘«–cˆ7Q
--- a/secrets/thinkpad/wireguard/dorm/preshared.age
+++ b/secrets/thinkpad/wireguard/dorm/preshared.age
--- a/secrets/thinkpad/wireguard/dorm/private.age
+++ b/secrets/thinkpad/wireguard/dorm/private.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 uWbAHQ wNqtwu/45ALrTdTmuEhYq2HpRA8s2DnHX1Hocw3zFCM
 1QvOewuqXACyFTJqzypf6cxZdM0MgXl9KACvl40qTN0
 -> ssh-ed25519 EVzt9Q fXLkwuPJ5y8ODKFpmDWVsma5sgx3WUMeqM/NRXiIbys
 VM8XIkPplNiFxjKvHjjVWkBHt2EyLD3Ngdjtlor3yzs
 -> (+cA16G-grease b`HZ0&CK
 CjJd2a8z/BrTQXKduxMh1vc9AaHJT8O+jEyxHBrKBpHIF2Q
 --- V/8tACrExnaGyEr7LJgeMtnfi+YGe631Z/FG7qoI/VM
 Ó@Ö¤À1ŽÝýNÌØpÌ5$‰ê×zƒf°fQ«½8ÑCâ”òKJ×¸òûzØ.}îÌ›E-â¹¥¯ü²ó›ÖPª+ó”r0
--- a/secrets/thinkpad/wireless.age
+++ b/secrets/thinkpad/wireless.age
--- a/shared/default.nix
+++ b/shared/default.nix
@ -4,7 +4,6 @@
  imports = [
    ./activation.nix
    ./gpg.nix
    ./sops.nix
    ./vim.nix
    ./nix.nix
    ./tmux.nix
--- a/shared/zsh.nix
+++ b/shared/zsh.nix
@ -25,7 +25,7 @@
      la = "ls -a";
      less = "bat";
      update = "cd /etc/nixos && nix flake update";
-      mosh = "f() {mosh $1 zsh};f";
+      msh = "f() {mosh $1 zsh};f";
    };
    histSize = 100000;
    histFile = "~/.local/share/zsh/history";