diff --git a/default.nix b/default.nix
index efbb9c5..0c5e725 100644
--- a/default.nix
+++ b/default.nix
@@ -47,6 +47,7 @@ let
 modules = [
 { networking.hostName = hostname; }
 ./hosts/${hostname}
+ inputs.agenix.nixosModules.age
 ] ++ ((listFilesRecursive ./modules) |> filter (hasSuffix ".mod.nix"));
 lib = inputs.nixpkgs.lib.extend (
diff --git a/flake.lock b/flake.lock
index 95c0c5a..0f251b1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,6 +16,29 @@
 "url": "https://git.lix.systems/lix-project/flake-compat.git"
 }
 },
+ "agenix": {
+ "inputs": {
+ "darwin": [],
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1754433428,
+ "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "crane": {
 "locked": {
 "lastModified": 1754269165,
@@ -101,7 +124,7 @@
 },
 "flake-utils": {
 "inputs": {
- "systems": "systems"
+ "systems": "systems_2"
 },
 "locked": {
 "lastModified": 1731533236,
@@ -184,6 +207,27 @@
 "type": "github"
 }
 },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "impermanence": {
 "locked": {
 "lastModified": 1737831083,
@@ -355,6 +399,7 @@
 "root": {
 "inputs": {
 "__flake-compat": "__flake-compat",
+ "agenix": "agenix",
 "ghostty": "ghostty",
 "hjem": "hjem",
 "impermanence": "impermanence",
@@ -363,7 +408,6 @@
 "nil": "nil",
 "nixpkgs": "nixpkgs_2",
 "quickshell": "quickshell",
- "sops-nix": "sops-nix",
 "watt": "watt",
 "zedless": "zedless",
 "zen-browser-flake": "zen-browser-flake"
@@ -419,7 +463,7 @@
 "nixpkgs"
 ],
 "rust-overlay": "rust-overlay",
- "systems": "systems_2"
+ "systems": "systems_3"
 },
 "locked": {
 "lastModified": 1749906619,
@@ -435,26 +479,6 @@
 "type": "github"
 }
 },
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1754988908,
- "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
- "owner": "mic92",
- "repo": "sops-nix",
- "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
- "type": "github"
- },
- "original": {
- "owner": "mic92",
- "repo": "sops-nix",
- "type": "github"
- }
- },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
@@ -485,6 +509,21 @@
 "type": "github"
 }
 },
+ "systems_3": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "watt": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 3e9607f..762a888 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,9 +51,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- sops-nix = {
- url = "github:mic92/sops-nix";
+ agenix = {
+ url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
+ inputs.darwin.follows = "";
 };
 __flake-compat = {
diff --git a/modules/home/dev/helix.hjem.nix b/modules/home/dev/helix.hjem.nix
index 58eb06b..9ed38c2 100644
--- a/modules/home/dev/helix.hjem.nix
+++ b/modules/home/dev/helix.hjem.nix
@@ -350,7 +350,6 @@ let
 clipboard-provider = "wayland";
 completion-trigger-len = 1;
- completion-replace = true;
 mouse = true;
 bufferline = "multiple";
 popup-border = "none";
@@ -388,10 +387,6 @@ let
 "diagnostics"
 "line-numbers"
 ];
- inline-diagnostics = {
- cursor-line = "hint";
- other-lines = "error";
- };
 };
 keys = {
 normal = {
diff --git a/modules/packages/packages.mod.nix b/modules/packages/packages.mod.nix
index 1c72936..acabc14 100644
--- a/modules/packages/packages.mod.nix
+++ b/modules/packages/packages.mod.nix
@@ -6,10 +6,8 @@
 ...
 }:
 let
- inherit (lib) getFlakePkg;
 nil = getFlakePkg inputs.nil;
-
 in
 {
 environment = {
@@ -94,6 +92,7 @@ in
 ])
 ++ [
 nil
+ inputs.agenix.packages.${pkgs.stdenv.system}.agenix
 ];
 };
 }
diff --git a/modules/programs/cli/jj.mod.nix b/modules/programs/cli/jujutsu.mod.nix
similarity index 75%
rename from modules/programs/cli/jj.mod.nix
rename to modules/programs/cli/jujutsu.mod.nix
index 4ec0a1c..25c73f5 100644
--- a/modules/programs/cli/jj.mod.nix
+++ b/modules/programs/cli/jujutsu.mod.nix
@@ -2,19 +2,17 @@
 config,
 lib,
 pkgs,
+ self,
 ...
 }:
 let
 inherit (lib.meta) getExe;
 inherit (lib.lists) singleton;
- inherit (lib.strings) optionalString;
+ inherit (lib.modules) mkIf;
 inherit (config.meta.mainUser) username;
 inherit (config.meta.system) isWorkstation;
- organizationScope = config.sops.secrets.organization_scope.path;
- uniScope = config.sops.secrets.uni_scope.path;
-
 toml = pkgs.formats.toml { };
 jj-config = toml.generate "config.toml" {
 user = {
@@ -62,7 +60,10 @@ let
 "@-"
 ];
 };
- git.push-new-bookmarks = true;
+ git = {
+ # colocate = true;
+ push-new-bookmarks = true;
+ };
 revset-aliases."closest_bookmark(to)" = "heads(::to & bookmarks())";
 signing = {
 backend = "ssh";
@@ -88,6 +89,7 @@ let
 };
 ui = {
 default-command = "log";
+ diff-editor = ":builtin";
 diff-formatter = [
 "${getExe pkgs.difftastic}"
 "--color"
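Review bot: `nil = getFlakePkg inputs.nil;` still calls getFlakePkg right after the first packages.mod.nix hunk removes `inherit (lib) getFlakePkg;`, so unless the module's argument set above the hunk binds getFlakePkg directly, the module stops evaluating with an undefined-variable error. If the arguments do bind it, nothing is lost; otherwise the inherit line needs to come back. The second hunk's `inputs.agenix.packages.${pkgs.stdenv.system}.agenix` is fine as written, though `pkgs.stdenv.hostPlatform.system` is the spelling nixpkgs prefers for the host platform.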
@@ -105,17 +107,26 @@ let
 };
 };
+ inherit (config.age.secrets) organizationScope uniScope;
 jj-wrapped = pkgs.symlinkJoin {
 name = "jj-wrapped";
- paths = [ pkgs.jujutsu ];
+ paths = singleton [ pkgs.jujutsu ];
 nativeBuildInputs = [ pkgs.makeWrapper ];
- postBuild = optionalString isWorkstation ''
- wrapProgram $out/bin/jj --add-flags " --config-file ${uniScope} --config-file ${organizationScope}"
+ postBuild = ''
+ wrapProgram $out/bin/jj --add-flags " --config-file ${organizationScope.path} --config-file ${uniScope.path}"
 '';
 };
-
 in
 {
 hjem.users.${username}.xdg.config.files."jj/config.toml".source = jj-config;
- environment.systemPackages = singleton jj-wrapped;
+ age.secrets.organizationScope = mkIf isWorkstation {
+ file = "${self}/secrets/organization_scope.age";
+ owner = username;
+ };
+ age.secrets.uniScope = mkIf isWorkstation {
+ file = "${self}/secrets/uni_scope.age";
+ owner = username;
+ };
+ environment.systemPackages = singleton (if isWorkstation then jj-wrapped else pkgs.jujutsu);
+
 }
diff --git a/modules/programs/gui/bitwarden.mod.nix b/modules/programs/gui/bitwarden.mod.nix
index 34f1891..9ab4529 100644
--- a/modules/programs/gui/bitwarden.mod.nix
+++ b/modules/programs/gui/bitwarden.mod.nix
@@ -2,16 +2,13 @@
 config,
 lib,
 pkgs,
+ self,
 ...
 }:
 let
 inherit (config.modules.system) isGraphical;
 inherit (lib.modules) mkIf;
- inherit (lib.meta) getExe;
- inherit (builtins) readFile;
 inherit (config.meta.mainUser) username;
- realEmail = readFile config.sops.secrets.real_email.path;
- bitwardenUrl = readFile config.sops.secrets.bitwarden_url.path;
 fix_ssh_keys = pkgs.writeText "patch" ''
 diff --git a/src/api.rs b/src/api.rs
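Review bot: `paths = singleton [ pkgs.jujutsu ];` wraps a list that is already a single element, producing `[ [ pkgs.jujutsu ] ]`; symlinkJoin may still build because Nix flattens nested lists when coercing them to a string, but it is a type confusion the next reader will stop on — write `paths = [ pkgs.jujutsu ];` (or `singleton pkgs.jujutsu`). The now-unconditional `postBuild` is safe only because jj-wrapped, and with it `organizationScope.path`, is forced solely on the `isWorkstation` branch of the `environment.systemPackages` line, while the two `age.secrets` definitions are `mkIf isWorkstation`; a comment on the `inherit (config.age.secrets)` line such as `# only defined when isWorkstation; jj-wrapped is never forced otherwise` would stop someone from hoisting it. Giving both secrets `owner = username` with agenix's default read-only owner mode is the right scope for a per-user config file.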
@@ -65,13 +62,9 @@ let
 in
 {
 config = mkIf isGraphical {
- hjem.users.${username}.xdg.config.files."rbw/config.json".text =
- builtins.toJSON
- <| {
- email = realEmail;
- pinentry = getExe pkgs.pinentry-qt;
- base_url = bitwardenUrl;
- };
+ age.secrets.rbwConfig.file = (self + "/secrets/rbw_config.age");
+ hjem.users.${username}.xdg.config.files."rbw/config.json".source = config.age.secrets.rbwConfig.path;
+
 environment = {
 systemPackages = lib.attrValues {
 inherit (pkgs)
diff --git a/modules/services/matrix.mod.nix b/modules/services/matrix.mod.nix
index 81db364..4dffbe5 100644
--- a/modules/services/matrix.mod.nix
+++ b/modules/services/matrix.mod.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ self,
 ...
 }:
 let
@@ -12,8 +13,6 @@ let
 cfg = config.modules.system.services.matrix;
- registrationToken = config.sops.secrets.tuwunel_token_file.path;
-
 port = 4926;
 domain = "faukah.com";
@@ -29,6 +28,8 @@ in
 options.modules.system.services.matrix.enable = mkEnableOption "matrix";
 config = mkIf cfg.enable {
+ age.secrets.registrationToken.file = "${self}/secrets/tuwunel_token_file.age";
+
 services = {
 nginx = {
 enable = true;
@@ -62,7 +63,7 @@ in
 allow_federation = true;
 allow_encryption = true;
 new_user_displayname_suffix = "";
- registration_token_file = registrationToken;
+ registration_token_file = config.age.secrets.registrationToken.path;
 };
 };
 };
diff --git a/modules/style/gtk.mod.nix b/modules/style/gtk.mod.nix
index 8be837b..f6e126a 100644
--- a/modules/style/gtk.mod.nix
+++ b/modules/style/gtk.mod.nix
@@ -96,8 +96,18 @@ in
 "xdg/gtk-3.0/settings.ini".text = toGtk3Ini {
 Settings = gtkIni;
 };
- "xdg/gtk-4.0/gtk.css".text = css;
- "xdg/gtk-3.0/gtk.css".text = css;
+ "xdg/gtk-4.0/gtk.css".text = ''
+ ${css}
+ window {
+ border-radius: 0 0;
+ }
+ '';
+ "xdg/gtk-3.0/gtk.css".text = ''
+ ${css}
+ window {
+ border-radius: 0 0;
+ }
+ '';
 "xdg/gtk-2.0/gtkrc".text = ''
 gtk-cursor-theme-name = BreezeX-RosePine-Linux
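Review bot: `age.secrets.rbwConfig.file = ...` sets no `owner`, so agenix decrypts the file as root with its default owner-only mode, and the hjem symlink it installs at `rbw/config.json` then points at a file the user running rbw cannot read; the jujutsu module in this same commit handles the equivalent case correctly with `owner = username;`. Change the line to `age.secrets.rbwConfig = { file = self + "/secrets/rbw_config.age"; owner = username; };`. Dropping `pinentry = getExe pkgs.pinentry-qt` also means the encrypted config has to carry the pinentry setting itself, and a store path baked into the .age blob goes stale on the next nixpkgs bump, so unless the encrypted file leaves it to rbw's default lookup, a comment on the `rbwConfig` line saying where pinentry is now configured would save the next debugging session.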
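Review bot: `age.secrets.registrationToken.file = ...` in the middle matrix.mod.nix hunk likewise keeps agenix's default owner and mode (root, owner-only), which works only if the tuwunel service opens `registration_token_file` as root or through a credential mechanism; the deleted sops module applied the same default to `tuwunel_token_file` (its `fileModes` covered only personal_info.json and factorio_token), so this is not a regression, but it is worth confirming against the service's user and, if needed, adding `owner`/`group` to match. This file also builds the path as `"${self}/secrets/..."` while bitwarden.mod.nix uses `(self + "/secrets/...")`; pick one form across the modules so the pattern is greppable.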
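Review bot: The two `.text` values in the gtk.mod.nix hunk are the same six-line CSS string written twice, differing only in the target file; bind the string once and reference it from both entries so the rounding rule cannot drift between GTK 3 and GTK 4. The `let` block that would hold the binding starts above the hunk.
```nix
# in the module's let block, next to `css`:
roundedCss = ''
  ${css}
  window {
    border-radius: 0 0;
  }
'';
# … unchanged: settings.ini entries …
"xdg/gtk-4.0/gtk.css".text = roundedCss;
"xdg/gtk-3.0/gtk.css".text = roundedCss;
```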
diff --git a/modules/system/os/impermanence.mod.nix b/modules/system/os/impermanence.mod.nix
index ea12735..c50c9b4 100644
--- a/modules/system/os/impermanence.mod.nix
+++ b/modules/system/os/impermanence.mod.nix
@@ -40,6 +40,7 @@ in
 "/var/lib/pipewire"
 "/var/lib/systemd/coredump"
 "/etc/secureboot"
+ "/run/secrets"
 ];
 users.cr = {
diff --git a/modules/system/secrets/organization_scope.toml b/modules/system/secrets/organization_scope.toml
deleted file mode 100644
index d5d8268..0000000
--- a/modules/system/secrets/organization_scope.toml
+++ /dev/null
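Review bot: `"/run/secrets"` is the directory sops-nix populated with decrypted secrets, and this commit removes sops-nix; agenix writes its decrypted files under /run/agenix by default, so the new entry persists nothing the replacement uses. More importantly, a directory of decrypted secrets should not be persisted at all: keeping it on a ramfs/tmpfs that disappears at reboot is the point, and the age module recreates the files at every activation from the .age inputs and the host's SSH key. Drop the line rather than renaming it. What does need to survive reboots is the host key itself (the deleted sops module's comments point at /persist/etc/ssh/ssh_host_ed25519_key for temperance), which this list presumably covers elsewhere already.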
@@ -1,23 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:vwfjHpLbHG8g79CpMpsDzYAk0vlfwKuWUTSZnKzGwCZW5rrFFBLamQoZLt5HpvvsGqBrqRditj+GSsHsZAzxz25Vfv7dcyvz1AdaFI56zmU1NzSK+RAyucPZfnjV98vJUqFgVmOFQBkv0o1ThrzXmE8jd1Osz7qKIoy/+rHCzqsBw8wFD3tMe4UjGtkI9DYFSJUh1Ym9PjBE,iv:JeLgCfQXvjWNk8BypNbqJw1+OHawEDQSCdamq0C+lis=,tag:XZUy4g3W4O9L/c1PXlooKA==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSy9XdnBQbld5Ly9ET3ZR\nb0U3aW16LytkOUdxNmNVUU40V3NZTWNnNEJjClA2WE5XS0xjdUN3TENoRWlaR2Vn\nQ0MzTnBzME42TVY0cFRQNk4xcng1dkEKLS0tIFJOSC9OT01TNTZTWERjRXFCZFVq\nbEpFRHpVYXI0YXJYcjVxN3hkWEpZM0kKynHKxZwBUWiCdUx/fqYsWWHmIJLrYGTC\naXQXbjR2fprPsyZb7tTZ4L8DtxdjKgmxsbgi+8QYumy/S/ivH4Gipw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYVU3V2xkNm9qRGd5enBB\nK3YyRjN1YjhDbjRsbEdteVRFa3Q2QkNPZDNNCkI4Qk1kcU9XUlo2eXpDdnl0WFdN\nSnZweHFIZmQ0UjBoRmxzekxoRDhNRVEKLS0tIGE2d1o2czVMbXFzODl4NjZib2Nv\nNnVZMVJScGc0cTRlYzVocHpPdmlsekUKlsFnd1aNCDBBlCto+vBdchtaRBJ/7LJT\nrW4h5YE9RbbMF1TEJOJf+Pkeikgkv3EPOHdH3eJPJ5yckNA4tc67ag==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneUFoZ1FtYmJuRnppRHMx\nQWZQK2xGWmNFMXQvNldNSFVLMUVka1p2MmpNCkFWSHozVGQxeVRiZFVwRnU3RkEv\ncDYxRE1ESVNrcW45c0IxQWwwSlJ2aEUKLS0tIG0veVU3YXJuZURCS2JkOXptV09J\nQzlpNVBqSC9sQVh5dDJpb3c2M3dlOTQKu3PufhYt42QwB1ncc2QjBSdTbJ5EYu2z\nRFrAz2nq0rRDIjL4EFHdlSFWgI2amQwpbgZxy/+YeEpWO/Zd7uGX3w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-03T16:39:42Z", - "mac": 
"ENC[AES256_GCM,data:DkWLyVJQIhQDOqUD2W61E+dxQVgxwqqJAVuKh6LPMOihj1MbjFDgU1YEf+CJG3sN5iQt9LtshqFZMOpy8NYMBT+8korofuaa3DeAulg3UAb29lkiXNAkrysMFUmtWUEjvKzWNuo7fGzJj0IUzIGi+HRdZXrK8y25XnVv+6bxcmE=,iv:fJjHxGmBvSPMTqwRuP2JJUEdzVPfEvnNbSZgYHTy47E=,tag:HxA6t69e/l7xYBbEiDJ0Xw==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/modules/system/secrets/personal_info.json b/modules/system/secrets/personal_info.json deleted file mode 100644 index a833b81..0000000 --- a/modules/system/secrets/personal_info.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "real_name": "ENC[AES256_GCM,data:R7Kac0dwMbxmCw4hpw==,iv:CijNtk8WiPlEwIg0OLu4ILLE2wh0W9HXm9OK9/Da+ng=,tag:NK2N6faooEknURwLuVP7OQ==,type:str]", - "real_email": "ENC[AES256_GCM,data:wwXcdxZQDxt2gnWP1qf9cw==,iv:fkx0m72FF7pB15fHRxObsTaLdnkOsexCgzOyfpoGFmE=,tag:mj2/4cofrJSIOqdAWiWstg==,type:str]", - "university_email": "ENC[AES256_GCM,data:WPy2AckQPWn+1OHJuTM=,iv:o2AT+RMUfCFVWaoD5D/GV5aq9kOgD/rCaHzwqYFIjig=,tag:KprTGSH2NvsrOCvhxLL/9w==,type:str]", - "organization_short_name": "ENC[AES256_GCM,data:dTVFz51V,iv:5sUc4qUIu+QNzmWihAXgyfRwZAdjEq9/prJCxpB2jbg=,tag:r91kaPi6p4heizRy5duFrw==,type:str]", - "organization_email": "ENC[AES256_GCM,data:GNBt9fXxBkh3z8L+DeD/mhBz14mJjkeX1wk9rHkUTg==,iv:7/VLeL3s9/CL2VtDiWFJNx+VJuGsGamWbcIG/MxNlC8=,tag:/KOXA6gII3Wrmgd9wjhD+g==,type:str]", - "bitwarden_url": "ENC[AES256_GCM,data:vhEVMZwDyQhQtXYR1diLQIDf6urqu03VC+M=,iv:icG6ieX9WjAj5Y4DpmSJaBvcqjksll3tWtWE5psaK08=,tag:+tIURDxZxv6qXR8B/eVyfg==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WUlpSkI5dElCVmpzNEw5\nc2pTaFBxWWNoOVJsb0NBWkw4VFQ4aDN4WFU0CjBSKy9oc2pJVzl0M0Z3bUpvNzB4\neU1RT2JWMndHUUFITE03aDBDU1BoUVEKLS0tIC9DNE9ZUnJMb0V0dlpkSUFYNk1K\nTnhRMTl0eENpRmhhYlhKTVg4MGlSS3MKMWY+ezH2HjRd5p/KqUBCFU8sn+FmYd/f\nrHQZhPo481+U6zMyiiu35lcujNRcEtJfcIAL2tobiTDNLQs94re5fg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqYVZ4THhxVlkzRi9ETTht\nOWtINWUxU0R1SGZhK3FqbHdSWmlhaGc1WGpZCklqL2Jpb2F0bzJqYXZHZVZHS25L\nZVc0dnRBOG9lVTZYQkpkQTVKY04zTjQKLS0tIGdVK1Y2VFFMbTVmVWo2eFpKbFY1\nYU5LaW90eWxDNUlhMmRnTTEvRTA1ZkEKFnX/HzVMIK9XT+cO80cCzVJxIj3dicjG\nbvxz/o7/dVmmx0bUusWIiR/SA5JXPkbi0C8F+llkPoYV3idWUOvnKA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": 
"age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbFBXZFdFQjREeVpaelhQ\nWGVBOWNnNERYT0JGSDNsWDYzcFA1Q1R0ZlVRCjJ4V3R5UU1zT0FJTU5taEgrRmht\nY3J5OG1qREV1a3FTSy9hMmZubXVDMFEKLS0tIFplOHpkTmZkWDBYSUxQVkxjZ215\naS83dUdUMFVhVkZaWW55akxiM2dPaU0KTVp2Bwt9/UD42HJ9UJRYwWQrmbxxXdKF\ngjKHvWNiASiPczj/DDuGDR0tjbYvtS2DTqDLECr3EQYqRIiPW8Lq9g==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SStPblpVVFRpbk9FWGxl\nY25yUXpkUFlxV1lkSjlpZUZlY212L0prN21vCmtlVDJQcWV4TjlYNnFUSmI2Tkxp\nMHYrTi9aMmNlY25penJKR1NQN1VJWW8KLS0tIDNvVUcyUXdCR2xPTkZjWTRqenhm\nMk5oU0tOUHVmbmhUSklHQ2s5dVlLbVkKoRvSoy2BsJaOdCuOW1lD1vGpu8czakmA\nWztrXYqwo57E6z2dPjb0Fo/RJlo4OWQ2/bYOYYpq8aS1HvuRV5096w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-01T21:25:00Z", - "mac": "ENC[AES256_GCM,data:CUMEpOwIw+/RIOyr6aE2YVZiJLGY8FhMv0IOUIFV1kHveOEtAkNWbRzOV1o1cq9pA9ot0dKn4KZRLuUZ+uJzCrxwBHILBZMFksS0czSPgLfg0uz9mJ2u1pPjvoUcQRuIOUN1Id32zQ/W36nPEpR3J/Jomx5nCVNiFmZSteZCx+E=,iv:wGzjsGMJ72ejDCiHN6Xo1ZP5ho1F++WZrwE2YwCN8ns=,tag:Ev1xjuwta6KL8lnPbhliyw==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/modules/system/secrets/secrets.json b/modules/system/secrets/secrets.json deleted file mode 100644 index 694a9a5..0000000 --- a/modules/system/secrets/secrets.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "factorio_token": "ENC[AES256_GCM,data:l6o2LzFRcY43lieDBaFOk5ACqmp408AZNinfF2c7,iv:AiXRw30CZ9dJYP2jBvK89LiwG+d8sbQmyWVMDDUpxYU=,tag:/oHfsW6NFmr2bnH0WXMQWw==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWU56Y2ZRaW9BU1Z6ZmFl\nckxqTllsOGl5Rmp0bTNIR0lCWlpDZjlnQnkwCkJzbVJqbUlaUkNINWpuMlNweUJa\nT0FhNFNMMi9OcnBVT0dOM0g2bS9aQTAKLS0tIDN2NXQ4VlFRNjUxRDZkeVNYY3Zo\nSDF2M2dCZGQ3am9MTTErWVlrQVBUM1UKME4+7N01byHhzcH4p1js4RazQtI38bm7\nlSUztxOz/d4g4zt9DcyFQ0z1XobiGPjij7TM5BHkK37c1u2uKdnVwg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbUkvMmtWcFhsT3hqOTZi\nMGVER0xCRFNrTUJMYm1ud0JwcGVsSXdEd25JCmV6NVJOQ25CbHJybnREZFZlbXd1\nMDBqTXJ6WmVUSlBCMFRQdUVPYml6dWMKLS0tIE9Nd2NFbSttTkZXYUVERzhsL2pn\nai90U0xLYkpNTTBNdW5SOVcxaDlFblEKZ4/9KzcB/z54IUTve3sD7vCV9fzxrNfb\nimtHIsDMS1QAOo/o5B7gqR0OAobQTi34LJmLNKC/b21syo6CUXnbsg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVem9QL3VMSTZDN3VrQ3NN\nZG4wam50Zk1pZGZYOStlZWxwU1B2eEhWMWlrCkcvMU1rUnhJRFdodVkwcTB1MFVI\nZWM3NDJoYTMwamZYdTRXMW5VTE9Xak0KLS0tIHBmVWI2eHdvOFJnSXhYVzFlbUR5\nenFoVTc5SDJJb3hFemlqbGxEVnpLMTQKXOi7TnhFbY2c5yD6UM0be5YhSgmplmgr\nQxXYsqjyPQBRsg7L+R5ZWc1VbtYZpGfsq7z3uaCnLKpJceKyEuVjOg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TjVhaXA4b3RyUWRmVnox\nYVVTbDdzY2wxNDdIb1JBNFFLUVJBQ2RQU2xFCjJvRC9BenJTTFpIL2dSaGxTRXVt\neDhJbHR1WXRlYlVOQmt5Zlk2Z0V1TFUKLS0tIG1DWXFFWDE3ZVgzcEwraVFMNlZB\nQ2VxMnBDazUzUDRtYW5CdnZqUGQzeTQKo8iUBT5Me74N2jtXlZ+/ENwn/sOeOAOi\nyAX0p2M8YOPeQGRFpUGFcL4ww5PP+1VP01i6biJHwG1F90KXH0MLVg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-04T19:38:09Z", - "mac": "ENC[AES256_GCM,data:2QT0gRTp1eiu+ugKJXeLWcw1O+9RElL5R8zl0vUu8gBpR381xW7anQIwpZ1A/3rKnaosD4g/yvsoXioMv6ueeZ66A4HX8gXhQbGt2o4In2rY2/LpXMIG4xS3u380kvaCfU83Aib+rkOKfOyeNaOtN8nNiyIWwZeHzj7AObng+6o=,iv:wZVGSFiFU5ddjw5HMZwYc2khKyTYHVYQD6WOWGcoFxM=,tag:ZDkJsTKQzzb8PyaVOr+TrA==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/modules/system/secrets/server_secrets.json b/modules/system/secrets/server_secrets.json deleted file mode 100644 index ca0cf3f..0000000 --- a/modules/system/secrets/server_secrets.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "tuwunel_token_file": "ENC[AES256_GCM,data:U4zCJdLb2k9Lz4blu0PJnEThODSMr4q8CfxJfV3MnRHzTMBTnUrsoIGe9OLdXKUClbwh,iv:RLJNK2onDbjndnV1dxZP4kDi/4uG+vpJXJEwFfXgX0k=,tag:LnYm++1RRyA6pOgwt3uKnQ==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ck51OThhMTdZTU82ZGp1\najZUMGIxcUV1ZG5NNmlPdnhpYU1MVzNkTUFnCmpvcXZhejN6cUFjUFQ4algySWtS\nVjlmbVlqTzdneFU3a1cyb1JaNjNIOFEKLS0tIEh0U1Z4OE1sRjhjSkU0Ymo2NWpm\nbDFkTnlsZG1wWVJxZVE5SlNJK3N0d1EKRofs4HxDqnlNMQ9tSsioL2WBpGkHFGyd\n0PmS3EMzaoC1i+c7iCA4Loa9MboXAaptusU9RwGNNH2brEr/VveyHA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKa2ZOa1JOM1dwV3RyZGFV\nTWcxdDhVOFN4WXJFWHVGU3lWOUJPTTR6RWlnCjA2ekpjd3Z5QnZRRUJ6NDB6WERw\nV2ZzdnE1OWRrZEJKMWJMK3Yvek9HM3MKLS0tIDdJTVd6NTdsU1EzbmN4ckFNcDhh\ndFoxSXlodkd0eU16TGE1eFMrbUpQaDgKHomclyqK1IfRGC0A22VfSPtL8sgAsgCb\nGyaeimbU+PbJ+ccgOlqHrEFDmvNPoUX4BQpJnNtmRE/0b9vWdmImqA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvaCswRUltdmJGVlJ1bW1Q\nb29OVDAvbTNpTTlmNE9CS0VVRG1tZFdlL1NJCmRMaEpyTnRjWElURk9KdExWL1lj\nRWx1L2szYUNTTkpPL2xUSlVTYjdFYmMKLS0tIHk4eE1WQ0xkanRwN0VHVXZSakd0\nTGt2R01iSWFTQkd3WGZqVlR1TXNTZVUKC37r0ncK4QVlRpdsbY/B4p7dv4pLpU62\nwybk8LbRtnnWClMgnfOqwxf3hmpLPfZbq6frEaxAiJNJ2Im3FDv2EQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2F4NzIvTVNTSnFpaDdr\nSXhOL0VuUStTakhlalk5dDNrTjE4OUU5ckFrCmJ5ZzEySHMvT3lEd090bmZKOTBi\nQ0VuS2M2L29pK0tTbzF5NWZQWEVma2MKLS0tIEhFV1ZUNU5YWTliR09mS1FaUmNB\nRlFwbTZGUWh1VXhPU3hOT0N4U2s2RVEK6hlPy0ir3hf9JZ9ZPID3r6W3eewrzLNz\nDFhoK2cH6/2FtcBPLRxQkVRAimeFJrdalv1TJ6BZHUT6bkt7PTlkZQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-05T14:59:59Z", - "mac": "ENC[AES256_GCM,data:rJpbVc3WQSW9KzxX6fPZoKXf0Gg/nyS5UPRL505tBkzXWvL29K/Q+of5+139Y2vcvLPbWCF8FoOd+BQ0dAh7R3QCUuObjkt6eBqNZN1gxqG1me0NttZxmu3K4doI1uHrN8wSL4frgpMSFS2pAtxivd8Uqs/a32HieQcf1eshqEw=,iv:5vzhK2CucHXrTeux52+8tjaLbL2fvsB1StLHRLDpYuk=,tag:XFSVY6GbCwxxqljYAM8l8Q==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/modules/system/secrets/sops.mod.nix b/modules/system/secrets/sops.mod.nix deleted file mode 100644 index 41be71c..0000000 --- a/modules/system/secrets/sops.mod.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - config, - inputs, - lib, - pkgs, - ... -}: -let - inherit (lib.attrsets) attrValues attrNames; - inherit (lib.strings) concatStringsSep hasSuffix; - inherit (lib.lists) flatten remove; - inherit (builtins) - fromJSON - listToAttrs - map - readFile - filter - readDir - ; - - fromYAML = (pkgs.formats.yaml { }).generate; - - # get the age key for a machine using - # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'. - # sops_master_key - master_key = "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc"; - # tempeance /persist/etc/ssh/ssh_host_ed25519_key - temperance_host_key = "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85"; - # hermit /etc/ssh/ssh_host_ed25519_key - hermit_host_key = "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff"; - - # tower /etc/ssh/ssh_host_ed25519_key - tower_host_key = "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w"; - - sops = pkgs.symlinkJoin { - name = "sops-wrapped"; - paths = [ pkgs.sops ]; - nativeBuildInputs = [ pkgs.makeWrapper ]; - postBuild = '' - wrapProgram $out/bin/sops --add-flags " --config ${sopsConfig}" - ''; - # --age ${keys} - }; - - mkRecipients = list: [ { age = list; } ]; - - sopsConfig = fromYAML ".sops.yaml" { - keys = [ - master_key - hermit_host_key - ]; - creation_rules = [ - { - path_regex = "secrets.json"; - key_groups = mkRecipients [ - master_key - hermit_host_key - temperance_host_key - tower_host_key - ]; - } - { - path_regex = "personal_info.json"; - key_groups = mkRecipients [ - master_key - hermit_host_key - tower_host_key - temperance_host_key - ]; - } - { - path_regex = "server_secrets.json"; - key_groups = mkRecipients [ - master_key - tower_host_key - hermit_host_key - temperance_host_key - ]; - } - { - path_regex = "uni_scope.toml"; - key_groups = mkRecipients [ - master_key - hermit_host_key - temperance_host_key - ]; - } - { - path_regex = "organization_scope.toml"; - key_groups = 
mkRecipients [ - master_key - hermit_host_key - temperance_host_key - ]; - } - ]; - }; - - secretFiles = filter (file: hasSuffix "json" file) <| attrNames <| readDir ./.; - - secretNames = file: remove "sops" <| attrNames <| fromJSON <| readFile <| ./. + "/${file}"; - fileModes = { - "personal_info.json" = "0444"; - "factorio_token" = "0444"; - }; - - generateSecrets = - file: - map (n: { - name = n; - value = { - sopsFile = ./. + "/${file}"; - mode = fileModes.${file} or "0400"; - }; - }) - <| secretNames file; - -in -{ - imports = [ - inputs.sops-nix.nixosModules.sops - ]; - - config = { - sops = { - defaultSopsFile = ./secrets.json; - defaultSopsFormat = "json"; - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets = (listToAttrs <| filter (x: x != [ ]) <| flatten <| map generateSecrets secretFiles) // { - uni_scope = { - sopsFile = ./uni_scope.toml; - format = "binary"; - mode = "0444"; - }; - organization_scope = { - sopsFile = ./organization_scope.toml; - format = "binary"; - mode = "0444"; - }; - }; - }; - environment.systemPackages = attrValues { - inherit sops; - }; - }; -} diff --git a/modules/system/secrets/uni_scope.toml b/modules/system/secrets/uni_scope.toml deleted file mode 100644 index 330c167..0000000 --- a/modules/system/secrets/uni_scope.toml +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:l4IvlpDrDVnlArtnixJqwI0Ai3xG5jF5clhLGWOrqywd0lnKFjNDuEMcHlKN6cGmeFwX6i/6qkXcKT//pKNQDUvALzDY8PNp9AKV9/NmnQ7ZWzpyScXNqMnNwgs9+TA5SpKAZseVpEk3Nle29Jbene9BTYL614tlkL/uXO5KLLQAPZ4GGQ==,iv:qmrKAfdaDh3dVY95oKo666Knw7F29hi3O7zDIZFyYbc=,tag:Db54A+7rW7Amctx9lL9yBA==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlLzZCMVNkcmRMQTIvdk5N\nUVZ6TUVBT2s3RTYxMVlJZHU4RzFjVUdIckVZCks2MDRJSDdYVkpHN3llUXNnZDc5\nV29zMm12TmN6K0t3VmY2MmFBVVdZd1EKLS0tIFNXREFUOUoyZTNuWFdNdXBYY3FT\naTBickFBOUhBUTFvZXhMVHNGRmR0T3MKdSUtmD9xB5qypB+hj62/U57VyOzj5yt7\nhOoNvkOyVJuRWwtwEo8SBMKvFs+mzULqHJh7slFamM6VjEokhDE+zw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaXRGOXp5ZEVFcGN5V1JL\nM1NIcEhMUEFOZUJxRi9iYXJSRXhEZHVWZUdBCmxtN00yRXV2U0RlOUhiVU5PS2xz\nUWRYdHltTnlaQmR3SnJpY2VTbThKOGMKLS0tIEZiQlJLRDhvL2pMaEx5ZEpoS2xi\nQmdxcG9lTHVVYUlnY3JyOW1ybnEwc2sKqi80VUMu5lgXPbkQDGp4C7JuWSwESSqy\nVbm4TdvAXEn69t03O4+Vff+Bx5HsAzcWerA1+ZvlLBdkAYcGC2YKIw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMjJBb3RROUFkWURZejlv\nYXVXK0pkK2ZPTHpSZEJoaTlFY2hYMm1xREQ4Clh1VFFWVkRqTnJoT01EZkg3VytX\nakZ4UUJ4MSt4WVg3R2ZRRXJraUtxWFEKLS0tIHRWNjJYU1QydFZUZ0UzWmoyeU9t\nZ0gyMzRkOEt6TVZQMTZmdGpaUU9rTVkKct5ZlfiPrEJWC3hZsESbEr5ewUWgFL7r\n5WESkGmeA1coph5XzbO+asEfPcs2kRCZcOzRSsU55SNTwloDyCtuWg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-03T16:39:27Z", - "mac": 
"ENC[AES256_GCM,data:awRHWYorrKxyF1qUIXO6JZ6mVI3iCOSK9eVbltvaO2xCqdlyDEzRR5gvj2IZuK+I9rubPmlgB3/VfIeK/Kn1VbHGuKfRoHId9mwL27VgnOeD6UPQFMkqs0n/vYBydZUcy/U6QUnQnrqTt6V28yzgaqRaj2pR/ipPm7NMDjj1JkI=,iv:6+dmOJOMfkQu44b4T7oYQxh/NnpBTEtgXGnBh+3CpxI=,tag:jdzLQ+74sH6s/Lc2iT5V9g==,type:str]",
- "unencrypted_suffix": "_unencrypted",
- "version": "3.10.2"
- }
-}
diff --git a/secrets/organization_scope.age b/secrets/organization_scope.age
new file mode 100644
index 0000000..1573da0
Binary files /dev/null and b/secrets/organization_scope.age differ
diff --git a/secrets/rbw_config.age b/secrets/rbw_config.age
new file mode 100644
index 0000000..e33d854
Binary files /dev/null and b/secrets/rbw_config.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..252b087
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,29 @@
+let
+ faukah = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGeejxEV2IZyiXKnh4EqfplfBHAAHrfYo7nXqr2MMlZ" ];
+
+ hermit = "";
+ temperance = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkxWaadx+19Zm4T5ScuNnrBcDvNNke6dUUAdTTJs0wF";
+ tower = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBWgQaeT0AVdfDWbOBfjHNW1XVmRbnrJ4SdrDV52LJcZ";
+ systems = [
+ hermit
+ temperance
+ tower
+ ];
+
+in
+{
+
+ "organization_scope.age".publicKeys = faukah ++ [
+ hermit
+ temperance
+ ];
+ "uni_scope.age".publicKeys = faukah ++ [
+ hermit
+ temperance
+ ];
+ "rbw_config.age".publicKeys = faukah ++ [
+ hermit
+ temperance
+ ];
+ "tuwunel_token_file.age".publicKeys = faukah ++ [ tower ];
+}
diff --git a/secrets/tuwunel_token_file.age b/secrets/tuwunel_token_file.age
new file mode 100644
index 0000000..4befffa
--- /dev/null
+++ b/secrets/tuwunel_token_file.age
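Review bot: `hermit = "";` puts an empty string into the recipient lists of organization_scope.age, uni_scope.age and rbw_config.age, and the `systems` list defined just above it is never used. An empty recipient either makes rekeying or editing those three files fail, or, if they were encrypted before this placeholder was noticed, means hermit cannot decrypt them at activation even though the jujutsu and rbw modules in this commit expect them there; fill in hermit's host public key or remove it from those lists until it exists. A short comment on each key line naming its origin (the deleted sops module carried notes of the form `# tower /etc/ssh/ssh_host_ed25519_key`) would also make the host-to-key mapping reviewable. Finally, the deleted secrets.json held a `factorio_token` entry and personal_info.json several more that have no .age counterpart here; anything still referencing them under `config.sops.secrets` now fails to evaluate.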
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 esTGig oxyT3fMRR7TqPGq4sl0OqeaqTlzAxCCeHMsipCUfXkY +IVPz6CQ8QGZcrW/GWdi5AwTL2OCDBgZ6YTOd0RndLxU +-> ssh-ed25519 1m6k0Q XV1LqwhxumepyWsPFaql0KMD69T4HjGSips8VDZaL2o +0M/f1mfyOVt/qzutsKPAyfRDQ+zcGmeRkaMZqo/Yfzw +--- hlUxkTa5TKDRqiJYwHEUIKT5daWAx+cIsGVh952jtDA +U>v6G# ssh-ed25519 esTGig hQGR8v46uXOg6dL7STwden7O6OosaehUZ6J2jFOXRDk +MDRxJNWL9SHT5lW2CTJS4m96Xl9Z6HXQ0xtPcBcqdPY +-> ssh-ed25519 wOh7DA W9VB99g0YQT6HeSiSf79qbL8rxp9hkEPJJJvXfxesxo +vkK+7+/H6GxabsDT3jUMzl6lgUXVfzwXFPGAmoRJ5PI +--- JA3McSNaH9i3nkz/C6TQEW4Stl1UKk2PKufQAp6dWaI +?[k`U c*F2sSw0_.Wg+ {JIMx%a {#och0IqQ ,A#wռ"_L`_ު72{k93XLb?%xN|rcKe F \ No newline at end of file