attempt to get agenix to work
only missing the access step!
This commit is contained in:
parent
2941b52caf
commit
1cb35a78d2
|
|
@ -4,6 +4,8 @@ let
|
|||
keys = import ./authorizedKeys.nix;
|
||||
fetchSSH = (host: lib._.getSSH host keys);
|
||||
fetchSSHKeys = map fetchSSH;
|
||||
|
||||
agenixPkg = inputs.agenix.packages.${pkgs.system}.default;
|
||||
in {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
|
@ -56,7 +58,7 @@ in {
|
|||
# oatmealine ?? is that a reference to jill oatmealine monoids from the beloved videogame franchise "oateamelin jill monoids???" .oat. zone??? from va11hall-a??? video game???? woman????? minecraft???????
|
||||
oatmealine = {
|
||||
conf = {
|
||||
packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep ];
|
||||
packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep agenixPkg ];
|
||||
shell = pkgs.unstable.fish;
|
||||
extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
|
||||
initialHashedPassword = "!";
|
||||
|
|
@ -68,6 +70,7 @@ in {
|
|||
|
||||
homeConf.home = {
|
||||
sessionVariables = {
|
||||
#EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";
|
||||
EDITOR = "micro";
|
||||
NIX_REMOTE = "daemon";
|
||||
};
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -1,6 +1,9 @@
|
|||
let
|
||||
keys = import ../authorizedKeys.nix;
|
||||
|
||||
"subsurface.aether" = keys."aether@subsurface".ssh;
|
||||
in
|
||||
{}
|
||||
userKeys = builtins.catAttrs "ssh" (import ../authorizedKeys.nix);
|
||||
systemKeys = [
|
||||
# /etc/ssh/ssh_host_ed25519_key.pub
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHp0gLv1FiavpvnXinySlZsWrNkAzo4c8GWvN2WRhQqn root@lucent-firepit"
|
||||
];
|
||||
in {
|
||||
"huge-furry-cock.age".publicKeys = userKeys ++ systemKeys;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,17 +8,24 @@ let
|
|||
secretsDir = "${toString ../hosts}/${config.networking.hostName}/secrets";
|
||||
secretsFile = "${secretsDir}/secrets.nix";
|
||||
in {
|
||||
imports = [ agenix.nixosModules.age ];
|
||||
#environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
|
||||
imports = [ agenix.nixosModules.default ];
|
||||
|
||||
age = {
|
||||
secrets = mkMerge (map (x: {"x".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
|
||||
identityPaths = options.age.identityPaths.default ++ (foldr (l: r: l ++ r) [] (map (user:
|
||||
age = let
|
||||
# ugly, lazy, but works
|
||||
users = map (user: "/home/${user}/.ssh") (attrNames (readDir "/home/"));
|
||||
|
||||
usersWithKeys = filter (path: pathExists path) users;
|
||||
|
||||
userIdentityPaths = concatLists (map (keysPath:
|
||||
let
|
||||
d = "/home/${user}/.ssh";
|
||||
fs = map (f: d + "/" + f)
|
||||
(filter (f: (f != "known_hosts") && (f != "*.old"))
|
||||
(attrNames (readDir d)));
|
||||
in fs) (attrNames config.defaultUsers)));
|
||||
# find all files that are id_* and not *.pub
|
||||
# todo: maybe make a startsWith / endsWith?
|
||||
files = map (f: keysPath + "/" + f)
|
||||
(filter (f: (substring 0 3 f == "id_") && (substring (stringLength f - 4) 4 f != ".pub"))
|
||||
(attrNames (readDir keysPath)));
|
||||
in files) usersWithKeys);
|
||||
in {
|
||||
secrets = mkMerge (map (x: {"${x}".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
|
||||
identityPaths = options.age.identityPaths.default ++ userIdentityPaths;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue