From 1cb35a78d2fc299b9d05611110605f2cb1b3a2c4 Mon Sep 17 00:00:00 2001
From: "Jill \"oatmealine\" Monoids" 
Date: Thu, 18 May 2023 06:11:39 +0200
Subject: [PATCH] attempt to get agenix to work

only missing the access step!
---
 hosts/lucent-firepit/default.nix | 5 +++-
 .../secrets/huge-furry-cock.age | Bin 0 -> 2221 bytes
 hosts/lucent-firepit/secrets/secrets.nix | 13 +++++----
 modules/agenix.nix | 27 +++++++++++-------
 4 files changed, 29 insertions(+), 16 deletions(-)
 create mode 100644 hosts/lucent-firepit/secrets/huge-furry-cock.age

diff --git a/hosts/lucent-firepit/default.nix b/hosts/lucent-firepit/default.nix
index 07191fc..237df24 100644
--- a/hosts/lucent-firepit/default.nix
+++ b/hosts/lucent-firepit/default.nix
@@ -4,6 +4,8 @@ let
 keys = import ./authorizedKeys.nix;
 fetchSSH = (host: lib._.getSSH host keys);
 fetchSSHKeys = map fetchSSH;
+
+ agenixPkg = inputs.agenix.packages.${pkgs.system}.default;
 in {
 imports = [
 ./hardware-configuration.nix
@@ -56,7 +58,7 @@ in {
 # oatmealine ?? is that a reference to jill oatmealine monoids from the beloved videogame franchise "oateamelin jill monoids???" .oat. zone??? from va11hall-a??? video game???? woman????? minecraft???????
 oatmealine = {
 conf = {
- packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep ];
+ packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep agenixPkg ];
 shell = pkgs.unstable.fish;
 extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
 initialHashedPassword = "!";
@@ -68,6 +70,7 @@ in {
 homeConf.home = {
 sessionVariables = {
+ #EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";
 EDITOR = "micro";
 NIX_REMOTE = "daemon";
 };
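Review bot: The commented-out `#EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";` added under sessionVariables should be deleted rather than left as a template: reading a secret with readFile at evaluation time and echoing it through lib.trace prints the plaintext into the evaluation log, and any sessionVariables value derived from it would presumably end up in the world-readable Nix store. The safe pattern is to reference `config.age.secrets.huge-furry-cock.path` and have the consuming program read the file at runtime, never the contents at eval. As written `age.secrets` is also not in scope unless `age` is destructured from config at the top of this file (not visible here), so the line cannot be revived as-is anyway. The enclosing `homeConf.home` attribute set continues outside the hunk.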
diff --git a/hosts/lucent-firepit/secrets/huge-furry-cock.age b/hosts/lucent-firepit/secrets/huge-furry-cock.age new file mode 100644 index 0000000000000000000000000000000000000000..487f489eb2052beb4be0007a02af413a559b1cfd GIT binary patch literal 2221 zcmZXVJInM48HQ~Q$Rak{$cu%|@NLeM2`)kolT6O%qk`m|OwP$F_js`z|Xyxg|B&+y6gO0#I0YMBpmKA%Y9^ zvNSB%q^M{4Om4*$U5s-G!U55hgd<8Mu8zd@UE1BHg`Ikd`9&a!Rp!k(7N4vgkdK6f zt)AxGGufZk`y=e7-kRqM12BDevxvQzplq3D2Zji_uBlYDGgmKXt`C(vhdv9T?vrZPRubT^W6E~gMbX@PsvIgyInu+y%pS$hK=Z<&CTU@HK!eCyRGF@ZfCJb9;< zXTsYLcQjoP9M&9~^FmVwClK}EEp3{kmnA7+y#U%=>Y$}nEuq6WHG7Cs>QC^!-|j_- zcvh5SbI%}`UK3Dxg}CXw?RDj}=&7n#<~o3Y??+&C z6tNKgPPl~&UrlL|92iYa(#B-B^P8kN1Kg;~N~wC`cKFuiYL}Alx?VdvzOSd2b6`cj z#XYoLwd~ALj2a4C!tdOKoOo)@oEX3yFZIvk`BaM6c+U9SeN(EtrUoc$+a8C9nH#p6 z>r7j2iAD<@Q(@Z9iZs?~0oS<&T57#wL|g>nWIbL9A|yAfuM60 z%`i?3hL#>m9uR2XrtO;7CXmqZdT(Z8OVAGA)2Sk%Oc`_4sKMn)pifr6!^zX~_2Z#~ zv{{XbRz)n9XSsWbCyfDy=7^Eu2y>HbJKs+rm1*HV>ZF2WlxZ7$%7cTQQ0|r@<1FW$ zFl4i%WwN5N9WWsVN|ghJ!Lkv7lwU=tnc$e<4W0#hU40Te+hViGuDG z#tyR{DZIGn^!Z(ym#(MRjTr7!-(gij7WHbGg^K1XFtesJMv$YXm;zjNm<;`-@gkX&iapzwtiy2kRpgHs<}ui(ggQRU_N}*sf8}ZFrFSt z!!zmB%La($)tRGhcnz;(teu7^(~1z&$QElMK#T5-sTpQqL1-xF*CH5p+9^}RJ;KXc z?8{i;C+Zmx-2ZPY-V{?7&Do3pJqoBfmp;foSdkWel4j?id63w;I1~Ze&4WS0E{Uo4 zKt&(qglLWHIFO=d&fRN;$-ox?yG_AkZA5>VZZ&a3jWl+bh~!D=b^eafmE}t^b`bF9 z&6^iS?c@rPiaB}?AQ}@0Q-O_Y5m-RGF&Df2a~iK5WR)BR93Ox3#V?mXPXc)R)_;Ec z`%nMA%QM;BNo` literal 0 HcmV?d00001 diff --git a/hosts/lucent-firepit/secrets/secrets.nix b/hosts/lucent-firepit/secrets/secrets.nix index 2ab9ede..e31701f 100644 --- a/hosts/lucent-firepit/secrets/secrets.nix +++ b/hosts/lucent-firepit/secrets/secrets.nix 
@@ -1,6 +1,9 @@
 let
- keys = import ../authorizedKeys.nix;
-
- "subsurface.aether" = keys."aether@subsurface".ssh;
-in
- {}
+ userKeys = builtins.catAttrs "ssh" (import ../authorizedKeys.nix);
+ systemKeys = [
+ # /etc/ssh/ssh_host_ed25519_key.pub
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHp0gLv1FiavpvnXinySlZsWrNkAzo4c8GWvN2WRhQqn root@lucent-firepit"
+ ];
+in {
+ "huge-furry-cock.age".publicKeys = userKeys ++ systemKeys;
+}
diff --git a/modules/agenix.nix b/modules/agenix.nix
index b81195c..3cc8664 100644
--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@@ -8,17 +8,24 @@ let
 secretsDir = "${toString ../hosts}/${config.networking.hostName}/secrets";
 secretsFile = "${secretsDir}/secrets.nix";
 in {
- imports = [ agenix.nixosModules.age ];
- #environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+ imports = [ agenix.nixosModules.default ];
- age = {
- secrets = mkMerge (map (x: {"x".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
- identityPaths = options.age.identityPaths.default ++ (foldr (l: r: l ++ r) [] (map (user:
+ age = let
+ # ugly, lazy, but works
+ users = map (user: "/home/${user}/.ssh") (attrNames (readDir "/home/"));
+
+ usersWithKeys = filter (path: pathExists path) users;
+
+ userIdentityPaths = concatLists (map (keysPath:
 let
- d = "/home/${user}/.ssh";
- fs = map (f: d + "/" + f)
- (filter (f: (f != "known_hosts") && (f != "*.old"))
- (attrNames (readDir d)));
- in fs) (attrNames config.defaultUsers)));
+ # find all files that are id_* and not *.pub
+ # todo: maybe make a startsWith / endsWith?
+ files = map (f: keysPath + "/" + f)
+ (filter (f: (substring 0 3 f == "id_") && (substring (stringLength f - 4) 4 f != ".pub"))
+ (attrNames (readDir keysPath)));
+ in files) usersWithKeys);
+ in {
+ secrets = mkMerge (map (x: {"${x}".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
+ identityPaths = options.age.identityPaths.default ++ userIdentityPaths;
 };
 }
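Review bot: `builtins.catAttrs "ssh" (import ../authorizedKeys.nix)` on the new userKeys line requires a list of attribute sets, but the removed line indexed the same import as `keys."aether@subsurface".ssh`, i.e. an attribute set keyed by name; if that shape is unchanged the expression fails with a type error before any recipient is computed and should read `userKeys = builtins.catAttrs "ssh" (builtins.attrValues (import ../authorizedKeys.nix));`. Separately, this makes every key in authorizedKeys.nix a recipient of huge-furry-cock.age, so every SSH identity that can log in anywhere in this configuration can also decrypt the secret offline; agenix recipients are per file, so prefer listing only the admin key(s) that need to edit it plus the host key that decrypts it. A comment on the pinned host key noting that it must be re-pasted and the file rekeyed (`agenix -r`) whenever ssh_host_ed25519_key is regenerated, e.g. on reinstall, would save the next person a confusing decryption failure.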
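Review bot: The new userIdentityPaths scans `/home/*/.ssh/id_*` with `readDir`/`pathExists` at evaluation time, which is impure (it fails under pure flake evaluation and, when building for another machine, inspects the evaluating host rather than the target) and hands every user's private key to the root-run agenix activation script as a decryption identity. Any local user who drops a file named id_* into their ~/.ssh thereby gets it read by root and passed to age; if age treats an unparsable or unsupported-type identity file as fatal, that is a trivial way for an unprivileged user to break secret decryption for the whole host, so this needs checking against agenix's decrypt script. Since secrets.nix already lists the host's ssh_host_ed25519_key as a recipient and that key is, as far as I recall, exactly what `options.age.identityPaths.default` supplies when openssh is enabled, the scan appears unnecessary: `identityPaths = options.age.identityPaths.default;` and dropping the users/usersWithKeys/userIdentityPaths bindings is the simpler and safer form. If a per-user identity is wanted for `agenix -e`, that belongs with the user's agenix invocation (`-i`), not in the system-wide identityPaths.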