attempt to get agenix to work
only missing the access step!
parent
2941b52caf
commit
1cb35a78d2
|
@ -4,6 +4,8 @@ let
|
||||||
keys = import ./authorizedKeys.nix;
|
keys = import ./authorizedKeys.nix;
|
||||||
fetchSSH = (host: lib._.getSSH host keys);
|
fetchSSH = (host: lib._.getSSH host keys);
|
||||||
fetchSSHKeys = map fetchSSH;
|
fetchSSHKeys = map fetchSSH;
|
||||||
|
|
||||||
|
agenixPkg = inputs.agenix.packages.${pkgs.system}.default;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
@ -56,7 +58,7 @@ in {
|
||||||
# oatmealine ?? is that a reference to jill oatmealine monoids from the beloved videogame franchise "oateamelin jill monoids???" .oat. zone??? from va11hall-a??? video game???? woman????? minecraft???????
|
# oatmealine ?? is that a reference to jill oatmealine monoids from the beloved videogame franchise "oateamelin jill monoids???" .oat. zone??? from va11hall-a??? video game???? woman????? minecraft???????
|
||||||
oatmealine = {
|
oatmealine = {
|
||||||
conf = {
|
conf = {
|
||||||
packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep ];
|
packages = with pkgs; [ bat tmux micro direnv nix-direnv ripgrep agenixPkg ];
|
||||||
shell = pkgs.unstable.fish;
|
shell = pkgs.unstable.fish;
|
||||||
extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
|
extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
|
||||||
initialHashedPassword = "!";
|
initialHashedPassword = "!";
|
||||||
|
@ -68,6 +70,7 @@ in {
|
||||||
|
|
||||||
homeConf.home = {
|
homeConf.home = {
|
||||||
sessionVariables = {
|
sessionVariables = {
|
||||||
|
#EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";
|
||||||
EDITOR = "micro";
|
EDITOR = "micro";
|
||||||
NIX_REMOTE = "daemon";
|
NIX_REMOTE = "daemon";
|
||||||
};
|
};
|
||||||
|
|
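Review bot: The commented-out line `#EDITOR = lib.trace (lib.readFile age.secrets.huge-furry-cock.path) "micro";` in the sessionVariables hunk would, if re-enabled, read the decrypted secret during evaluation and print it into the evaluation log through lib.trace, and since `age.secrets.*.path` only exists once the system is activated the readFile would not succeed at evaluation time anyway. Delete the line rather than leaving it in place as an easy-to-uncomment debugging aid. The new binding `agenixPkg = inputs.agenix.packages.${pkgs.system}.default;` in the first hunk would read better with a purpose comment such as `# agenix CLI, used to edit and rekey the .age files`.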
Binary file not shown.
|
@ -1,6 +1,9 @@
|
||||||
let
|
let
|
||||||
keys = import ../authorizedKeys.nix;
|
userKeys = builtins.catAttrs "ssh" (import ../authorizedKeys.nix);
|
||||||
|
systemKeys = [
|
||||||
"subsurface.aether" = keys."aether@subsurface".ssh;
|
# /etc/ssh/ssh_host_ed25519_key.pub
|
||||||
in
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHp0gLv1FiavpvnXinySlZsWrNkAzo4c8GWvN2WRhQqn root@lucent-firepit"
|
||||||
{}
|
];
|
||||||
|
in {
|
||||||
|
"huge-furry-cock.age".publicKeys = userKeys ++ systemKeys;
|
||||||
|
}
|
||||||
|
|
|
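Review bot: `userKeys = builtins.catAttrs "ssh" (import ../authorizedKeys.nix);` expects a list of attribute sets, but the removed line `keys."aether@subsurface".ssh` indicates authorizedKeys.nix evaluates to an attribute set keyed by user@host, so this line will fail to evaluate unless that file was changed to a list in the same commit (not visible here); `map (k: k.ssh) (builtins.attrValues (import ../authorizedKeys.nix))` collects the same values from a set. Separately, the new `publicKeys = userKeys ++ systemKeys` makes every key listed in authorizedKeys.nix a recipient of the secret, so adding a key to that file silently widens who can decrypt it. A comment such as `# every key in authorizedKeys.nix plus the host key below can decrypt this secret` would make that intent reviewable when the key file changes.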
@ -8,17 +8,24 @@ let
|
||||||
secretsDir = "${toString ../hosts}/${config.networking.hostName}/secrets";
|
secretsDir = "${toString ../hosts}/${config.networking.hostName}/secrets";
|
||||||
secretsFile = "${secretsDir}/secrets.nix";
|
secretsFile = "${secretsDir}/secrets.nix";
|
||||||
in {
|
in {
|
||||||
imports = [ agenix.nixosModules.age ];
|
imports = [ agenix.nixosModules.default ];
|
||||||
#environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
|
|
||||||
|
|
||||||
age = {
|
age = let
|
||||||
secrets = mkMerge (map (x: {"x".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
|
# ugly, lazy, but works
|
||||||
identityPaths = options.age.identityPaths.default ++ (foldr (l: r: l ++ r) [] (map (user:
|
users = map (user: "/home/${user}/.ssh") (attrNames (readDir "/home/"));
|
||||||
|
|
||||||
|
usersWithKeys = filter (path: pathExists path) users;
|
||||||
|
|
||||||
|
userIdentityPaths = concatLists (map (keysPath:
|
||||||
let
|
let
|
||||||
d = "/home/${user}/.ssh";
|
# find all files that are id_* and not *.pub
|
||||||
fs = map (f: d + "/" + f)
|
# todo: maybe make a startsWith / endsWith?
|
||||||
(filter (f: (f != "known_hosts") && (f != "*.old"))
|
files = map (f: keysPath + "/" + f)
|
||||||
(attrNames (readDir d)));
|
(filter (f: (substring 0 3 f == "id_") && (substring (stringLength f - 4) 4 f != ".pub"))
|
||||||
in fs) (attrNames config.defaultUsers)));
|
(attrNames (readDir keysPath)));
|
||||||
|
in files) usersWithKeys);
|
||||||
|
in {
|
||||||
|
secrets = mkMerge (map (x: {"${x}".file = "${secretsDir}/${x}";}) (attrNames (import secretsFile)));
|
||||||
|
identityPaths = options.age.identityPaths.default ++ userIdentityPaths;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
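Review bot: The new identityPaths computation reads `/home/` with `readDir` and `pathExists` at evaluation time, so the result depends on the machine doing the evaluation rather than on the configuration, and flake evaluation without `--impure` rejects access to absolute paths outside the store; every private key file matching `id_*` in every home directory then becomes an identity that can decrypt all host secrets, and backups such as `id_rsa.old` pass the filter as well. Prefer keeping `options.age.identityPaths.default` (the host SSH key) and listing any additional identity paths explicitly instead of scanning home directories. If the scan is kept, the `# todo: maybe make a startsWith / endsWith?` comment can be resolved with nixpkgs' `lib.hasPrefix "id_" f && !(lib.hasSuffix ".pub" f)`, which also avoids the negative start position `substring` raises for the three-character name `id_`. The enclosing `let ... in {` module starts before this hunk.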