From 11dfa3cc1ae1b140af70268eb20244fb3c692b8f Mon Sep 17 00:00:00 2001
From: Nettika
Date: Wed, 2 Jul 2025 00:13:24 -0700
Subject: [PATCH] Use agenix for secrets
---
 .gitattributes | 1 -
 backup.nix | 30 ++++++-------
 configuration.nix | 8 ++--
 flake.lock | 84 +++++++++++++++++++++++++++++++++++-
 flake.nix | 16 ++++---
 secrets.json | Bin 278 -> 0 bytes
 secrets/restic-env.age | 5 +++
 secrets/restic-password.age | Bin 0 -> 246 bytes
 secrets/secrets.nix | 8 ++++
 9 files changed, 124 insertions(+), 28 deletions(-)
 delete mode 100755 .gitattributes
 delete mode 100755 secrets.json
 create mode 100644 secrets/restic-env.age
 create mode 100644 secrets/restic-password.age
 create mode 100644 secrets/secrets.nix
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100755
index e155600..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-secrets.json filter=git-crypt diff=git-crypt
diff --git a/backup.nix b/backup.nix
index a358e2a..be777d8 100755
--- a/backup.nix
+++ b/backup.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, secrets, ... }: {
+{ pkgs, config, ... }: {
 systemd.services = {
 notify-backup-b2-failed = {
 description = "Notify on failed backup to B2";
@@ -16,27 +16,25 @@
 restic-backups-b2 = {
 onFailure = [ "notify-backup-b2-failed.service" ];
 };
 };
- environment.etc = {
- "restic-env".text = ''
- B2_ACCOUNT_ID="${secrets.b2.accountId}"
- B2_ACCOUNT_KEY="${secrets.b2.accountKey}"
- '';
- "restic-password".text = secrets.restic.password;
+ age.secrets = {
+ restic-env.file = ./secrets/restic-env.age;
+ restic-password.file = ./secrets/restic-password.age;
 };
 services.restic.backups = {
 b2 = {
 initialize = true;
- environmentFile = "/etc/restic-env";
+ environmentFile = config.age.secrets.restic-env.path;
+ passwordFile = config.age.secrets.restic-password.path;
 repository = "b2:marauder-backup";
- passwordFile = "/etc/restic-password";
- paths = [
- "${config.users.users.nettika.home}/Artwork"
- "${config.users.users.nettika.home}/Documents"
- "${config.users.users.nettika.home}/Music"
- "${config.users.users.nettika.home}/Pictures"
- "${config.users.users.nettika.home}/Projects"
- "${config.users.users.nettika.home}/Videos"
+ paths = let home = config.users.users.nettika.home;
+ in [
+ "${home}/Artwork"
+ "${home}/Documents"
+ "${home}/Music"
+ "${home}/Pictures"
+ "${home}/Projects"
+ "${home}/Videos"
 ];
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ];
 };
diff --git a/configuration.nix b/configuration.nix
index 9134aad..2a5baa2 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, secrets, phps, ... }:
+{ pkgs, phps, agenix, ... }:
 let
 fortune = pkgs.writeShellScript "cgi" ''
 echo "Content-type: text/html"
@@ -31,6 +31,8 @@ in {
 environment.variables.VISUAL = "code --wait";
+ age.identityPaths = [ "/home/nettika/.ssh/id_ed25519" ];
+
 networking = {
 hostName = "marauder";
 firewall.enable = false;
@@ -127,7 +129,6 @@ in {
 php
 # Command line
- git-crypt
 htop
 jq
@@ -139,6 +140,7 @@ in {
 mullvad-vpn
 qbittorrent
 system-config-printer
+ agenix.packages.${system}.default
 ];
 programs.steam = {
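Review bot: `age.identityPaths = [ "/home/nettika/.ssh/id_ed25519" ];` ties boot-time decryption to a key in a user's home directory: agenix decrypts secrets during system activation, running as root, so if that key carries a passphrase (which agenix cannot enter unattended, as far as I know) or /home is not yet available when activation runs, the two restic secrets are not created and the b2 backup unit fails at its next run. The option's default is the host SSH key, which is always present at activation; `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` plus the host's public key as an additional recipient in secrets/secrets.nix (which currently lists only the user key) keeps the user key for editing with `agenix -e` while letting the machine decrypt on its own. If the user key is a deliberate choice, a one-line comment saying why would help the next reader. The enclosing attribute set starts before and ends after the hunk.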
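Review bot: `agenix.packages.${system}.default` references `system`, which is not one of this module's arguments (`{ pkgs, phps, agenix, ... }`) and is not in the specialArgs that flake.nix passes (`{ inherit phps agenix; }`); the `rec` added to the nixosSystem call in flake.nix binds `system` only inside that attribute set, where nothing uses it. Unless the `let` block at the top of configuration.nix (outside the hunk) defines `system`, evaluation fails with an undefined-variable error at this line. Either add `inherit system` to `specialArgs` in flake.nix, or write `agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` here and drop the now-unneeded `rec`.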
@@ -205,7 +207,7 @@ in {
 services.zerotierone = {
 enable = true;
- joinNetworks = secrets.zerotier.networks;
+ joinNetworks = [ "8056c2e21c0b1a53" ];
 };
 services.mullvad-vpn = {
diff --git a/flake.lock b/flake.lock
index 3972ea6..2ef6b7d 100755
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1750173260,
+ "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "common": {
 "locked": {
 "lastModified": 1750666369,
@@ -15,6 +38,28 @@
 "url": "https://git.uninsane.org/nettika/nettika-common"
 }
 },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744478979,
+ "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -31,6 +76,27 @@
 "type": "github"
 }
 },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1748437600,
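Review bot: The hard-coded `joinNetworks` list moves the ZeroTier network ID from the encrypted secrets file into plaintext configuration, and it now sits in the repository history with this commit. A network ID by itself does not grant access (the controller still has to authorize a member), so this is defensible, but it should be a conscious choice rather than a side effect of the migration; a comment such as `# Network ID is not secret: joining still requires controller authorization` would record that. The new secrets/secrets.nix still declares `"zerotier-networks.age"` for this value although the commit adds no such file; since agenix only produces files at runtime and cannot feed a Nix option like joinNetworks, that entry should be dropped rather than left dangling.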
@@ -71,6 +137,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "common": "common",
 "nixpkgs": "nixpkgs",
 "phps": "phps"
@@ -91,9 +158,24 @@
 "type": "github"
 }
 },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "utils": {
 "inputs": {
- "systems": "systems"
+ "systems": "systems_2"
 },
 "locked": {
 "lastModified": 1731533236,
diff --git a/flake.nix b/flake.nix
index 2aa7c0f..2c97c1d 100755
--- a/flake.nix
+++ b/flake.nix
@@ -7,17 +7,19 @@
 url = "github:fossar/nix-phps";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 common.url = "git+https://git.uninsane.org/nettika/nettika-common";
 };
- outputs = { nixpkgs, phps, common, ... }: {
- nixosConfigurations.marauder = nixpkgs.lib.nixosSystem {
+ outputs = { nixpkgs, phps, common, agenix, ... }: {
+ nixosConfigurations.marauder = nixpkgs.lib.nixosSystem rec {
 system = "x86_64-linux";
- modules = [ ./configuration.nix common.nixosModule ];
- specialArgs = {
- inherit phps;
- secrets = builtins.fromJSON (builtins.readFile ./secrets.json);
- };
+ modules =
+ [ ./configuration.nix common.nixosModule agenix.nixosModules.default ];
+ specialArgs = { inherit phps agenix; };
 };
 };
 }
diff --git a/secrets.json b/secrets.json
deleted file mode 100755
index 6e240ec9133fc827010d308db31a5539ef8519cb..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 278
zcmZQ@_Y83kiVO&0_?owfLn$X~I@g;FMxKjzo7Y*e&3@9dYpXHGyzpz;adoaLSvUO|
zN`F>tTeJDruFh|!MuPdrqYgQyauw(>oK3htZC2T~i(V-ugosC{)M-5Tt2#}vHm_k_lnqsD{|3m_quOYF1}SbK_Kyd!L67L
z{(R+|C$@ChxjbO;s{c1@+1!k2{ETdqvWjm+o%eA%uD~R#vT0p!Lbe{@QWqCCHa(yEXggm70C78t;{X5v
diff --git a/secrets/restic-env.age b/secrets/restic-env.age
new file mode 100644
index 0000000..1d93a5d
--- /dev/null
+++ b/secrets/restic-env.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk
+I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y
+--- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc
+L£æÎšÈ[¤Nî<#Õ]ˆ ŸüBÄ}–×fË%P„ôxK±Û¨þkI½©”<§VŸ…¶YÄ5#å±ð÷û”qE³4’­®¶l—ËøF¾“8ukȨûÂ%À´U53yìû"g\ªZæÙC®õW¥²g­z
\ No newline at end of file
diff --git a/secrets/restic-password.age b/secrets/restic-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..58bbd5c66d43e5ccf66e1e1bcd8d3e55b07de816
GIT binary patch
literal 246
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn(+=<|3RLh7bJjNq
zi_CQPN;b-l3Mq(iDb98?Pd6;iG0qFiH3~B+*3T(2D9ko-Pv>&WDNXnH^KtXYNHq0L
z3Muv|EzSw{DKQW7PR|c_GI0+#EzKz`^zzeoG~v?K)m6xFck_vIbqhCli}Lr6swxi;
ztjJ0!a4q!6G0!QEbTc;gO)L(za4{`U$>uun@Ba1Dx4eE#oJw**QYX_>mP}o0d9*9h
wE9Hjy1(~$4%w$d>{Z~pC#Cg^;NWN}oaNm(M>&}l`c4z8->{_ZfH}%O{08;r`0ssI2
literal 0
HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..5e3f402
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+ nettika =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
+in {
+ "restic-env.age".publicKeys = [ nettika ];
+ "restic-password.age".publicKeys = [ nettika ];
+ "zerotier-networks.age".publicKeys = [ nettika ];
+}
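Review bot: secrets/secrets.nix is the only human-readable description of the encrypted files, yet it records nothing about their required contents, and the .age files cannot be inspected without the key. backup.nix consumes restic-env through environmentFile and restic-password through passwordFile, and the removed environment.etc block shows the environment file must define B2_ACCOUNT_ID and B2_ACCOUNT_KEY. Suggest `# restic-env.age: environment file defining B2_ACCOUNT_ID and B2_ACCOUNT_KEY` and `# restic-password.age: the restic repository password` above the respective entries, and either a comment or removal for the `zerotier-networks.age` entry, which no file in this commit backs. The single recipient is also worth a comment, since losing that one key makes the restic repository password unrecoverable.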