Use agenix for secrets

This commit is contained in:
Nettika 2025-07-02 00:13:24 -07:00
parent e6ad5687d0
commit 11dfa3cc1a
9 changed files with 124 additions and 28 deletions

1
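--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +0,0 @@
-secrets.json filter=git-crypt diff=git-crypt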


@ -1,4 +1,4 @@
{ pkgs, config, secrets, ... }: { { pkgs, config, ... }: {
systemd.services = { systemd.services = {
notify-backup-b2-failed = { notify-backup-b2-failed = {
description = "Notify on failed backup to B2"; description = "Notify on failed backup to B2";
@ -16,27 +16,25 @@
restic-backups-b2 = { onFailure = [ "notify-backup-b2-failed.service" ]; }; restic-backups-b2 = { onFailure = [ "notify-backup-b2-failed.service" ]; };
}; };
environment.etc = { age.secrets = {
"restic-env".text = '' restic-env.file = ./secrets/restic-env.age;
B2_ACCOUNT_ID="${secrets.b2.accountId}" restic-password.file = ./secrets/restic-password.age;
B2_ACCOUNT_KEY="${secrets.b2.accountKey}"
'';
"restic-password".text = secrets.restic.password;
}; };
services.restic.backups = { services.restic.backups = {
b2 = { b2 = {
initialize = true; initialize = true;
environmentFile = "/etc/restic-env"; environmentFile = config.age.secrets.restic-env.path;
passwordFile = config.age.secrets.restic-password.path;
repository = "b2:marauder-backup"; repository = "b2:marauder-backup";
passwordFile = "/etc/restic-password"; paths = let home = config.users.users.nettika.home;
paths = [ in [
"${config.users.users.nettika.home}/Artwork" "${home}/Artwork"
"${config.users.users.nettika.home}/Documents" "${home}/Documents"
"${config.users.users.nettika.home}/Music" "${home}/Music"
"${config.users.users.nettika.home}/Pictures" "${home}/Pictures"
"${config.users.users.nettika.home}/Projects" "${home}/Projects"
"${config.users.users.nettika.home}/Videos" "${home}/Videos"
]; ];
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ]; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ];
}; };
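Review bot: The plaintext credentials written by the removed `environment.etc."restic-env".text` and `"restic-password".text` lines are still on disk after this switch, because `environment.etc` renders `text` into world-readable Nix store paths that survive until old system generations are garbage-collected; the B2 application key should be rotated and the old generations dropped (`nix-collect-garbage -d`) once the agenix setup is verified. The new `age.secrets.*` entries rely on agenix defaults (decrypted under /run/agenix, root-owned, mode 0400), which suits the restic backup service only if it runs as root (the NixOS default); a one-line comment stating that assumption next to `age.secrets = {` would help, e.g. `# agenix defaults: root:root 0400, fine while restic-backups-b2 runs as root`. The module header drops `secrets` from its arguments, so any remaining reference to it elsewhere in the file (outside this hunk) would fail evaluation.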


@ -1,4 +1,4 @@
{ pkgs, secrets, phps, ... }: { pkgs, phps, agenix, ... }:
let let
fortune = pkgs.writeShellScript "cgi" '' fortune = pkgs.writeShellScript "cgi" ''
echo "Content-type: text/html" echo "Content-type: text/html"
@ -31,6 +31,8 @@ in {
environment.variables.VISUAL = "code --wait"; environment.variables.VISUAL = "code --wait";
age.identityPaths = [ "/home/nettika/.ssh/id_ed25519" ];
networking = { networking = {
hostName = "marauder"; hostName = "marauder";
firewall.enable = false; firewall.enable = false;
@ -127,7 +129,6 @@ in {
php php
# Command line # Command line
git-crypt
htop htop
jq jq
@ -139,6 +140,7 @@ in {
mullvad-vpn mullvad-vpn
qbittorrent qbittorrent
system-config-printer system-config-printer
agenix.packages.${system}.default
]; ];
programs.steam = { programs.steam = {
@ -205,7 +207,7 @@ in {
services.zerotierone = { services.zerotierone = {
enable = true; enable = true;
joinNetworks = secrets.zerotier.networks; joinNetworks = [ "8056c2e21c0b1a53" ];
}; };
services.mullvad-vpn = { services.mullvad-vpn = {
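Review bot: `age.identityPaths = [ "/home/nettika/.ssh/id_ed25519" ];` ties decryption of every host secret to one user's personal SSH key rather than the host key (agenix's default, `/etc/ssh/ssh_host_ed25519_key`), so secrets are available at activation only while /home is mounted and that key stays unencrypted — a passphrase on the key, or rotating it, would break the restic service at boot. It also means a compromise of that user account exposes all host secrets. Prefer leaving `age.identityPaths` at its default, adding the host's `ssh_host_ed25519_key.pub` as a recipient in `secrets/secrets.nix`, and re-keying the `.age` files with `agenix -r`. If the user key is kept deliberately, a comment stating why (e.g. `# decrypt with the user key: host key is not a recipient of secrets/*.age`) would save the next reader the search.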

84
flake.lock generated

@ -1,5 +1,28 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"common": { "common": {
"locked": { "locked": {
"lastModified": 1750666369, "lastModified": 1750666369,
@ -15,6 +38,28 @@
"url": "https://git.uninsane.org/nettika/nettika-common" "url": "https://git.uninsane.org/nettika/nettika-common"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -31,6 +76,27 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1748437600, "lastModified": 1748437600,
@ -71,6 +137,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"common": "common", "common": "common",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"phps": "phps" "phps": "phps"
@ -91,9 +158,24 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,


@ -7,17 +7,19 @@
url = "github:fossar/nix-phps"; url = "github:fossar/nix-phps";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
common.url = "git+https://git.uninsane.org/nettika/nettika-common"; common.url = "git+https://git.uninsane.org/nettika/nettika-common";
}; };
outputs = { nixpkgs, phps, common, ... }: { outputs = { nixpkgs, phps, common, agenix, ... }: {
nixosConfigurations.marauder = nixpkgs.lib.nixosSystem { nixosConfigurations.marauder = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./configuration.nix common.nixosModule ]; modules =
specialArgs = { [ ./configuration.nix common.nixosModule agenix.nixosModules.default ];
inherit phps; specialArgs = { inherit phps agenix; };
secrets = builtins.fromJSON (builtins.readFile ./secrets.json);
};
}; };
}; };
} }
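Review bot: The `rec` added to the `nixosSystem` attrset is not used by anything in this hunk — `system` is only referenced by `agenix.packages.${system}.default` in configuration.nix, and `specialArgs = { inherit phps agenix; };` does not forward it, so unless `system` is bound elsewhere in that module it is an unbound variable at evaluation time. Either pass it through, `specialArgs = { inherit phps agenix system; };`, or drop `rec` and use `agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` in the module. A short comment on the new `agenix` input pointing to `secrets/secrets.nix` as the recipient list would help the next reader find where keys are managed.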

Binary file not shown.

5
secrets/restic-env.age Normal file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk
I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y
--- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc
L£æÎšÈ[¤Nî<#Õ]ˆ Ÿ<>üBÄ}×fË%P„ôxK±Û¨þkI½©”<§V<C2A7>Ÿ…¶YÄ5#å±ð÷û”qE³4­®¶l—ËøF¾“8ukȨ<C388>ûÂ%À´U53yìû"<22>g\ªZæÙC®õW¥²g­z

secrets/restic-password.age Normal file

Binary file not shown.

8
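--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+nettika =
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
+in {
+"restic-env.age".publicKeys = [ nettika ];
+"restic-password.age".publicKeys = [ nettika ];
+"zerotier-networks.age".publicKeys = [ nettika ];
+}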
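Review bot: `"zerotier-networks.age".publicKeys = [ nettika ];` declares a secret that this commit neither adds (the changed files include only `restic-env.age` and `restic-password.age`) nor consumes — configuration.nix now hardcodes `joinNetworks = [ "8056c2e21c0b1a53" ]` — so either the `.age` file is missing or the entry is stale and should be removed. Every entry has a single user key as recipient, so no host can decrypt these files with its own host key; adding the machine's `ssh_host_ed25519_key.pub` as a second recipient (e.g. `marauder = "ssh-ed25519 <host public key>";` and `publicKeys = [ nettika marauder ];`) decouples boot-time decryption from the user's personal key and lets either key be rotated independently. A comment naming which machine or person each key belongs to would make the recipient list auditable.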