feat: add agenix for secrets management

2026-04-24 17:08:25 +02:00 · 2023-05-21 00:56:37 +08:00
parent 32d6353cdc
commit 6710f34e50
15 changed files with 303 additions and 56 deletions
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, agenix, ... }:
+
+{
+  imports = [
+     agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default 
+  ];
+
+  # # wireguard config used with `wg-quick up wg-business`  
+  age.secrets."wg-business.conf" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # target path for decrypted file
+    path = "/etc/wireguard/";
+    # encrypted file path
+    file = ./encrypt/wg-business.conf.age;
+    mode = "0400";
+    owner = "root";
+    group = "root";
+  };
+
+  # smb-credentials is referenced in /etc/fstab, by ../hosts/msi-rtx4090/cifs-mount.nix
+  age.secrets."smb-credentials" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # encrypted file path
+    file = ./encrypt/smb-credentials.age;
+  };
+}