starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-04-28 11:47:04 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

feat: add distributed-builds & many hosts

Browse Source 
feat: remove nur & devenv
feat: adjust the structure to make it suitable for servers
feat: add iso/proxmox generators and add docs about it
feat: update ryan's openssh keys & add hashedPassword
feat: add proxmox's nodes into ssh_config, with alias
This commit is contained in:
Ryan Yin
2023-06-17 03:07:59 +08:00
parent a5f0922ba7
commit 45a7973553
48 changed files with 736 additions and 685 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
secrets/README.md
View File

@@ -22,36 +22,41 @@ Pretend you want to add a new secret file `xxx.age`, then:
1. `cd` to this directory
1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the
encryption keys and the secret file path, e.g.
```nix
# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
# agenix use the public keys defined in this file to encrypt the secrets.
# and users can decrypt the secrets by any of the corresponding private keys.
let
# get user's ssh public key by command:
# cat ~/.ssh/id_ed25519.pub
# if you do not have one, you can generate it by command:
# ssh-keygen -t ed25519
ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
users = [ ryan ];
```nix
# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
# agenix use the public keys defined in this file to encrypt the secrets.
# and users can decrypt the secrets by any of the corresponding private keys.
let
# get user's ssh public key by command:
# cat ~/.ssh/id_ed25519.pub
# if you do not have one, you can generate it by command:
# ssh-keygen -t ed25519
ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
users = [ ryan ];
# get system's ssh public key by command:
# cat /etc/ssh/ssh_host_ed25519_key.pub
ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@ai";
systems = [ ai ];
in
{
"./encrypt/xxx.age".publicKeys = users ++ systems;
}
```
# get system's ssh public key by command:
# cat /etc/ssh/ssh_host_ed25519_key.pub
msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
systems = [ msi-rtx4090 ];
in
{
"./encrypt/xxx.age".publicKeys = users ++ systems;
}
```
2. create and edit the secret file `xxx.age` interactively by command:
```shell
agenix -e ./encrypt/xxx.age
```
```shell
agenix -e ./encrypt/xxx.age
```
3. or you can also encrypt an existing file to `xxx.age` by command:
```shell
cat /path/to/xxx | agenix -e ./encrypt/xxx.age
```
```shell
cat /path/to/xxx | agenix -e ./encrypt/xxx.age
```
the agenix use `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub` as encrypt key by default, you need to pass `--identity /path/to/key` to use a custom `/path/to/key.pub` for enctypt.
@@ -70,7 +75,7 @@ An nixos module exmaple(need to set agenix as flake inputs first...):
];
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
agenix.packages."${pkgs.system}".default
];
age.secrets."xxx" = {