fix: secrets for work

flake.lock

@@ -67,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1689116343,
-        "narHash": "sha256-eaYfwQTSEbuB7rs5/W227SbVeDP9cbcoT1TEbnmOgOk=",
+        "lastModified": 1689281837,
+        "narHash": "sha256-msgwgot2/hxXzlpYltIZ7boAqBkN8XejNOhBJ07q3FY=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "eb22022ba8faeeb7a9be8afe925511b88ad12ca5",
+        "rev": "c806a73609e77f0c446fdad5d3ea6ca3b7ae6e5f",
         "type": "github"
       },
       "original": {
@@ -242,10 +242,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1689326736,
-        "narHash": "sha256-wVfvr9bEDkuivJbdtbLC6l82QZnc2dW4Nl3ExY6/oaA=",
+        "lastModified": 1689338661,
+        "narHash": "sha256-yRWO66sDXWYMKgGVHQ5KmzaOQbgFdKpfikHVi/OLioM=",
         "ref": "refs/heads/main",
-        "rev": "cd37f1a4f8543b6e272809c75f84ed674ac0e4d3",
+        "rev": "e468b93e6d92c5398e55d30f1ec9752030308035",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -262,11 +262,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1688953990,
-        "narHash": "sha256-835HVBBkaumj8b098dC7u4fOGBMsIsnYitRYNQkb+jA=",
+        "lastModified": 1689318580,
+        "narHash": "sha256-ccMZzE0Du6I7RtAuDZbERsBZRGnFcwXTAnSQqGd7mOY=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "4006da54d54e1243da26ad4d75d6b4c9f7a456ba",
+        "rev": "f88571cfc9132e8f2768aa41d57f5f471941d4b6",
         "type": "github"
       },
       "original": {
@@ -329,11 +329,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1689048911,
-        "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=",
+        "lastModified": 1689326639,
+        "narHash": "sha256-79zi0t83Dcc2dE0NuYZ+2hqtKXZN1yWVq5mtx8D2d7Y=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8163a64662b43848802092d52015ef60777d6129",
+        "rev": "9fdfaeb7b96f05e869f838c73cde8d98c640c649",
         "type": "github"
       },
       "original": {
@@ -360,11 +360,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1689008574,
-        "narHash": "sha256-VFMgyHDiqsGDkRg73alv6OdHJAqhybryWHv77bSCGIw=",
+        "lastModified": 1689192006,
+        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4a729ce4b1fe5ec4fffc71c67c96aa5184ebb462",
+        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
         "type": "github"
       },
       "original": {
@@ -382,11 +382,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1689102834,
-        "narHash": "sha256-V+KktXbks2Z3FGuGcxc90NdKmKgAU53CHPSZ7OFm1P0=",
+        "lastModified": 1689333233,
+        "narHash": "sha256-MRJcuia/nnpN4rigEOZTgDKPjNfaiqr8LfLdqcTJmdc=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "98aac0e8605837c4544707296680e94716bd0d20",
+        "rev": "62657e12fcad6f4e1180f87031c718787faf8fb1",
         "type": "github"
       },
       "original": {
@@ -413,11 +413,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1689048911,
-        "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=",
+        "lastModified": 1689209875,
+        "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8163a64662b43848802092d52015ef60777d6129",
+        "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2",
         "type": "github"
       },
       "original": {
@@ -445,11 +445,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1689008574,
-        "narHash": "sha256-VFMgyHDiqsGDkRg73alv6OdHJAqhybryWHv77bSCGIw=",
+        "lastModified": 1689192006,
+        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4a729ce4b1fe5ec4fffc71c67c96aa5184ebb462",
+        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
         "type": "github"
       },
       "original": {

home/base/desktop/default.nix

@@ -6,6 +6,7 @@
     
     ./development.nix
     ./media.nix
+    ./shell.nix
   ];
 
 }

home/base/desktop/shell.nix

@@ -0,0 +1,17 @@
+
+{ ... }: {
+  programs.bash = {
+    # load the alias file for work
+    bashrcExtra = ''
+      source /run/agenix/alias-for-work.bash
+    '';
+  };
+
+  programs.nushell = {
+    # load the alias file for work
+    extraConfig = ''
+      source /run/agenix/alias-for-work.nushell
+    '';
+  };
+
+}

home/base/server/bash.nix

@@ -1,11 +1,10 @@
-{ config, builtins, ... }: {
+{ ... }: {
   programs.bash = {
     enable = true;
     enableCompletion = true;
     bashrcExtra = ''
       export PATH="$PATH:$HOME/bin:$HOME/.local/bin:$HOME/go/bin"
     '';
-    # ++ (builtins.readFile config.age.secrets."alias-for-work.bash".path);
 
     shellAliases = {
       k = "kubectl";

home/base/server/nushell/default.nix

@@ -1,4 +1,4 @@
-{ config, builtins, ... }: {
+{ ... }: {
   programs.nushell = {
     enable = true;
     configFile.source = ./config.nu;
@@ -9,8 +9,6 @@
     # envFile.source = ./env.nu;
     # environmentVariables = { FOO="bar"; };
 
-    # extraConfig = builtins.readFile config.age.secrets."alias-for-work.nushell".path;
-
     shellAliases = {
       k = "kubectl";
 

secrets/default.nix

@@ -2,7 +2,7 @@
 
 {
   imports = [
-    agenix.nixosModules.default
+    (agenix.nixosModules.default)
   ];
 
   environment.systemPackages = [
@@ -12,9 +12,17 @@
   # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
   age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
 
+  age.secretsDir = "/run/agenix/";
+
+  ############################################################################
+  #
+  # The following secrets are used by NixOS Modules
+  #
+  ############################################################################
+
   # wireguard config used with `wg-quick up wg-business`  
   age.secrets."wg-business.conf" = {
-    # wether secrets are symlinked to age.secrets.<name>.path
+    # wether secrets are symlinked to age.secrets.<name>.path(default to true)
     symlink = true;
     # target path for decrypted file
     path = "/etc/wireguard/";
@@ -27,22 +35,29 @@
 
   # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
   age.secrets."smb-credentials" = {
-    # wether secrets are symlinked to age.secrets.<name>.path
-    symlink = true;
-    # encrypted file path
     file = "${mysecrets}/smb-credentials.age";
   };
 
+
+  ############################################################################
+  #
+  # The following secrets are used by home-manager modules
+  # So they should be readable by the user `ryan`
+  #
+  ############################################################################
+
   age.secrets."alias-for-work.nushell" = {
-    # wether secrets are symlinked to age.secrets.<name>.path
-    symlink = false;
-    # encrypted file path
+    # path = "/etc/agenix/";
     file = "${mysecrets}/alias-for-work.nushell.age";
+    mode = "0600";
+    owner = "ryan";
+    group = "ryan";
   };
   age.secrets."alias-for-work.bash" = {
-    # wether secrets are symlinked to age.secrets.<name>.path
-    symlink = false;
-    # encrypted file path
+    # path = "/etc/agenix/";
     file = "${mysecrets}/alias-for-work.bash.age";
+    mode = "0600";
+    owner = "ryan";
+    group = "ryan";
   };
 }