From 5ed0ece058209f640343bfb3a6a2901e4c142282 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Fri, 14 Jul 2023 20:16:31 +0800
Subject: [PATCH] fix: secrets for work

---
 flake.lock | 48 ++++++++++++++--------------
 home/base/desktop/default.nix | 1 +
 home/base/desktop/shell.nix | 17 ++++++++++
 home/base/server/bash.nix | 3 +-
 home/base/server/nushell/default.nix | 4 +--
 secrets/default.nix | 37 ++++++++++++++-------
 6 files changed, 70 insertions(+), 40 deletions(-)
 create mode 100644 home/base/desktop/shell.nix

diff --git a/flake.lock b/flake.lock
index e3a3e09c..55e549ff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -67,11 +67,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1689116343,
-        "narHash": "sha256-eaYfwQTSEbuB7rs5/W227SbVeDP9cbcoT1TEbnmOgOk=",
+        "lastModified": 1689281837,
+        "narHash": "sha256-msgwgot2/hxXzlpYltIZ7boAqBkN8XejNOhBJ07q3FY=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "eb22022ba8faeeb7a9be8afe925511b88ad12ca5",
+        "rev": "c806a73609e77f0c446fdad5d3ea6ca3b7ae6e5f",
         "type": "github"
       },
       "original": {
@@ -242,10 +242,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1689326736,
-        "narHash": "sha256-wVfvr9bEDkuivJbdtbLC6l82QZnc2dW4Nl3ExY6/oaA=",
+        "lastModified": 1689338661,
+        "narHash": "sha256-yRWO66sDXWYMKgGVHQ5KmzaOQbgFdKpfikHVi/OLioM=",
         "ref": "refs/heads/main",
-        "rev": "cd37f1a4f8543b6e272809c75f84ed674ac0e4d3",
+        "rev": "e468b93e6d92c5398e55d30f1ec9752030308035",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -262,11 +262,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1688953990,
-        "narHash": "sha256-835HVBBkaumj8b098dC7u4fOGBMsIsnYitRYNQkb+jA=",
+        "lastModified": 1689318580,
+        "narHash": "sha256-ccMZzE0Du6I7RtAuDZbERsBZRGnFcwXTAnSQqGd7mOY=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "4006da54d54e1243da26ad4d75d6b4c9f7a456ba",
+        "rev": "f88571cfc9132e8f2768aa41d57f5f471941d4b6",
         "type": "github"
       },
       "original": {
@@ -329,11 +329,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1689048911,
-        "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=",
+        "lastModified": 1689326639,
+        "narHash": "sha256-79zi0t83Dcc2dE0NuYZ+2hqtKXZN1yWVq5mtx8D2d7Y=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8163a64662b43848802092d52015ef60777d6129",
+        "rev": "9fdfaeb7b96f05e869f838c73cde8d98c640c649",
         "type": "github"
       },
       "original": {
@@ -360,11 +360,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1689008574,
-        "narHash": "sha256-VFMgyHDiqsGDkRg73alv6OdHJAqhybryWHv77bSCGIw=",
+        "lastModified": 1689192006,
+        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4a729ce4b1fe5ec4fffc71c67c96aa5184ebb462",
+        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
         "type": "github"
       },
       "original": {
@@ -382,11 +382,11 @@
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1689102834,
-        "narHash": "sha256-V+KktXbks2Z3FGuGcxc90NdKmKgAU53CHPSZ7OFm1P0=",
+        "lastModified": 1689333233,
+        "narHash": "sha256-MRJcuia/nnpN4rigEOZTgDKPjNfaiqr8LfLdqcTJmdc=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "98aac0e8605837c4544707296680e94716bd0d20",
+        "rev": "62657e12fcad6f4e1180f87031c718787faf8fb1",
         "type": "github"
       },
       "original": {
@@ -413,11 +413,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1689048911,
-        "narHash": "sha256-pODI2CkjWbSLo5nPMZoLtkRNJU/Nr3VSITXZqqmNtIk=",
+        "lastModified": 1689209875,
+        "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8163a64662b43848802092d52015ef60777d6129",
+        "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2",
         "type": "github"
       },
       "original": {
@@ -445,11 +445,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1689008574,
-        "narHash": "sha256-VFMgyHDiqsGDkRg73alv6OdHJAqhybryWHv77bSCGIw=",
+        "lastModified": 1689192006,
+        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4a729ce4b1fe5ec4fffc71c67c96aa5184ebb462",
+        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
         "type": "github"
       },
       "original": {
diff --git a/home/base/desktop/default.nix b/home/base/desktop/default.nix
index c8198154..25e0171a 100644
--- a/home/base/desktop/default.nix
+++ b/home/base/desktop/default.nix
@@ -6,6 +6,7 @@
     ./development.nix
     ./media.nix
+    ./shell.nix
   ];
 }
diff --git a/home/base/desktop/shell.nix b/home/base/desktop/shell.nix
new file mode 100644
index 00000000..85f2f6df
--- /dev/null
+++ b/home/base/desktop/shell.nix
@@ -0,0 +1,17 @@
+
+{ ... }: {
+  programs.bash = {
+    # load the alias file for work
+    bashrcExtra = ''
+      source /run/agenix/alias-for-work.bash
+    '';
+  };
+
+  programs.nushell = {
+    # load the alias file for work
+    extraConfig = ''
+      source /run/agenix/alias-for-work.nushell
+    '';
+  };
+
+}
diff --git a/home/base/server/bash.nix b/home/base/server/bash.nix
index 53827dad..80faca62 100644
--- a/home/base/server/bash.nix
+++ b/home/base/server/bash.nix
@@ -1,11 +1,10 @@
-{ config, builtins, ... }: {
+{ ... }: {
   programs.bash = {
     enable = true;
     enableCompletion = true;
     bashrcExtra = ''
       export PATH="$PATH:$HOME/bin:$HOME/.local/bin:$HOME/go/bin"
     '';
-    # ++ (builtins.readFile config.age.secrets."alias-for-work.bash".path);
     shellAliases = {
       k = "kubectl";
diff --git a/home/base/server/nushell/default.nix b/home/base/server/nushell/default.nix
index 3d37f1a7..41fa49ec 100644
--- a/home/base/server/nushell/default.nix
+++ b/home/base/server/nushell/default.nix
@@ -1,4 +1,4 @@
-{ config, builtins, ... }: {
+{ ... }: {
   programs.nushell = {
     enable = true;
     configFile.source = ./config.nu;
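Review bot: In shell.nix both `bashrcExtra` and `extraConfig` source the decrypted secret by the literal path `/run/agenix/alias-for-work.*`, so the location is now pinned in two places (here and `age.secretsDir` in secrets/default.nix) with nothing tying them together, and on a host where the secret is not decrypted bash will print an error on every interactive start. For bash the guard is cheap: `[ -r /run/agenix/alias-for-work.bash ] && source /run/agenix/alias-for-work.bash`. Nushell's `source` is, as far as I recall, resolved when the config is parsed, so a missing file there likely stops the whole config from loading — worth confirming on a host without the secret. A comment such as `# path must match age.secretsDir in secrets/default.nix; the shell executes this file, so its mode/owner are what protect it` would make the coupling and the trust placed in the file visible.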
@@ -9,8 +9,6 @@
     # envFile.source = ./env.nu;
     # environmentVariables = { FOO="bar"; };
-    # extraConfig = builtins.readFile config.age.secrets."alias-for-work.nushell".path;
-
     shellAliases = {
       k = "kubectl";
diff --git a/secrets/default.nix b/secrets/default.nix
index 9b1af0a7..7dd58ed6 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -2,7 +2,7 @@
 {
   imports = [
-    agenix.nixosModules.default
+    (agenix.nixosModules.default)
   ];
   environment.systemPackages = [
@@ -12,9 +12,17 @@
   # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
   age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
+  age.secretsDir = "/run/agenix/";
+
+  ############################################################################
+  #
+  # The following secrets are used by NixOS Modules
+  #
+  ############################################################################
+
   # wireguard config used with `wg-quick up wg-business`
   age.secrets."wg-business.conf" = {
-    # wether secrets are symlinked to age.secrets..path
+    # wether secrets are symlinked to age.secrets..path(default to true)
     symlink = true;
     # target path for decrypted file
     path = "/etc/wireguard/";
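Review bot: The rewritten comment above `symlink = true;` keeps the typo and adds an agreement slip; it should read `# whether secrets are symlinked to age.secrets.<name>.path (defaults to true)` (the `<name>` placeholder presumably went missing when the text was pasted). The new `age.secretsDir = "/run/agenix/";` has no comment saying why it is pinned; if I recall correctly this matches agenix's default, so a reader may take it for a change, and the reason worth recording is that home/base/desktop/shell.nix sources the secrets by that literal path: `# keep in sync with the literal paths sourced in home/base/desktop/shell.nix`. The `age.secrets."wg-business.conf"` attribute set continues past the end of the hunk.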
@@ -27,22 +35,29 @@
   # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
   age.secrets."smb-credentials" = {
-    # wether secrets are symlinked to age.secrets..path
-    symlink = true;
-    # encrypted file path
     file = "${mysecrets}/smb-credentials.age";
   };
+
+  ############################################################################
+  #
+  # The following secrets are used by home-manager modules
+  # So they should be readable by the user `ryan`
+  #
+  ############################################################################
+
   age.secrets."alias-for-work.nushell" = {
-    # wether secrets are symlinked to age.secrets..path
-    symlink = false;
-    # encrypted file path
+    # path = "/etc/agenix/";
     file = "${mysecrets}/alias-for-work.nushell.age";
+    mode = "0600";
+    owner = "ryan";
+    group = "ryan";
   };
   age.secrets."alias-for-work.bash" = {
-    # wether secrets are symlinked to age.secrets..path
-    symlink = false;
-    # encrypted file path
+    # path = "/etc/agenix/";
     file = "${mysecrets}/alias-for-work.bash.age";
+    mode = "0600";
+    owner = "ryan";
+    group = "ryan";
   };
 }
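Review bot: The two added `# path = "/etc/agenix/";` lines are commented-out configuration with no note on why it was abandoned; either drop them or record the reason the default location under `/run` was kept (I would guess the point was not to persist the decrypted aliases on disk, but that is worth stating rather than leaving to the reader). The trio `mode = "0600"; owner = "ryan"; group = "ryan";` is repeated verbatim for both alias secrets and the same username is already hardcoded in `age.identityPaths`, so a `let userOwned = { mode = "0600"; owner = "ryan"; group = "ryan"; }; in` with `age.secrets."alias-for-work.bash" = userOwned // { file = "${mysecrets}/alias-for-work.bash.age"; };` would keep them from drifting apart. Dropping `symlink = false` also means these files revert to the default symlink into agenix's per-generation directory, which is fine here, but since the user's shell executes their contents a comment that `mode`/`owner` are the only access control on that executable content would help the next maintainer. The enclosing module attribute set begins outside the hunk.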