Remove agenix

2026-01-27 18:57:15 +08:00 · 2023-03-27 13:03:31 -04:00 · 2023-03-27 13:03:31 -04:00 · 776b75847f
commit 776b75847f
parent 6a8141ad5e
12 changed files with 46 additions and 153 deletions
--- a/README.md
+++ b/README.md
@ -38,7 +38,7 @@ Start from `flake.nix` (see [Flakes](https://nixos.wiki/wiki/Flakes)). [`flake-p
 - `nixos`: nixos modules for Linux
 - `nix-darwin`: nix-darwin modules for macOS
 - `users`: user information
- `secrets`: agenix secrets (encrypted using ssh keys)
+- `secrets.yaml` (and `.sops.yaml`):  sops-nix secrets
 - `systems`: top-level configuration.nix('ish) for various systems

 ## Tips
--- a/flake.lock
+++ b/flake.lock
@ -1,23 +1,5 @@
 {
  "nodes": {
-    "agenix": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      },
-      "locked": {
-        "lastModified": 1665870395,
-        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
    "check-flake": {
      "locked": {
        "lastModified": 1662502605,
@ -75,7 +57,7 @@
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat_2",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
        "utils": "utils_3"
      },
      "locked": {
@ -111,7 +93,7 @@
    "emacs-overlay": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1672630914,
@ -136,7 +118,7 @@
        "haskell-flake": "haskell-flake",
        "heist": "heist",
        "heist-extra": "heist-extra",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
@ -447,7 +429,7 @@
      "inputs": {
        "flake-parts": "flake-parts_3",
        "nix-darwin": "nix-darwin",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_3",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix"
      },
      "locked": {
@ -524,7 +506,7 @@
        "flake-root": "flake-root_3",
        "jenkinsPlugins2nix": "jenkinsPlugins2nix",
        "nixos-flake": "nixos-flake",
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_6",
        "sops-nix": "sops-nix"
      },
      "locked": {
@ -546,7 +528,7 @@
      "inputs": {
        "flake-compat": "flake-compat_3",
        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1629079129,
@ -566,7 +548,7 @@
      "inputs": {
        "flake-compat": "flake-compat_4",
        "flake-utils": "flake-utils_4",
-        "nixpkgs": "nixpkgs_9"
+        "nixpkgs": "nixpkgs_8"
      },
      "locked": {
        "lastModified": 1629079129,
@ -649,7 +631,7 @@
    "nix-serve-ng": {
      "inputs": {
        "flake-compat": "flake-compat_5",
-        "nixpkgs": "nixpkgs_10",
+        "nixpkgs": "nixpkgs_9",
        "utils": "utils_4"
      },
      "locked": {
@ -713,7 +695,7 @@
    },
    "nixos-shell": {
      "inputs": {
-        "nixpkgs": "nixpkgs_11"
+        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
        "lastModified": 1646257415,
@ -747,18 +729,14 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1665732960,
-        "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
-        "type": "github"
+        "lastModified": 0,
+        "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=",
+        "path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source",
+        "type": "path"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "type": "indirect"
      }
    },
    "nixpkgs-lib": {
@ -854,7 +832,7 @@
    "nixpkgs-match": {
      "inputs": {
        "flake-parts": "flake-parts_5",
-        "nixpkgs": "nixpkgs_13"
+        "nixpkgs": "nixpkgs_12"
      },
      "locked": {
        "lastModified": 1672924430,
@ -903,22 +881,6 @@
      }
    },
    "nixpkgs_10": {
-      "locked": {
-        "lastModified": 1669391192,
-        "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "master",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_11": {
      "locked": {
        "lastModified": 1628465643,
        "narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=",
@ -933,7 +895,7 @@
        "type": "indirect"
      }
    },
-    "nixpkgs_12": {
+    "nixpkgs_11": {
      "locked": {
        "lastModified": 1678819893,
        "narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=",
@ -949,7 +911,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_13": {
+    "nixpkgs_12": {
      "locked": {
        "lastModified": 1672756850,
        "narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=",
@ -965,7 +927,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_14": {
+    "nixpkgs_13": {
      "locked": {
        "lastModified": 1679734080,
        "narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=",
@ -982,18 +944,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 0,
-        "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=",
-        "path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source",
-        "type": "path"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1668443372,
        "narHash": "sha256-lXNlVyNWwO22/JUdBtUWz68jZB3DM+Jq/irlsbwncI0=",
@ -1009,7 +959,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1670495322,
        "narHash": "sha256-PYwHXymeQZBrTylwDd4LgozTAgrJmp3UGf3mgnKPRr0=",
@ -1025,7 +975,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1671417167,
        "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
@ -1041,7 +991,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1622516815,
        "narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=",
@ -1057,7 +1007,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1679172431,
        "narHash": "sha256-XEh5gIt5otaUbEAPUY5DILUTyWe1goAyeqQtmwaFPyI=",
@ -1073,7 +1023,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_8": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1679734080,
        "narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=",
@ -1089,7 +1039,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_9": {
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1622516815,
        "narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=",
@ -1105,6 +1055,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_9": {
+      "locked": {
+        "lastModified": 1669391192,
+        "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-utils": "flake-utils_2",
@ -1129,7 +1095,6 @@
    },
    "root": {
      "inputs": {
-        "agenix": "agenix",
        "coc-rust-analyzer": "coc-rust-analyzer",
        "comma": "comma",
        "emacs-overlay": "emacs-overlay",
@ -1146,7 +1111,7 @@
        "nixos-hardware": "nixos-hardware",
        "nixos-shell": "nixos-shell",
        "nixos-vscode-server": "nixos-vscode-server",
-        "nixpkgs": "nixpkgs_12",
+        "nixpkgs": "nixpkgs_11",
        "nixpkgs-match": "nixpkgs-match",
        "sops-nix": "sops-nix_2",
        "zk-nvim": "zk-nvim"
@ -1154,7 +1119,7 @@
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_7",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
@ -1173,7 +1138,7 @@
    },
    "sops-nix_2": {
      "inputs": {
-        "nixpkgs": "nixpkgs_14",
+        "nixpkgs": "nixpkgs_13",
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -9,7 +9,6 @@
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    agenix.url = "github:ryantm/agenix";
    sops-nix.url = "github:Mic92/sops-nix";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    nixos-flake.url = "github:srid/nixos-flake";
@ -109,7 +108,6 @@
            pkgs.nixpkgs-fmt
            pkgs.sops
            pkgs.ssh-to-age
-            inputs'.agenix.packages.agenix
          ];
        };
        formatter = pkgs.nixpkgs-fmt;
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -20,7 +20,6 @@ in
      default.imports = [
        self.nixosModules.home-manager
        self.nixosModules.myself
-        inputs.agenix.nixosModule
        ./caches
        ./self-ide.nix
        ./ssh-authorize.nix
--- a/nixos/hercules.nix
+++ b/nixos/hercules.nix
@ -1,7 +1,7 @@
 { pkgs, flake, ... }:

 {
-  # TODO: use agenix to manage
+  # TODO: use sops-nix to manage
  # - secrets
  # - ssh keys
  services.hercules-ci-agent = {
--- a/secrets/cache-priv-key.age
+++ b/secrets/cache-priv-key.age
@ -1,17 +0,0 @@
-age-encryption.org/v1
-> ssh-rsa sNTFlg
-HWFakDSoNvKBX7RqqrIY49zYgBqaTvbvGJRaWyuWzTH4EiFaYQqRtAvPJEwzMcua
-Sy7Nn7cXLdO85KLyl39MUMhYt9Umxkzear3bF8kuNEq/PWXh6psct4EjZC8iqP4c
-qY8rPWpfGtKaoKTv8Qo1Av1XatbvO+1ZZe38u1dA8heUbHJA0xWYs+bg44AyNjSf
-n3IpA/0q2QAZ5GcXLG8M6Z5qdFOOO3t06Cgt5ToTGpPCX0GuhmVi/Bf9XLJOgJZC
-ueJUdG4Ctycej4TtSPcilB1XCuMXcfGpUgli+ZPBU/shrP2Gb5Cndh1tCHPATyd0
-4DZdK8ZO1WlmP3yTkXvbLg
-> ssh-ed25519 96IXNQ pV7u4NPPBnvKbI93pQKyMb7hemjrK0SU/GQBA077FgA
-KNlyHMFfpcTuDJQtffXmXjDIehj6uDoZ+Br1ZfmoKrI
-> ssh-ed25519 Zqspmg /2xD3Na+3D3nDkI/6cTHPqIs8SN2ev/7npSIJt+sMjU
-v6ZX2+9cDfWG0L0CKm0y5GSAFx4nX/rfM2feW1dJrcs
-> *UHS;-grease )Ca :hs `=rg-!V3 5(3P
-478tjrnP5M2HByuEGLsJ72ZodUni2ZpT62qPPRISjgRL0QZl64GrBa3WCGkfpkhx
-qtPFTTImOHTPHxZNHky6Tv1xYnGiFOs1eg
--- DvwqPtRSqjFLcGi0SCqtOJnPWIQ9V6dFuUJ2DeXL4qg
-€–X¥Û#¬Õùìß34\Ø=WW†ÄáLMËº]é(v™‡ž²¶¹ê¬˜Óvo+ö”À<²øAÓÀ…Àw…³1<>TÙ=ƒ<>ê®˜nÜ=•Ôï¸v}!Á¿eø¯	MÈgÁI¸<49>n«'éñöMÆ·dsT-7bÊòJ]=?t<óˆŒ*<âã
--- a/secrets/cache-pub-key
+++ b/secrets/cache-pub-key
@ -1 +0,0 @@
-cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo=
--- a/secrets/jenkins-github-app-privkey.age
+++ b/secrets/jenkins-github-app-privkey.age
--- a/secrets/jenkins-ssh-privkey.age
+++ b/secrets/jenkins-ssh-privkey.age
@ -1,18 +0,0 @@
-age-encryption.org/v1
-> ssh-rsa sNTFlg
-debFJnMQu6VYOy3GKosgCg3+qoc/9E2Al1jmOfrYCdir/0MVRBYEDgmSzB2SJll4
-65Poa9RZqBpPZ2g6xTKpa7VotQxhdGDWa0GXLyj8JawqCg7slBSMhp/ixw8bY7jA
-W0M+pfCBhgebhl/77CHcPuM+ZJ5SyTaRh2tgDKaTEOcHvvh6E+TVlIn45gUuzx+b
-TAaAgzYyHG56MCwF054easEkss/cdQaIz02rlWqgJYDf0SGd1IjCaiQl8f+ZgM4j
-W8mgmaOqKTtsgh+ykqoFP6tbV5+L3AelbZ3cYi/0dDCk2k6SRy1O8i6wbUMvmrQI
-N+N/YdecVkWynIePujLQLQ
-> ssh-ed25519 96IXNQ 6kNGDSEsoEV42FKppOrHmsLbt1lTv1Th0V3Y/62FAys
-8TiQJnkvER6stps/B9H4+wH2ZbRFLWnAJLJNiuKS4lU
-> ssh-ed25519 Zqspmg bCy5N9RCiE5PMGmxfhQPxoArq+OmvHEagiyuRM3ZryE
-zW056z0XFGm06Sx158vnhwLagTn0og8tN5WQYOyHFGA
-> ^kTdp*-grease w $063GJO# &'? :#x
-1mlqmNmBfDGFqH9v82rSxBDq2oDOTqQGQQ/pL/0PfBufbXqKMcjX4F8xhXaacBr1
-wrKLiA
--- DPmB1o/bO+UXSiPm/SEPKZOuGy7JE2I08SuZWQMb8mc
-pgGžquÍôÎ‚5Íz’YžD+†;qÇÁ¢•T¨—H6Z·<C2AD>VNBO#Œ0&¦¤—«ªcp¶±jSÊuH.N!H±‹e6˜U…– N7'¥¦si¶öùlç×Žâ'¥6d"$ÉåÙöœr˜Ÿ›•2\Ó<>ßfÉ6Cå¹
-	:àa[»Ù<C2BB>°Øt¹LªšaØ“Á‰{¬Ò—Œ"ß¿ß1¶
ê^^r?Êù˜&ÄHqnÜÊr)&æo–~_™ø5?NóŒ¹<.ŽÀ«°çä-CÛšÕØÝKˆJÃFýîÜHcmþ·¤<C2B7>|SØc¡„‘MVR@Ÿ/èuáÀ<3Þi„šDžãÎñpuÍF×ëIÕƒ÷þ Ôr|Š“ƒ³ÚAØ.ê/Žaå¯Üa³D‡
Ä®äÌ÷~yqÿ<71>Þ«P[]êsrbOÐŸ%pŠú¥V:6Â”PZ¨}™h7¬}¦'nîéÃêÏêVð8poèžFÎY*EÒâé’¨–ÚYò·u_¨MvÖÚ3ÏwM mÃMšãd¦öÁX™
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,16 +0,0 @@
-let
-  keys =
-    (import ../users/config.nix).users.srid.sshKeys
-    ++ [
-      (import ../systems/hetzner/ax101.info.nix).hostKeyPub
-    ];
-in
-# How I rekey on macOS:
-  # agenix  -r -i =(op read 'op://Personal/id_rsa/private key')
-{
-  "cache-priv-key.age".publicKeys = keys;
-  "jenkins-ssh-privkey.age".publicKeys = keys;
-  "jenkins-github-app-privkey.age".publicKeys = keys;
-  "srid-cachix-auth-token.age".publicKeys = keys;
-  "srid-docker-pass.age".publicKeys = keys;
-}
--- a/secrets/srid-cachix-auth-token.age
+++ b/secrets/srid-cachix-auth-token.age
--- a/secrets/srid-docker-pass.age
+++ b/secrets/srid-docker-pass.age
@ -1,17 +0,0 @@
-age-encryption.org/v1
-> ssh-rsa sNTFlg
-M9Dt+kUeZ6dbQ8a/cOpZSXgw5dATlt5G4jE2on2rS0K+IGteHvq5bPkYSH9dWeIr
-giT3LM8FARKLsXgGOxsIxu0bgwUmp2qoc1fMaDroW7wVwFL+ly8Dl1a9of4V8XC2
-8/K/Mm2HubZJe3L/15u2CQ6IDH5JoZF+ckV/mA4G56CCByjAkn/KVwynuqNeLWq7
-iczpuDbI9re/nChLXZ4Gm/nCl9iwFfSwaZIBAeeKiJ9vJPOFJOiSj8l8OUlNHpyl
-3Uj/AeFgxpmjJvuaZjRAjuikeIVNDQpW3xslx2+lKP8K78fv0/ZELzhJYY0m3qEx
-8ooqYf7Qg3pAjx9/QuxzOw
-> ssh-ed25519 96IXNQ fN4mSlev/oFwGFB25V+PLAhdQVQYzOftPdNwgJv/2FA
-TEYYqD14vgIkj6yP1bKkrSpmkrq8wJoR/Y9ooBRZSgo
-> ssh-ed25519 Zqspmg br8SoJ3Fp5AogfTVWXOk0r4gkjnNYPx6lz7gwVxD41E
-nCkvAGK2lD69n05sGQ2ouGgPsiFd7cnrFh7uJ+nzsC8
-> d.p/,a}J-grease
-DoAgE6jK3hDAAlqvG+SSJiO4SG0X7Qi4KSqvwvDd6EiDKOrBTYl20k1vKa6tXJ+0
-MHEGNxUSiNmuApzthOo99U9sCCUxJ/i3lI9tz9PpYDr0p71/HnxUMhg0EW4
--- LevtDUV5O/eoOQLCyfFA0OVgKpognIa+UhwV96l6XhM
-Ž·3K\I2äuü¸[žšå<C5A1>³¡»•}Ø=ÕMß-Ò<>ñÔ"ê…2;[ÕšrØ©WÅ1j+ÓÂ¤URKn
				`@ -1 +0,0 @@`
				`cache.srid.ca:8sQkbPrOIoXktIwI0OucQBXod2e9fDjjoEZWn8OXbdo=`