diff --git a/README.md b/README.md index 935c9df..67a9d1d 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ Start from `flake.nix` (see [Flakes](https://nixos.wiki/wiki/Flakes)). [`flake-p - `nixos`: nixos modules for Linux - `nix-darwin`: nix-darwin modules for macOS - `users`: user information -- `secrets`: agenix secrets (encrypted using ssh keys) +- `secrets.yaml` (and `.sops.yaml`): sops-nix secrets - `systems`: top-level configuration.nix('ish) for various systems ## Tips diff --git a/flake.lock b/flake.lock index 5083d43..29c0eb3 100644 --- a/flake.lock +++ b/flake.lock @@ -1,23 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1665870395, - "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=", - "owner": "ryantm", - "repo": "agenix", - "rev": "a630400067c6d03c9b3e0455347dc8559db14288", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "check-flake": { "locked": { "lastModified": 1662502605, @@ -75,7 +57,7 @@ "deploy-rs": { "inputs": { "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "utils": "utils_3" }, "locked": { @@ -111,7 +93,7 @@ "emacs-overlay": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1672630914, @@ -136,7 +118,7 @@ "haskell-flake": "haskell-flake", "heist": "heist", "heist-extra": "heist-extra", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "treefmt-nix": "treefmt-nix" }, "locked": { @@ -447,7 +429,7 @@ "inputs": { "flake-parts": "flake-parts_3", "nix-darwin": "nix-darwin", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks-nix": "pre-commit-hooks-nix" }, "locked": { 
@@ -524,7 +506,7 @@ "flake-root": "flake-root_3", "jenkinsPlugins2nix": "jenkinsPlugins2nix", "nixos-flake": "nixos-flake", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_6", "sops-nix": "sops-nix" }, "locked": { @@ -546,7 +528,7 @@ "inputs": { "flake-compat": "flake-compat_3", "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1629079129, @@ -566,7 +548,7 @@ "inputs": { "flake-compat": "flake-compat_4", "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1629079129, @@ -649,7 +631,7 @@ "nix-serve-ng": { "inputs": { "flake-compat": "flake-compat_5", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_9", "utils": "utils_4" }, "locked": { @@ -713,7 +695,7 @@ }, "nixos-shell": { "inputs": { - "nixpkgs": "nixpkgs_11" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1646257415, @@ -747,18 +729,14 @@ }, "nixpkgs": { "locked": { - "lastModified": 1665732960, - "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", - "type": "github" + "lastModified": 0, + "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=", + "path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source", + "type": "path" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "type": "indirect" } }, "nixpkgs-lib": { @@ -854,7 +832,7 @@ "nixpkgs-match": { "inputs": { "flake-parts": "flake-parts_5", - "nixpkgs": "nixpkgs_13" + "nixpkgs": "nixpkgs_12" }, "locked": { "lastModified": 1672924430, 
@@ -903,22 +881,6 @@ } }, "nixpkgs_10": { - "locked": { - "lastModified": 1669391192, - "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_11": { "locked": { "lastModified": 1628465643, "narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=", @@ -933,7 +895,7 @@ "type": "indirect" } }, - "nixpkgs_12": { + "nixpkgs_11": { "locked": { "lastModified": 1678819893, "narHash": "sha256-lfA6WGdxPsPkBK5Y19ltr5Sn7v7MlT+jpZ4nUgco0Xs=", @@ -949,7 +911,7 @@ "type": "github" } }, - "nixpkgs_13": { + "nixpkgs_12": { "locked": { "lastModified": 1672756850, "narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=", @@ -965,7 +927,7 @@ "type": "github" } }, - "nixpkgs_14": { + "nixpkgs_13": { "locked": { "lastModified": 1679734080, "narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=", @@ -982,18 +944,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 0, - "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=", - "path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source", - "type": "path" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1668443372, "narHash": "sha256-lXNlVyNWwO22/JUdBtUWz68jZB3DM+Jq/irlsbwncI0=", @@ -1009,7 +959,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1670495322, "narHash": "sha256-PYwHXymeQZBrTylwDd4LgozTAgrJmp3UGf3mgnKPRr0=", @@ -1025,7 +975,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1671417167, "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=", 
@@ -1041,7 +991,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1622516815, "narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=", @@ -1057,7 +1007,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1679172431, "narHash": "sha256-XEh5gIt5otaUbEAPUY5DILUTyWe1goAyeqQtmwaFPyI=", @@ -1073,7 +1023,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { "lastModified": 1679734080, "narHash": "sha256-z846xfGLlon6t9lqUzlNtBOmsgQLQIZvR6Lt2dImk1M=", @@ -1089,7 +1039,7 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1622516815, "narHash": "sha256-ZjBd81a6J3TwtlBr3rHsZspYUwT9OdhDk+a/SgSEf7I=", @@ -1105,6 +1055,22 @@ "type": "github" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1669391192, + "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-utils": "flake-utils_2", @@ -1129,7 +1095,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "coc-rust-analyzer": "coc-rust-analyzer", "comma": "comma", "emacs-overlay": "emacs-overlay", @@ -1146,7 +1111,7 @@ "nixos-hardware": "nixos-hardware", "nixos-shell": "nixos-shell", "nixos-vscode-server": "nixos-vscode-server", - "nixpkgs": "nixpkgs_12", + "nixpkgs": "nixpkgs_11", "nixpkgs-match": "nixpkgs-match", "sops-nix": "sops-nix_2", "zk-nvim": "zk-nvim" @@ -1154,7 +1119,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_7", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -1173,7 +1138,7 @@ }, "sops-nix_2": { "inputs": { - "nixpkgs": "nixpkgs_14", + "nixpkgs": "nixpkgs_13", "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { 
diff --git a/flake.nix b/flake.nix index f2ccfc5..64a7077 100644 --- a/flake.nix +++ b/flake.nix @@ -9,7 +9,6 @@ nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; - agenix.url = "github:ryantm/agenix"; sops-nix.url = "github:Mic92/sops-nix"; nixos-hardware.url = "github:NixOS/nixos-hardware"; nixos-flake.url = "github:srid/nixos-flake"; @@ -109,7 +108,6 @@ pkgs.nixpkgs-fmt pkgs.sops pkgs.ssh-to-age - inputs'.agenix.packages.agenix ]; }; formatter = pkgs.nixpkgs-fmt; diff --git a/nixos/default.nix b/nixos/default.nix index 0e5b209..a8d3af0 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -20,7 +20,6 @@ in default.imports = [ self.nixosModules.home-manager self.nixosModules.myself - inputs.agenix.nixosModule ./caches ./self-ide.nix ./ssh-authorize.nix diff --git a/nixos/hercules.nix b/nixos/hercules.nix index f7be881..a89e6f7 100644 --- a/nixos/hercules.nix +++ b/nixos/hercules.nix @@ -1,7 +1,7 @@ { pkgs, flake, ... }: { - # TODO: use agenix to manage + # TODO: use sops-nix to manage # - secrets # - ssh keys services.hercules-ci-agent = { diff --git a/secrets/cache-priv-key.age b/secrets/cache-priv-key.age deleted file mode 100644 index 9be9b81..0000000 --- a/secrets/cache-priv-key.age +++ /dev/null 
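Review bot: The reworded TODO at the top of `nixos/hercules.nix` only swaps the tool name and still does not say where the agent's secrets and SSH keys come from today, so a reader cannot tell whether they are provisioned by hand on the host or tracked anywhere. I would make the comment actionable, for example `# TODO: move into secrets.yaml via sops-nix; until then provisioned outside this repo (confirm how)`, keeping the two bullet lines below it unchanged. Until that is done, rotation and file permissions for these credentials cannot be reviewed from this tree, which is worth stating next to the service definition. The `services.hercules-ci-agent` attribute set continues past the end of the hunk, so how the agent actually reads its credentials is not visible here.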
@@ -1,17 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa sNTFlg -HWFakDSoNvKBX7RqqrIY49zYgBqaTvbvGJRaWyuWzTH4EiFaYQqRtAvPJEwzMcua -Sy7Nn7cXLdO85KLyl39MUMhYt9Umxkzear3bF8kuNEq/PWXh6psct4EjZC8iqP4c -qY8rPWpfGtKaoKTv8Qo1Av1XatbvO+1ZZe38u1dA8heUbHJA0xWYs+bg44AyNjSf -n3IpA/0q2QAZ5GcXLG8M6Z5qdFOOO3t06Cgt5ToTGpPCX0GuhmVi/Bf9XLJOgJZC -ueJUdG4Ctycej4TtSPcilB1XCuMXcfGpUgli+ZPBU/shrP2Gb5Cndh1tCHPATyd0 -4DZdK8ZO1WlmP3yTkXvbLg --> ssh-ed25519 96IXNQ pV7u4NPPBnvKbI93pQKyMb7hemjrK0SU/GQBA077FgA -KNlyHMFfpcTuDJQtffXmXjDIehj6uDoZ+Br1ZfmoKrI --> ssh-ed25519 Zqspmg /2xD3Na+3D3nDkI/6cTHPqIs8SN2ev/7npSIJt+sMjU -v6ZX2+9cDfWG0L0CKm0y5GSAFx4nX/rfM2feW1dJrcs --> *UHS;-grease )Ca :hs `=rg-!V3 5(3P -478tjrnP5M2HByuEGLsJ72ZodUni2ZpT62qPPRISjgRL0QZl64GrBa3WCGkfpkhx -qtPFTTImOHTPHxZNHky6Tv1xYnGiFOs1eg ---- DvwqPtRSqjFLcGi0SCqtOJnPWIQ9V6dFuUJ2DeXL4qg -X#34 \=WWLM˺](v꬘vo+ ssh-rsa sNTFlg -debFJnMQu6VYOy3GKosgCg3+qoc/9E2Al1jmOfrYCdir/0MVRBYEDgmSzB2SJll4 -65Poa9RZqBpPZ2g6xTKpa7VotQxhdGDWa0GXLyj8JawqCg7slBSMhp/ixw8bY7jA -W0M+pfCBhgebhl/77CHcPuM+ZJ5SyTaRh2tgDKaTEOcHvvh6E+TVlIn45gUuzx+b -TAaAgzYyHG56MCwF054easEkss/cdQaIz02rlWqgJYDf0SGd1IjCaiQl8f+ZgM4j -W8mgmaOqKTtsgh+ykqoFP6tbV5+L3AelbZ3cYi/0dDCk2k6SRy1O8i6wbUMvmrQI -N+N/YdecVkWynIePujLQLQ --> ssh-ed25519 96IXNQ 6kNGDSEsoEV42FKppOrHmsLbt1lTv1Th0V3Y/62FAys -8TiQJnkvER6stps/B9H4+wH2ZbRFLWnAJLJNiuKS4lU --> ssh-ed25519 Zqspmg bCy5N9RCiE5PMGmxfhQPxoArq+OmvHEagiyuRM3ZryE -zW056z0XFGm06Sx158vnhwLagTn0og8tN5WQYOyHFGA --> ^kTdp*-grease w $063GJO# &'? :#x -1mlqmNmBfDGFqH9v82rSxBDq2oDOTqQGQQ/pL/0PfBufbXqKMcjX4F8xhXaacBr1 -wrKLiA ---- DPmB1o/bO+UXSiPm/SEPKZOuGy7JE2I08SuZWQMb8mc -pgGqu΂5zYD+;qTH6ZVNBO#0&cpjSuH.N!He6U N7'sil׎'6d"$r2\Ӂf6C - :a[فtLaؓ{җ"߿1 ^^r?&Hqnr)&o~_5?N<.-CۚKJFHcm|ScMVR@/u<3iDpuFIՃr|A./aaD Į~yqP[]srbOП%pV:6”PZ}h7}'nV8poFY*EYu_Mv3wMmMdX \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index 03186a8..0000000 --- a/secrets/secrets.nix +++ /dev/null 
@@ -1,16 +0,0 @@ -let - keys = - (import ../users/config.nix).users.srid.sshKeys - ++ [ - (import ../systems/hetzner/ax101.info.nix).hostKeyPub - ]; -in -# How I rekey on macOS: - # agenix -r -i =(op read 'op://Personal/id_rsa/private key') -{ - "cache-priv-key.age".publicKeys = keys; - "jenkins-ssh-privkey.age".publicKeys = keys; - "jenkins-github-app-privkey.age".publicKeys = keys; - "srid-cachix-auth-token.age".publicKeys = keys; - "srid-docker-pass.age".publicKeys = keys; -} diff --git a/secrets/srid-cachix-auth-token.age b/secrets/srid-cachix-auth-token.age deleted file mode 100644 index d686402..0000000 Binary files a/secrets/srid-cachix-auth-token.age and /dev/null differ diff --git a/secrets/srid-docker-pass.age b/secrets/srid-docker-pass.age deleted file mode 100644 index 01d53e5..0000000 --- a/secrets/srid-docker-pass.age +++ /dev/null @@ -1,17 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa sNTFlg -M9Dt+kUeZ6dbQ8a/cOpZSXgw5dATlt5G4jE2on2rS0K+IGteHvq5bPkYSH9dWeIr -giT3LM8FARKLsXgGOxsIxu0bgwUmp2qoc1fMaDroW7wVwFL+ly8Dl1a9of4V8XC2 -8/K/Mm2HubZJe3L/15u2CQ6IDH5JoZF+ckV/mA4G56CCByjAkn/KVwynuqNeLWq7 -iczpuDbI9re/nChLXZ4Gm/nCl9iwFfSwaZIBAeeKiJ9vJPOFJOiSj8l8OUlNHpyl -3Uj/AeFgxpmjJvuaZjRAjuikeIVNDQpW3xslx2+lKP8K78fv0/ZELzhJYY0m3qEx -8ooqYf7Qg3pAjx9/QuxzOw --> ssh-ed25519 96IXNQ fN4mSlev/oFwGFB25V+PLAhdQVQYzOftPdNwgJv/2FA -TEYYqD14vgIkj6yP1bKkrSpmkrq8wJoR/Y9ooBRZSgo --> ssh-ed25519 Zqspmg br8SoJ3Fp5AogfTVWXOk0r4gkjnNYPx6lz7gwVxD41E -nCkvAGK2lD69n05sGQ2ouGgPsiFd7cnrFh7uJ+nzsC8 --> d.p/,a}J-grease -DoAgE6jK3hDAAlqvG+SSJiO4SG0X7Qi4KSqvwvDd6EiDKOrBTYl20k1vKa6tXJ+0 -MHEGNxUSiNmuApzthOo99U9sCCUxJ/i3lI9tz9PpYDr0p71/HnxUMhg0EW4 ---- LevtDUV5O/eoOQLCyfFA0OVgKpognIa+UhwV96l6XhM -3K\I2u[偳}=M-ҝ"2;[՚rةW1j+ ¤URKn \ No newline at end of file