Merge pull request #57 from srid/ragenix

Go back to `agenix` (via `ragenix`)
2025-12-31 19:47:15 +08:00 · 2024-06-21 19:32:37 -04:00 · 2024-06-21 19:32:37 -04:00 · e99d1579bc
commit e99d1579bc
parent 81602e895a 8f6dd1dcc5
7 changed files with 243 additions and 6 deletions
--- a/flake.lock
+++ b/flake.lock
@ -24,6 +24,30 @@
        "type": "github"
      }
    },
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager_3",
+        "nixpkgs": [
+          "ragenix",
+          "nixpkgs"
+        ],
+        "systems": "systems_8"
+      },
+      "locked": {
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "cargo-doc-live": {
      "locked": {
        "lastModified": 1713493311,
@ -115,6 +139,50 @@
        "type": "github"
      }
    },
+    "crane_3": {
+      "inputs": {
+        "nixpkgs": [
+          "ragenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1708794349,
+        "narHash": "sha256-jX+B1VGHT0ruHHL5RwS8L21R6miBn4B6s9iVyUJsJJY=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "2c94ff9a6fbeb9f3ea0107f28688edbe9c81deaa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "ragenix",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "devour-flake": {
      "flake": false,
      "locked": {
@ -384,6 +452,24 @@
        "type": "github"
      }
    },
+    "flake-utils_6": {
+      "inputs": {
+        "systems": "systems_9"
+      },
+      "locked": {
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "git-hooks": {
      "inputs": {
        "flake-compat": "flake-compat_3",
@ -496,6 +582,28 @@
        "type": "github"
      }
    },
+    "home-manager_3": {
+      "inputs": {
+        "nixpkgs": [
+          "ragenix",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "just-flake": {
      "locked": {
        "lastModified": 1713316411,
@ -801,6 +909,22 @@
      }
    },
    "nixpkgs_8": {
+      "locked": {
+        "lastModified": 1708655239,
+        "narHash": "sha256-ZrP/yACUvDB+zbqYJsln4iwotbH6CTZiTkANJ0AgDv4=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "cbc4211f0afffe6dfd2478a62615dd5175a13f9a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_9": {
      "locked": {
        "lastModified": 1680945546,
        "narHash": "sha256-8FuaH5t/aVi/pR1XxnF0qi4WwMYC+YxlfdsA0V+TEuQ=",
@ -901,6 +1025,28 @@
        "type": "github"
      }
    },
+    "ragenix": {
+      "inputs": {
+        "agenix": "agenix",
+        "crane": "crane_3",
+        "flake-utils": "flake-utils_6",
+        "nixpkgs": "nixpkgs_8",
+        "rust-overlay": "rust-overlay_3"
+      },
+      "locked": {
+        "lastModified": 1718869541,
+        "narHash": "sha256-smhpGh1x/8mNl+sFL8SbeWnx0bK4HWjmdRA3mIwGjPU=",
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "rev": "8a254bbaa93fbd38e16f70fa81af6782794e046e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "actualism-app": "actualism-app",
@ -916,6 +1062,7 @@
        "nixos-vscode-server": "nixos-vscode-server",
        "nixpkgs": "nixpkgs_7",
        "nixvim": "nixvim",
+        "ragenix": "ragenix",
        "treefmt-nix": "treefmt-nix_4"
      }
    },
@ -1004,6 +1151,31 @@
        "type": "github"
      }
    },
+    "rust-overlay_3": {
+      "inputs": {
+        "flake-utils": [
+          "ragenix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "ragenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1708740535,
+        "narHash": "sha256-NCTw235XwSDbeTAtAwg/hOeNOgwYhVq7JjDdbkOgBeA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "9b24383d77f598716fa0cbb8b48c97249f5ee1af",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -1109,6 +1281,36 @@
        "type": "github"
      }
    },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_9": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@ -1171,7 +1373,7 @@
    },
    "treefmt-nix_4": {
      "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_9"
      },
      "locked": {
        "lastModified": 1689243103,
--- a/flake.nix
+++ b/flake.nix
@ -14,6 +14,7 @@
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    colmena-flake.url = "github:juspay/colmena-flake";
+    ragenix.url = "github:yaxitech/ragenix";

    # Software inputs
    nixos-vscode-server.flake = false;
@ -98,7 +99,7 @@
            ./systems/ax41.nix;
      };

-      perSystem = { self', pkgs, system, config, ... }: {
+      perSystem = { self', inputs', pkgs, system, config, ... }: {
        # Flake inputs we want to update periodically
        # Run: `nix run .#update`.
        nixos-flake = {
@ -126,6 +127,7 @@
            just
            colmena
            nixd
+            inputs'.ragenix.packages.default
          ];
        };
        # Make our overlay available to the devShell
--- a/nix-darwin/default.nix
+++ b/nix-darwin/default.nix
@ -1,4 +1,4 @@
-{ self, config, ... }:
+{ self, inputs, config, ... }:
 {
  # Configuration common to all macOS systems
  flake = {
@ -15,6 +15,7 @@
        self.darwinModules_.home-manager
        self.darwinModules.my-home
        self.nixosModules.common
+        inputs.ragenix.darwinModules.default
      ];
    };
  };
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -1,4 +1,4 @@
-{ self, config, ... }:
+{ self, inputs, config, ... }:

 {
  # Configuration common to all Linux systems
@ -24,6 +24,7 @@
        self.nixosModules.home-manager
        self.nixosModules.my-home
        self.nixosModules.common
+        inputs.ragenix.nixosModules.default
        ./self/self-ide.nix
        ./current-location.nix
      ];
--- a/nixos/hedgedoc.nix
+++ b/nixos/hedgedoc.nix
@ -1,13 +1,18 @@
+{ config, ... }:
+
 let
  domain = "pad.srid.ca";
  port = 9112;
 in
 {
+  age.secrets."hedgedoc.env" = {
+    file = ../secrets/hedgedoc.env.age;
+    owner = "hedgedoc";
+  };
  services.hedgedoc = {
    enable = true;

-    # GitHub secrets set in colmena (see flake.nix)
-    environmentFile = "/run/keys/hedgedoc.env";
+    environmentFile = config.age.secrets."hedgedoc.env".path;

    settings = {
      # URL config
--- a/secrets/hedgedoc.env.age
+++ b/secrets/hedgedoc.env.age
@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk2SVhOUSA5TFpV
+TEEzeG02SUtkU2UxOXZuRlFTaldORTFNVi9SUlJaOGIwb1dpYUJBCm84NjZZaTNY
+amRwVlFIaXUvaVVaaFNxSTNUcWJRbEdMRXdoeUdvMUV6ZjQKLT4gc3NoLWVkMjU1
+MTkgTlVtMHJRIGlEOGo5bGdYN0FjSEtsd0RkMFBHenpkYnZTUmExblI2bVFUNW82
+WmY3QXcKOSttZXJsalllQ0QwN0JVcndhRFN2enpiYUNhVmNzM2JLRTQ1Z1l5c0Vt
+RQotPiBzc2gtZWQyNTUxOSAwWkxINncgajlZYlhhVFJpd041cXE1bXhjaC82ditT
+YWFlT2JybkVOU2k4NEcyTXBUcwo4SDMzd3RNRGJDN3gzUzdMcE5VakNwQTNQRFls
+a05PdnNYUUxpNUYyQU5NCi0+IDpUOC1ncmVhc2UgWH1kdwozN0xJOCsxaHJKNUJx
+cFloTzZTNllDdzNUa1NVVjlRdE9xOVYKLS0tIEx0UjZaaVFFRlhVRXlQZ1oyTVRp
+NklTcHl2dC94TDVRZ2M0RGdpZ1ppT2sK5NgtzlMUj6tqCqc9aIgJCc57UZEanqMG
+0P4sp71YjhA5LqscekVw74siwZlq5jUoK/Ai74Wyz4nqvKsys3t2BOkXmJeeCAdp
+ChIFP5Soe/ZX/u8N4VxGdrRL/kp+aIX12bEtoXalm9n4RsVbTpNp65ecR6JTGcDW
+Pgh9/s7MTJutezTUb3e3rY7v
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
+let
+  config = import ../users/config.nix;
+  users = [ config.users.srid.sshKey ];
+
+  appreciate = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICra+ZidiwrHGjcGnyqPvHcZDvnGivbLMayDyecPYDh0";
+  immediacy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZALEiJIrH1Kj10u+WshkQXr5NHmszza8wNLqW+2fB0";
+  systems = [ appreciate immediacy ];
+in
+{
+  "hedgedoc.env.age".publicKeys = users ++ systems;
+}