From d9b560153425df742bdb89487e227a60692fe03b Mon Sep 17 00:00:00 2001 From: Sridhar Ratnakumar Date: Fri, 21 Jun 2024 19:00:18 -0400 Subject: [PATCH 1/4] Install ragenix - add flake input - import nixos and nix-darwin module --- flake.lock | 204 ++++++++++++++++++++++++++++++++++++++++- flake.nix | 1 + nix-darwin/default.nix | 3 +- nixos/default.nix | 3 +- 4 files changed, 208 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 58ab691..ce5bdac 100644 --- a/flake.lock +++ b/flake.lock @@ -24,6 +24,30 @@ "type": "github" } }, + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager_3", + "nixpkgs": [ + "ragenix", + "nixpkgs" + ], + "systems": "systems_8" + }, + "locked": { + "lastModified": 1707830867, + "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", + "owner": "ryantm", + "repo": "agenix", + "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "cargo-doc-live": { "locked": { "lastModified": 1713493311, @@ -115,6 +139,50 @@ "type": "github" } }, + "crane_3": { + "inputs": { + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708794349, + "narHash": "sha256-jX+B1VGHT0ruHHL5RwS8L21R6miBn4B6s9iVyUJsJJY=", + "owner": "ipetkov", + "repo": "crane", + "rev": "2c94ff9a6fbeb9f3ea0107f28688edbe9c81deaa", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "devour-flake": { "flake": false, "locked": { 
@@ -384,6 +452,24 @@ "type": "github" } }, + "flake-utils_6": { + "inputs": { + "systems": "systems_9" + }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "git-hooks": { "inputs": { "flake-compat": "flake-compat_3", @@ -496,6 +582,28 @@ "type": "github" } }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "just-flake": { "locked": { "lastModified": 1713316411, @@ -801,6 +909,22 @@ } }, "nixpkgs_8": { + "locked": { + "lastModified": 1708655239, + "narHash": "sha256-ZrP/yACUvDB+zbqYJsln4iwotbH6CTZiTkANJ0AgDv4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "cbc4211f0afffe6dfd2478a62615dd5175a13f9a", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_9": { "locked": { "lastModified": 1680945546, "narHash": "sha256-8FuaH5t/aVi/pR1XxnF0qi4WwMYC+YxlfdsA0V+TEuQ=", 
@@ -901,6 +1025,28 @@ "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix", + "crane": "crane_3", + "flake-utils": "flake-utils_6", + "nixpkgs": "nixpkgs_8", + "rust-overlay": "rust-overlay_3" + }, + "locked": { + "lastModified": 1718869541, + "narHash": "sha256-smhpGh1x/8mNl+sFL8SbeWnx0bK4HWjmdRA3mIwGjPU=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "8a254bbaa93fbd38e16f70fa81af6782794e046e", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "root": { "inputs": { "actualism-app": "actualism-app", @@ -916,6 +1062,7 @@ "nixos-vscode-server": "nixos-vscode-server", "nixpkgs": "nixpkgs_7", "nixvim": "nixvim", + "ragenix": "ragenix", "treefmt-nix": "treefmt-nix_4" } }, @@ -1004,6 +1151,31 @@ "type": "github" } }, + "rust-overlay_3": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708740535, + "narHash": "sha256-NCTw235XwSDbeTAtAwg/hOeNOgwYhVq7JjDdbkOgBeA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "9b24383d77f598716fa0cbb8b48c97249f5ee1af", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -1109,6 +1281,36 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_9": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -1171,7 +1373,7 @@ }, "treefmt-nix_4": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1689243103, diff --git a/flake.nix b/flake.nix index d07ae1d..45fc917 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,7 @@ disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; colmena-flake.url = "github:juspay/colmena-flake"; + ragenix.url = "github:yaxitech/ragenix"; # Software inputs nixos-vscode-server.flake = false; diff --git a/nix-darwin/default.nix b/nix-darwin/default.nix index af2dad3..acd8b77 100644 --- a/nix-darwin/default.nix +++ b/nix-darwin/default.nix @@ -1,4 +1,4 @@ -{ self, config, ... }: +{ self, inputs, config, ... }: { # Configuration common to all macOS systems flake = { @@ -15,6 +15,7 @@ self.darwinModules_.home-manager self.darwinModules.my-home self.nixosModules.common + inputs.ragenix.darwinModules.default ]; }; }; diff --git a/nixos/default.nix b/nixos/default.nix index 33d6f32..203d2f8 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -1,4 +1,4 @@ -{ self, config, ... }: +{ self, inputs, config, ... }: { # Configuration common to all Linux systems 
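Review bot: The new `ragenix.url = "github:yaxitech/ragenix";` line in flake.nix does not make ragenix follow the flake's own nixpkgs, unlike the `disko.inputs.nixpkgs.follows = "nixpkgs";` line two lines above it, and the flake.lock hunks in this commit show the result: a separate `nixpkgs_8` (nixos-unstable, lastModified 1708655239) plus `crane_3` and `rust-overlay_3` trees pinned only for ragenix. Adding `ragenix.inputs.nixpkgs.follows = "nixpkgs";` beside the url line keeps one nixpkgs revision to track and audit instead of two and avoids fetching a second nixpkgs at evaluation time; per the lock, agenix, darwin and home-manager_3 already resolve their nixpkgs through ragenix's, so that single line covers them. ragenix is a Rust build, so it should be checked once against the followed nixpkgs, and `nix flake lock` re-run so the lock matches.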
@@ -24,6 +24,7 @@ self.nixosModules.home-manager self.nixosModules.my-home self.nixosModules.common + inputs.ragenix.nixosModules.default ./self/self-ide.nix ./current-location.nix ]; From d17234e94e784b9928794bc84fac5a43408eeff5 Mon Sep 17 00:00:00 2001 From: Sridhar Ratnakumar Date: Fri, 21 Jun 2024 19:16:14 -0400 Subject: [PATCH 2/4] Add ragenix to devShell --- flake.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 45fc917..8f586f1 100644 --- a/flake.nix +++ b/flake.nix @@ -99,7 +99,7 @@ ./systems/ax41.nix; }; - perSystem = { self', pkgs, system, config, ... }: { + perSystem = { self', inputs', pkgs, system, config, ... }: { # Flake inputs we want to update periodically # Run: `nix run .#update`. nixos-flake = { @@ -127,6 +127,7 @@ just colmena nixd + inputs'.ragenix.packages.default ]; }; # Make our overlay available to the devShell From 3a21580be0f4642f16ced1e676aa5350fdd21d5b Mon Sep 17 00:00:00 2001 From: Sridhar Ratnakumar Date: Fri, 21 Jun 2024 19:17:06 -0400 Subject: [PATCH 3/4] Add secrets.nix w/ a secret (hedgehog) --- secrets/hedgedoc.env.age | 15 +++++++++++++++ secrets/secrets.nix | 11 +++++++++++ 2 files changed, 26 insertions(+) create mode 100644 secrets/hedgedoc.env.age create mode 100644 secrets/secrets.nix diff --git a/secrets/hedgedoc.env.age b/secrets/hedgedoc.env.age new file mode 100644 index 0000000..7c051f2 --- /dev/null +++ b/secrets/hedgedoc.env.age 
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk2SVhOUSA5TFpV
+TEEzeG02SUtkU2UxOXZuRlFTaldORTFNVi9SUlJaOGIwb1dpYUJBCm84NjZZaTNY
+amRwVlFIaXUvaVVaaFNxSTNUcWJRbEdMRXdoeUdvMUV6ZjQKLT4gc3NoLWVkMjU1
+MTkgTlVtMHJRIGlEOGo5bGdYN0FjSEtsd0RkMFBHenpkYnZTUmExblI2bVFUNW82
+WmY3QXcKOSttZXJsalllQ0QwN0JVcndhRFN2enpiYUNhVmNzM2JLRTQ1Z1l5c0Vt
+RQotPiBzc2gtZWQyNTUxOSAwWkxINncgajlZYlhhVFJpd041cXE1bXhjaC82ditT
+YWFlT2JybkVOU2k4NEcyTXBUcwo4SDMzd3RNRGJDN3gzUzdMcE5VakNwQTNQRFls
+a05PdnNYUUxpNUYyQU5NCi0+IDpUOC1ncmVhc2UgWH1kdwozN0xJOCsxaHJKNUJx
+cFloTzZTNllDdzNUa1NVVjlRdE9xOVYKLS0tIEx0UjZaaVFFRlhVRXlQZ1oyTVRp
+NklTcHl2dC94TDVRZ2M0RGdpZ1ppT2sK5NgtzlMUj6tqCqc9aIgJCc57UZEanqMG
+0P4sp71YjhA5LqscekVw74siwZlq5jUoK/Ai74Wyz4nqvKsys3t2BOkXmJeeCAdp
+ChIFP5Soe/ZX/u8N4VxGdrRL/kp+aIX12bEtoXalm9n4RsVbTpNp65ecR6JTGcDW
+Pgh9/s7MTJutezTUb3e3rY7v
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..f7c7b76
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,11 @@
+let
+ config = import ../users/config.nix;
+ users = [ config.users.srid.sshKey ];
+
+ appreciate = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICra+ZidiwrHGjcGnyqPvHcZDvnGivbLMayDyecPYDh0";
+ immediacy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZALEiJIrH1Kj10u+WshkQXr5NHmszza8wNLqW+2fB0";
+ systems = [ appreciate immediacy ];
+in
+{
+ "hedgedoc.env.age".publicKeys = users ++ systems;
+}
From 8f6dd1dcc50d80d4697c2c6a1c3b37aa9b57df08 Mon Sep 17 00:00:00 2001 From: Sridhar Ratnakumar Date: Fri, 21 Jun 2024 19:20:27 -0400 Subject: [PATCH 4/4] Reference the secret in hedgedoc service --- nixos/hedgedoc.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/nixos/hedgedoc.nix b/nixos/hedgedoc.nix
index 5f80166..91a1a1d 100644
--- a/nixos/hedgedoc.nix
+++ b/nixos/hedgedoc.nix
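Review bot: `systems = [ appreciate immediacy ]` in secrets/secrets.nix makes both host keys recipients of hedgedoc.env.age, so either machine can decrypt the hedgedoc environment file; if hedgedoc is deployed to only one of them, listing just that host's key keeps the secret undecryptable on a host that has no use for it. The two keys also carry no provenance, so a comment above `appreciate` such as `# ssh-ed25519 host keys (/etc/ssh/ssh_host_ed25519_key.pub) of the hosts allowed to decrypt, one binding per host` would let a later reader check them against the real machines and know to re-key when a host is rebuilt and its key changes. Any change to `publicKeys` only takes effect after the .age file is re-encrypted (`ragenix --rekey`), which is worth stating in the commit that does it. `config.users.srid.sshKey` comes from `../users/config.nix`, which is outside this series, so I cannot confirm that attribute exists.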
@@ -1,13 +1,18 @@ +{ config, ... }: + let domain = "pad.srid.ca"; port = 9112; in { + age.secrets."hedgedoc.env" = { + file = ../secrets/hedgedoc.env.age; + owner = "hedgedoc"; + }; services.hedgedoc = { enable = true; - # GitHub secrets set in colmena (see flake.nix) - environmentFile = "/run/keys/hedgedoc.env"; + environmentFile = config.age.secrets."hedgedoc.env".path; settings = { # URL config