From 1d9dad78ee1f96cfae09e4d006f25cf0ddf76c48 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt <yorick@yorickvanpelt.nl>
Date: Sun, 16 Oct 2022 13:50:43 +0200
Subject: [PATCH] remove move root passwords to agenix

---
 .gitattributes                             |   1 -
 nixos/machines/pennyworth/hetznercloud.nix |   3 +--
 nixos/roles/default.nix                    |  11 +++++++----
 nixos/secrets.nix                          | Bin 489 -> 0 bytes
 nixos/services/email.nix                   |   3 ++-
 secrets/root-user-pass.age                 |  17 +++++++++++++++++
 secrets/secrets.nix                        | Bin 1271 -> 1520 bytes
 secrets/yorick-mail-pass.age               | Bin 0 -> 442 bytes
 secrets/yorick-user-pass.age               |  18 ++++++++++++++++++
 9 files changed, 45 insertions(+), 8 deletions(-)
 delete mode 100644 .gitattributes
 delete mode 100644 nixos/secrets.nix
 create mode 100644 secrets/root-user-pass.age
 create mode 100644 secrets/yorick-mail-pass.age
 create mode 100644 secrets/yorick-user-pass.age

diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index f0bd4f3..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-secrets.nix filter=git-crypt diff=git-crypt
diff --git a/nixos/machines/pennyworth/hetznercloud.nix b/nixos/machines/pennyworth/hetznercloud.nix
index be46f96..af776ca 100644
--- a/nixos/machines/pennyworth/hetznercloud.nix
+++ b/nixos/machines/pennyworth/hetznercloud.nix
@@ -1,6 +1,5 @@
 { config, lib, pkgs, modulesPath, ... }:
-let ipconf = (import ../../secrets.nix).ipconf.${config.networking.hostName};
-in {
+{
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index f0e41a9..af1e4f0 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -1,5 +1,4 @@
-let secrets = import ../secrets.nix;
-in { config, pkgs, lib, name, inputs, ... }:
+{ config, pkgs, lib, name, inputs, ... }:
 let
   machine = name;
   vpn = import ../vpn.nix;
@@ -14,6 +13,10 @@ in {
     ../modules/muflax-blog.nix
     ../services
   ];
+  age.secrets = {
+    root-user-pass.file = ../../secrets/root-user-pass.age;
+    yorick-user-pass.file = ../../secrets/yorick-user-pass.age;
+  };
 
   nix.nixPath = [];# "nixpkgs=${pkgs.path}" ];
   nix.registry.nixpkgs.flake = inputs.nixpkgs;
@@ -26,7 +29,7 @@ in {
     openssh.authorizedKeys.keys =
       config.users.users.yorick.openssh.authorizedKeys.keys;
     # root password is useful from console, ssh has password logins disabled
-    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+    passwordFile = config.age.secrets.root-user-pass.path; # TODO: generate own
 
   };
   services.timesyncd.enable = true;
@@ -36,7 +39,7 @@ in {
     extraGroups = [ "wheel" ];
     group = "users";
     openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
-    hashedPassword = secrets.yorick_hashedPassword;
+    passwordFile = config.age.secrets.yorick-user-pass.path;
     createHome = true;
   };
 
diff --git a/nixos/secrets.nix b/nixos/secrets.nix
deleted file mode 100644
index 0fa5e7401c8036f04593520b4628e51e1f609710..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 489
zcmV<F0T%uMM@dveQdv+`0PX0i1HCSNgINnqYz>~{KaMIM9w!N#FippZFsnJrZ!-uD
zZY*$pD@*L|iwgK|9co2bn?C;VJ9yXyoP==E&xYjT(J9|@Qh7}F{V5BxQ~ChCnx{r)
zGjH|yPYKv}nq4)Dkq^Uz&i$v<q|FxP9|v~r56bkR!Qo*SR5quSoMuXsB}B&OOq)go
zqc{_I$M4yvSv*-Sg#Zo#qin%u$nW1TdJ!QpK`7SxL+!L55PP<8g(a_Kcc_Lzx9omU
zq6^vi!q)veJZ+Fu2-p6P+-SB5U%ltX4)qxBaWJ0D=LTsvi){M|9RlN49y$x3cP;^F
zIxUToe4<wjyQ}e!qy4=XhU93>kd~j>mwdknS61LwMgP!<QbkwC(vH@OaIo?LiW<^l
z<);Bj)+qJT-?nMrefWB*v3mx|O*_G3o=UXAQ;lKO^XXL54l>vUrhV+h+H_ZfjnE;=
zG@OqMw&U$H8w|&T><gwh;i8MEz~v#*UDAEkqg|s!S=(B<rqb2E$hzS^=J2(i!awy;
z8Zic?5>qaS^9~;#l>S4OEE}Z)2dGqhmF?=4%uz9j;xP0*vB-8NPOJI<DP%I?c&^a%
f#y+1TYtvF0?UT4lx@K#Hc?j3^$#Z+(r<I+VsgU<5

diff --git a/nixos/services/email.nix b/nixos/services/email.nix
index a153f1a..e41a1dd 100644
--- a/nixos/services/email.nix
+++ b/nixos/services/email.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, inputs, ... }:
 {
   imports = [ inputs.nixos-mailserver.nixosModule ];
+  age.secrets.yorick-mail-pass.file = ../../secrets/yorick-mail-pass.age;
 
   mailserver = rec {
     enable = true;
@@ -8,7 +9,7 @@
     domains = [ "yori.cc" "yorickvanpelt.nl" ];
     loginAccounts = {
       "yorick@yori.cc" = {
-        hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+        hashedPasswordFile = config.age.secrets.yorick-mail-pass.path;
         catchAll = domains;
         aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
       };
diff --git a/secrets/root-user-pass.age b/secrets/root-user-pass.age
new file mode 100644
index 0000000..721f40f
--- /dev/null
+++ b/secrets/root-user-pass.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 gPpu3IUM4XCFLGCw0g01q4SLCR8Y06X0RUKcxw3qCWY
+tif176GtYNaHhKRTcA/5mWJtagrXnKjB+aWB3RhkDy4
+-> ssh-ed25519 4Ui0LA Z8AR/i/rCXoHsgCcA+qJ7OUCIljG9u9s1AvHeosCziI
+l/kblqmAyuZuofz2csDaLIOjsc9qGDZW4zbC54lgJnE
+-> ssh-ed25519 ZzuO9Q Ae1zb6275GCkj2y3eZDO/R35OaH/AYGpZN9jY7BCT2o
+ULdKtq4v4H7C3/h1/GN1ZobLtgiXnepjIRUk/AeQD04
+-> ssh-ed25519 n7yA6g BRIx6Nvp9S6XLKWOok4UM06LxFSP9aSXDtfyECncYGY
+lL0sEX9hQ3spt12KA5ubQu1zzbaMrY1XqlWPfB2Sv+s
+-> ssh-ed25519 dY0yIg oG+tsYKk9TrcMzy0P1571mvS8J8UspfutBo7int0uF0
+suWCupM+FkKeKVDRd3ptHybUAVqnYMwXch4C0pwCYak
+-> ssh-ed25519 6AxuSw oWDbYV22o2ygCa5k7KgweCOiPCpAITlz7+1x3nNmwno
+TDFCdFLEGtyCEJBZnEniwbDQeEr/Vk+MjwYuILFO/OY
+-> pdIe+-grease s7,&$< 8t"N$R! &y~Q( ?
+GM8wkE42tIdCNDsc7pnPVhVnXqckaAQE5jF8qM2zug
+--- 4mXrKFGwxnRIfetWC8pOPEiQEOImCfD2/Mox+Mz7OkU
+AöÛE�R¸Ù8è½`Ó«¼0{�<¢D÷»4³n�È«ß6uí+Â?!ÉŒŠörQî^} ¨ª‡õ
AbÝ<©s•A‚èªäz¸+yÖÁj¹ÕA�Iæ�†q|ìÁšë‚û×Xå—#úËuV6cOm]ô_M]ªœê•h”ªÌ?…,
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b81407f30a151e8886dc73bf8d96ff127dfd8056..82e5c592a2f7d1fa97d8e15ab92c2255c72cb350 100644
GIT binary patch
literal 1520
zcmV<M1rPcFM@dveQdv+`0J!Y5p1u6I!1jWsn+;-X$Vf_*zTK`37;6$^OOy-7K<5sh
z3>)I%<%t)EDQ{*Q&wpG9iNRx|9C66KOd}16`M$7cExGe?CPOPE8|>#IwO}cupXPLE
z2i}7^niV5jU^}2^cRPe+_nxa`6HG$`4%~GK1<E^Eq?FbpRqId7z?r;I;u;VBUvstY
zA)dy3<%Bj9N5~=w=2omB)?EMm^M3~25WP;$w;}NG{t+=z2#osZ0ATCgK6CAQ#|&pk
z^NrTg#X^sn36+!Pr;_9g&Sg5gXXX5tQo-Q4!>9!L&%LQbL$1I442q*WJRmI~uW}?;
z;504CD?g5dF=xLj>5ee=@PHWh<=QS*k!2tJ^~RLNp999Yxzio7<xy+$wR_aML4LSo
zD$lBHBVmgiaIfNdZag9Oj!@9^6$ozvA;mbfF~+5=8q|~eix!YC@pYEGz=J$o0INC4
ztS3292Qgl%O4W>5SF`8Gx}0HX{!YR9cp`LnaAH$BdHYuV4}9Pcak8VmzGciu)mwxO
zY{n(bfK~=7iLU{`_nkHuYbRt_FurHJRs<7CEGBS<2jyf=Fwh2^`lwf!CiDoXnwZEF
zroA4788L!EVIe+z%r`1SOguuNqK8C7{4(3zI(zwRSw^vTW61@EIl+F93Wd;EVbCBR
z2+jH&3o?QbRoI@nrsOz;C@8rUxzX!jOM)GeJ9&4*6mr37m1t6a>{S7jzOVx+d~*Zh
zx`j%G5TzSB;m_U&QXWgl@^v@ch$G&y0a?Sl8Q}v&)T_SgF#2d&vCxcsIH>LdRL-M*
z{R@znWK@~g9$O(JqQ92j*}Lv@Dp2Z;Og2i;m_?6*9j6b02TBvo{o^;^ydX#z<EZFM
z9IGu}jq;w*&)+C>7o8PK2->%7S)Gns^4c?>!3baz9jzFsXWEu6jE=_mrNg?Wzo%e(
z9Jn;hQQ&d$)kv<Cs~{`Y{ESdyg>qW1)9|tY?A<Mgj<QKI=tBF#n_%HPECg_LFm&MZ
zLu5cb!b6~OQ`KY&mZU7)4>vehJZ{mJvU`vMrsl$*14yLOhqHH_lUnuCHHPJdUpy#K
z+!2ohyv3j|lXGr>9;q#|8lT_vzKJsc*5AC7=?E)E5N%;&V{+&ed~uv!D>;_gMQrRC
z21qKL2Z!dd2Vsa@qzU;|)b*ID44=*ZU?fWIr(^1WFko~*ng(rt^ECRT6-2H4pw=bn
zu3EC;5iRmovozK;!+?^v!UYZQ2^ukr+$ndXsR&o?GB;)`+o`7}e&C}}!sJQ1oLL_T
z|L7L$RA=@)H#~Sqb|3)P?22EPT>I3sW{LH2XH|cxsg(*7AZMjt>%Sqx=u&VPFCS_W
zPM`&W*7#PkA%_pyf~KuGvC7PoX<7H6hnKZgYNTF@Ommr4o|e7MH}#A-Y)?B3WDJ~a
zOL604ft-}K{EluVW;k0x`Cg^}v(=&8<HSXgZgW=mv}A`1cuZ6*hEDVYsKh?wEMG9}
zV^rS6l39Z-vpC9U>p<HUFfz&_o>C~oJ2$}FK}EJs3}uQYArr{zE!r`5e;;wsQJA(H
zxfe!$$iy--UY(FYxhvlM^faW(z0%6<q!jSmo5GP~Srt?9zfv*e(A%9FYX?xSwvQm5
zkYqa15KS_0lyRgHE=Ab-R-FxbRa3S`;~X0+Ep65&l`v3Ns)ioeOtJ>QRs?44VWFN*
zkKggif6k&sHS@bPhheo2op`VO2KG8{hK4kdy>}@@StvjR1bf6CEms)33TCU$Pjca&
zZ*+mH4JmV|9$rHVwTsxXf4kS2>Z-3mW0ShQA`2L5e$PD^ak(i5Ftwk8wI<|5Kc5}f
z{VO8N`*dF&EQp0B1yycD5|O1}x)#V-1J1U21HWi->`{)H7&V$;L5R3ye8>T!Fya?<
zyRs$NpVSYWE1&tR=&4@I4Cu~08e5chMBSaB8CgZ2Y!rx(vl>nk-V+(C(aAC;s~#X6
W*mh=xyBu$zxFS$ux19L3PNyVf&fz8i

literal 1271
zcmV<T1PJ>8M@dveQdv+`0Kc)?djdmNC^(z+U934`s=$wtiy(-y^Cp6`C)GXI-q3~_
z%o%wf@u6WLu8xBWEI9*PH_@$N_otmu6EI%Yn4O^txum1CJM5ze6}~4AUrn&X>g$Mi
z@qcDgET`>!U}7!3e;78S{Z2=cR@`7*dsiPA^B;z75%_iyxV%vRT)iFCll)=j#w;Y?
z=Xan@Di#bRkjMO=R;a33X#vl|N!6N}n7X?-KXOyH{M*1R1w;pprA8bpQl=C<5C1Hx
zgtE$7Y{6=)%jQ*4xCMOMXo?zQGiF@zIU<WRF5innHBlM9=T-?|2L=(B$GC3^%2oVT
z(5sPD5q8=P%Q)?>Vej4S)gC3i^Msy}@!;Lt^)vT>#UDBZlf42)YC<$UpIGIC$erIh
zH{CZS-{wR;(^>L&R<NLW%%@9%$e+}ZT~oZSC?UFepzw25vf8S7%Bt|*vV(o(v7Mod
z;gd2u70CB5;4f&g!lJsHKwO|*C7xAgJo8t74xhfDPOvZPz!VsM^E@s+z0|e(-(1J6
zac;$PLQjbFD;RD^|K#FfMNsrQJArB>Am8dP>E|Uu7yCG>E?=h=Za=UKD9sb(It&S9
z*HV>WqG;PdwK62ylSLAY%LAHv&rcFo-EMl)rgUQ&9gGeRTn!~Im&Y3|63Yv!As?q|
zZ8S*ZgbGHQt^)2KMO^P3sy;@Ghe@lEqJMT5NwlUT3mLZH_7{x}cguPUsexQ#^hdY?
z#ajAuf70NNK%x_k08QX|#qJDL+B`TDDq!k&o}pA0$Obv~);qtrkK+clPSn`S3ZLs|
zJ#Tuk%r4d6oqlq7T@w#icM|M-P(c5=&$d+>YFe^Tnow4{e>JgIXKWa_5_*5IB~Nec
zjppx^`tD_^8omqEQ>TEiH@8+{kFy~ji%qqG=OwzCEvy}%1Ja+}s?At(BbEYKV%bbS
zdr{1pnCM%pcf&ZcYfvT*+}vp6A6K?B5RGX!*(AWZ_kFjIG`S5fs#lcUmgx6+(4A`P
z`{`=Q&6U{HnVcm6sW^HYtmhuZuI6<Rt3FC@4>m-B{JN0KGhnu5foun`KDc#34JL--
zY}oer`iA)mN4briQ2sF5aR$glSkMO#TB0PVZK5#9<QUu@3w5B|Ve_iJ*y&x+p);c;
zjnmL$=EfC0PAHz&Un+rCOTjSIvosYvhsPON8OP+<f7vN>SnbT}n<aI|UtAujunemi
zELnnLtK*H{xLxxXT!eAP_A8xVCrr@mvhqc0IpWo<YgL9F_?-Q~8%zSm`1PnSX<k=#
zWIJsHGY^@(Q@3Y59!~6<U<CL>)Bl!-+~;+q;)D0s>9g!xb79&rN{74+l(N}wD0$EF
z6Fh2iU_I~TB}&DJ`Q6b8A9fofy$}FmMy0@vtAL5@UnHdSP@TcpY$zasz`NfF?Hteg
zMR*s$AVZ)zMQaHB8k{o3Xug9JFsn^nY+z5Fm^KE37rx%X0q(Ch`W;k~&7GH;jX+;$
zetR+%lY~seR7@3&vpQmM@~YgzSUx%bC@c&l-r$b8pu2WTMQJu?Q7bbI>{tNuQ*q+K
zL{~ew54SHngAwN^RWSdbz`#=*k`#UXYh2x}Ez|PsNJT5SSBVY;V{X<;j#Wp%0F@O7
h7qL@nsq*+er@r83YNn?ABJzq<II+#+K|)p1eCAlYaPt5F

diff --git a/secrets/yorick-mail-pass.age b/secrets/yorick-mail-pass.age
new file mode 100644
index 0000000000000000000000000000000000000000..90a358ac95f37d04ffd570d7f503fd7795b0f24e
GIT binary patch
literal 442
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{VQU$@WY&DzPXx2@5jFb#(QQ
zGK_T3OO6QlFbGO6j>>mQ^$HBlPEK*oaOKJmEAjP7HuLcJEq5$6N_P!)El4*nEv?k|
zsLU)5bWDzN$xqBH&kry)NCw$ZT%4hsngX#Vs;boAGEl)V)XXm=FvB&}EjP<B#4*dV
zxWF$sxGb>LD=RX~$k3_4(9%5EDKaoUB$6w_&ELn%q&U~dP~XQh)y=2eJg_V%v)s|C
z(67MQQajPu(c391-6=RH*A--2S*mV&QEFmwDp$T&p+}{cVMMZPAeXMLu7Y1hc15PM
zVPT%HrFo#cXOz2#M^KcHWvQccS$RpOXMRqFd4PveL0+X%GMDV>C0C}dO80;DxJ>xt
z8NM~sgJ!fp>)ULmaV>mn`K7XG-N`4*UIip9c>Q3r?anHPSs{JAU+0HDQxb1j6W6!s
zONVKr*)}eNy3c18EQz~z_mfWLBU_ck@->a+oF_yxI#*1#zy3~bGQ&dcUCv8SS6t%|
h+c;Nyi>t_fmxd@6WflJ2%#war7Jj-}%Utu!0|2-vrK<n{

literal 0
HcmV?d00001

diff --git a/secrets/yorick-user-pass.age b/secrets/yorick-user-pass.age
new file mode 100644
index 0000000..ebba97c
--- /dev/null
+++ b/secrets/yorick-user-pass.age
@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> X25519 igjeVk7K5wMss9d8iN2VMGKzfyA8YGbw/ivdRre+mlc
+PyTIOfIsw/lMTWE7boTfhcU3ptMyc/YEMNC4gc9VXwc
+-> ssh-ed25519 4Ui0LA tAap3xK2PMYD/l63tSCr8RAuMgEhn27ttvLD6rOwLhk
+3KHv27a82wBlFkBxjGpoRnSl6AlAVp3l5aigHLzYFv8
+-> ssh-ed25519 ZzuO9Q P3oDE31Cr5ql9D1qQIL8uJfPVz8Z34nI1WRR+r3eSFs
+a+vYQu6gia+k5MsVBVhfAXNdK/Pt4IxKmL+sTamq0Ls
+-> ssh-ed25519 n7yA6g HdhF4DdyYUxRRzRBiafAiDal6WrP7DKlzg3t2IaL8z4
+6GacnfLEbzlea8kreVbuLT+Tb14gNWhcp1mY6RUvkM4
+-> ssh-ed25519 dY0yIg 6/yte4riBsTStcfe6dC/rsHDDt9FkYo3dGDXfNTN6mc
+243hlNW1NMytmUaqIdFxKVbGCE9OE+Z52xmXAY7Gw+c
+-> ssh-ed25519 6AxuSw sgXEUYw26qprK1UqqmSSCH3d6wSTx36tXchnvHyKsQs
+kBr7+RpIvcpiLcdu+dev9JIud5fR20TEKH+DsTh+wgY
+-> esWzRZ6-grease ?.lfCo <`o0)Ty Z]mJ
+SvD8QrEVlF4Npprb6An3L0QBUOqb8RACypF4EcYFweoHY6JG2Y+aDnl3ua0t+0Ax
+wFFo3nOCoyXiXckyo/53PNl+jp7JwS3BqHowihtn3TO9ZcLHch9vIbQVpTAezw
+--- XRCsY00QWQn6g6+wP1QSL8in7DIaks72mgA3awvmPEc
+¸mntÊ1¨ÒÌD±*_÷Ò,/¢Ã+”Ï«âÜ—t8Åq¯lÝ3˜zïg
I3¼¯WD$uaòŒ’GIR0b ºu<ÒßwJ‚]±«²¨m‘»ó°Ærÿ
¹oCbݳ蘬iMפf	(Ô~Ä@Nêð)&·íö‡ŸwÛ�¯gç3XN
\ No newline at end of file