switch to agenix

.gitattributes

@@ -1,4 +1 @@
 secrets.nix filter=git-crypt diff=git-crypt
-*.key filter=git-crypt diff=git-crypt
-deploy_key filter=git-crypt diff=git-crypt
-keys/** filter=git-crypt diff=git-crypt

flake.lock

@@ -1,5 +1,25 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1652712410,
+        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "blobs": {
       "flake": false,
       "locked": {
@@ -259,6 +279,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "emacs-overlay": "emacs-overlay",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",

flake.nix

@@ -10,14 +10,17 @@
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-21.05";
     nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
     nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
 
   };
   outputs = inputs@{ nixpkgs, home-manager, nixpkgs-mozilla, emacs-overlay
-    , nixpkgs-wayland, nixpkgs-stable, nixos-hardware, self, ... }: {
+    , nixpkgs-wayland, nixpkgs-stable, nixos-hardware, agenix, self, ... }: {
       overlay = nixpkgs.lib.composeManyExtensions [
         nixpkgs-wayland.overlay
         #nixpkgs-mozilla.overlay
         emacs-overlay.overlay
+        agenix.overlay
         (import ./fixups.nix)
         (import ./pkgs)
         (import ./pkgs/mdr.nix)

nixos/conf

@@ -4,12 +4,6 @@ cd "$( dirname "${BASH_SOURCE[0]}" )"
 export NIX_PATH=
 host=$1
 COPY_USER=yorick
-decrypt() {
-    if ! [ -e secrets.nix ]
-    then
-        git crypt unlock
-    fi
-}
 get_target_host() {
     TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
     TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
@@ -19,20 +13,12 @@ peek() {
     command "$@"
 }
 nix() {
-    decrypt
+    peek nix --extra-experimental-features "nix-command flakes" "$@"
-    peek nix --extra-experimental-features nix-command "$@"
 }
 nix-build() {
-    decrypt
     peek nix-build "$@"
 }
 case $2 in
-    copy-keys)
-        nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
-        get_target_host
-        peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
-        # rm ./copy-keys
-        ;;
     ssh)
         get_target_host
         peek ssh root@"$TARGET_HOST"

nixos/deploy/keys.nix

@@ -1,23 +0,0 @@
-{ pkgs, lib, config, ... }:
-with lib;
-let cfg = config.deployment.keyys;
-in {
-  options.deployment.keyys = mkOption {
-    type = types.listOf types.path;
-    default = [ ];
-  };
-  options.deployment.keys-copy = mkOption { type = types.package; };
-  config = {
-    deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys"
-      (if cfg != [ ] then ''
-        set -e
-        ssh root@$1 "mkdir -p /root/keys"
-        scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
-        echo "uploaded keys"
-      '' else ''
-        echo "no keys to upload"
-      '');
-
-  };
-
-}

nixos/logical/frumar.nix

@@ -6,8 +6,6 @@
     ../services/torrent-wg.nix
   ];
 
-  deployment.keyys = [ ../keys/grafana.env ];
-
   system.stateVersion = "15.09";
   networking.hostId = "0702dbe9";
 
@@ -88,8 +86,8 @@
       AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
     };
   };
-  systemd.services.grafana.serviceConfig.EnvironmentFile =
+  age.secrets.grafana.file = ../../secrets/grafana.env.age;
-    "/root/keys/grafana.env";
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
   services.zfs = {
     trim.enable = false; # no ssd's
     autoScrub = {

nixos/logical/jarvis.nix

@@ -4,4 +4,5 @@
   system.stateVersion = "17.09";
 
   yorick.lumi-vpn.name = "yorick";
+  yorick.lumi-vpn.ip = "10.109.0.10";
 }

nixos/logical/pennyworth.nix

@@ -44,12 +44,13 @@ in {
     };
   };
 
+  age.secrets.muflax.file = ../../secrets/http.muflax.age;
   services.muflax-blog = {
     enable = true;
     web-server = { port = 9001; };
     hidden-service = {
       hostname = "muflax65ngodyewp.onion";
-      private_key = "/root/keys/http.muflax.key";
+      private_key = config.age.secrets.muflax.path;
     };
   };
   services.nginx.commonHttpConfig = ''
@@ -89,7 +90,6 @@ in {
     };
     "media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
   };
-  deployment.keyys = [ ../keys/http.muflax.key ];
   networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
   networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
     (machine: publicKey: {

nixos/logical/zazu.nix

@@ -1,5 +1,5 @@
 # Edit this configuration file to define what should be installed on your system.  Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’).
-{ config, lib, pkgs, inputs, ... }:
+{ config, lib, pkgs, inputs, modulesPath, ... }:
 
 {
   imports = [ # Include the results of the hardware scan.
@@ -7,7 +7,7 @@
     #<yori-nix/roles/homeserver.nix>
     ../roles
     inputs.nixos-hardware.nixosModules.pcengines-apu
-    <nixpkgs/nixos/modules/profiles/minimal.nix>
+    "${modulesPath}/profiles/minimal.nix"
   ];
 
   boot.loader.grub.enable = true;

nixos/modules/lumi-cache.nix

@@ -1,27 +1,15 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.yorick.lumi-cache;
-  nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
-    hostname = "cache.lumi.guide";
-    username = "lumi";
-  } ''
-    cat > $out <<EOI
-    machine $hostname
-    login $username
-    password ${
-      builtins.readFile
-      /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
-    }
-    EOI
-  '';
 in {
   options.yorick.lumi-cache = with lib; {
     enable = mkEnableOption "lumi cache";
   };
   config = lib.mkIf cfg.enable {
+    age.secrets.nix-netrc.file = ../../secrets/nix-netrc.age;
     nix = {
       settings.substituters = [ "https://cache.lumi.guide/" ];
-      settings.netrc-file = nixNetrcFile;
+      settings.netrc-file = config.age.secrets.nix-netrc.path;
       settings.trusted-public-keys = [
         "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
       ];

nixos/roles/default.nix

@@ -5,11 +5,11 @@ let
   vpn = import ../vpn.nix;
 in {
   imports = [
+    inputs.agenix.nixosModule
     ../modules/tor-hidden-service.nix
     ../modules/nginx.nix
     ../modules/lumi-cache.nix
     ../modules/lumi-vpn.nix
-    ../deploy/keys.nix
     ../services
   ];
 
@@ -106,9 +106,9 @@ in {
     ipv6 = true;
     hostName = machine;
   };
-  deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
+  age.secrets.wg.file = ../../secrets/wg.${machine}.age;
   networking.wireguard.interfaces.wg-y = {
-    privateKeyFile = "/root/keys/wg.${machine}.key";
+    privateKeyFile = config.age.secrets.wg.path;
     ips = [ vpn.ips.${machine} ];
     listenPort = 31790;
     peers = [{

nixos/services/backup.nix

@@ -1,22 +1,20 @@
-{ name, ... }: {
+{ name, config, ... }: {
-  deployment.keyys = [
+  age.secrets.backup_repo.file = ../../secrets/${name}_borg_repo.age;
-    (../keys + "/${name}_borg_repo.key")
+  age.secrets.backup_ssh.file = ../../secrets/${name}_borg_ssh.age;
-    (../keys + "/${name}_borg_ssh.key")
-  ];
   services.borgbackup.jobs.backup = {
     encryption = {
       # Keep the encryption key in the repo itself
       mode = "repokey-blake2";
 
       # Password is used to decrypt the encryption key from the repo
-      passCommand = "cat /root/keys/${name}_borg_repo.key";
+      passCommand = "cat ${config.age.secrets.backup_repo.path}";
     };
     environment = {
       # Make sure we're using Borg >= 1.0
       BORG_REMOTE_PATH = "borg1";
 
       # SSH key is specific to the subaccount defined in the repo username
-      BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
+      BORG_RSH = "ssh -i ${config.age.secrets.backup_ssh.path}";
     };
 
     # Define schedule

nixos/services/torrent-wg.nix

@@ -7,11 +7,11 @@ in {
     namespace = mkOption { type = types.str; };
   };
   config = {
-    deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ];
+    age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age;
     networking.wireguard.interfaces.${cfg.name} = {
       # curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
       ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
-      privateKeyFile = "/root/keys/wg.${cfg.name}.key";
+      privateKeyFile = config.age.secrets.wg-torrent.path;
       peers = [{
         publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
         allowedIPs = [ "0.0.0.0/0" "::0/0" ];

secrets/pennyworth_borg_repo.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 lYFcsw HsqJA3brEYXwaJT7VjTassnpzZSBsa+968Oe6BC7FFA
+rwqKJVSh2BkXpUbnkegEOKMWV68CXZnOg5HJlFhGWmY
+-> ssh-ed25519 ZzuO9Q SbeT6ExvwzTog2HXThI8OOgJQoMqWOOtU6gmU+v/x28
+pgEYyg6EuRsIW1shMlvQfTGxwyq0/uFHQumDmB0QzZM
+-> P*s7TnXP-grease C O$
+KXqmSEK5b3oWErBT6A5w5A
+--- 7XjRgeS86xeERnenf8zSZPb47lV2GiSa55ZPKEvjJBc
+äx6
+ú
KOŠ+<2B>S¬öíUaH r»-A<>C<EFBFBD>M·nˆfà<66>Ós;
bB»dñé©ù;üL9à2¼ÛLSRÓ÷Ï<06>ÍžÜtÑ¿ônnÊN

secrets/wg.blackadder.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 lYFcsw v6eGXaE307KPZGNPiZizSUSiJ4om5/igqveCtyXJpVA
+7tJ+o/YBYrHF+DeLaHeBdV6ZVPEV7w9Dxq/4HcpGdDc
+-> ssh-ed25519 4Ui0LA 2gDiPTnSkhgMySIeIITAUmTRzCDHwFH73BKayFzIBmE
+mc8SgUhs7WSR9sl+Y1ZkQahwJ2zXdbkEekZkGXiL7ss
+-> !ff-grease BK qoe krs&bJ
+pKON54F5tCt2T9YGQM920TxaK+l08X/1xCSIpSLy0WwpzJYeFu6XRT6VoPTga/hG
+tDqS6PvXw12729k5JH7qMS2XzDEuh+6NIRnDuwGC/ttfk+2HJe25FifbZhE+1YNC
+9A
+--- BxJEHO4W1sUHQ2pk8CZViEDCy+WhyzVdWlZUZHIHlBE
+-
fV‚7½O²9Ÿò_Bí?Z	/ìá¨çÛTQ¡ Åû–ì+í3ÓBº*«•…wÿvûá/í©^™@Xè¥çÿ!¨/ñžuÒª

secrets/wg.frumar.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 lYFcsw vv0M0zAhNZ8dsIuOI6p1Y++WusqBwdYJqzXuK4IXflo
+MERLtcazm/pWBSvyISDLoil5eiNDDwAYDY+H1pTrYN4
+-> ssh-ed25519 n7yA6g dV0UCZeAfZIxaoNYM5OZnbLRHiad1XJdYcidUCa6qj8
+7PJAgRS4r+oQiQAM4Lt+yvQXRZzrOEMp0RwlwTge6Ic
+-> D-grease 9p~L6^ #_8k_6RW <A:we
+g88QsMIGbjOJjIvb9WjroQaPCN9YWHNaK7icMSAEf6xJE1V3a9Bu/7v0JqgZGV8f
+szEC2UtY6bUYdRPUhwsS0V2N9lds7Gg65kYrAHylRL8w9uFJJmydcb9Bgw
+--- ZWYEvPCTLh1Vh05yX4zmH+YOjlW6yaaAQZcp1WeAUnA
+<EFBFBD>†(çäEÍHëŐEEôjśW˛mÓrţ<72>ń›tęO
+ďf<­Ă"o˝=+Ň ˛†+<2B>sĂ/Ł×_3]Ź
˝›“wŻ[ţÍĘÇ5Ź<35>öa"ş

secrets/wg.mullvad-nl4.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 lYFcsw TtNKEpF1PW3hFdAR6yvwlppBsb4aS8G7GxpBhtpwvVQ
+p4VgueR9Evc7lxckk9psbD/i0su9XSzfns8/YnroKVY
+-> ssh-ed25519 n7yA6g YRrCJZMq/Rz3VRlOXSM6QFsRLK+S7H/ThVigcin21Gk
+S4X0SNQUtxLpsDei6PkzQm+cFxL9cyLubTlVXrdZmHE
+-> 6LOV|>L-grease ;6R Kod}I/ bmRbO|
+SPzo5pVPaREotXuB0w
+--- UfqolORCJHBYP9FQU/cxuRbPuQBWAX8bqUWrrUx3GTQ
+¤ù¥ß†À›C=%Ý‹Ôuƒ¥Äk±Ê˜säx.öC㤼ð5~d Íù<C38D>åôcå4Ìè¢åð Ã$§†üáyV)æ÷–æq