encryption bitch

2025-03-28 00:10:28 +01:00 · 2025-03-28 00:10:28 +01:00 · 908d10be5d
commit 908d10be5d
parent 4508333405
11 changed files with 168 additions and 31 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "base16": {
      "inputs": {
        "fromYaml": "fromYaml"
@ -67,6 +88,28 @@
        "type": "github"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "firefox-gnome-theme": {
      "flake": false,
      "locked": {
@ -172,7 +215,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@ -190,7 +233,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1731533236,
@ -330,6 +373,27 @@
      }
    },
    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "stylix",
@ -367,7 +431,7 @@
    },
    "naersk": {
      "inputs": {
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1739824009,
@ -412,8 +476,8 @@
    "nixcord": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs",
-        "systems": "systems",
+        "nixpkgs": "nixpkgs_2",
+        "systems": "systems_2",
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
@ -432,16 +496,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1737003892,
-        "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ae06b9c2d83cb5c8b12d7d0e32692e93d1379713",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -474,6 +538,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1737003892,
+        "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ae06b9c2d83cb5c8b12d7d0e32692e93d1379713",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1735554305,
        "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=",
@ -489,7 +569,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1741516043,
        "narHash": "sha256-Hv0S630U4GVZBM1Q+NCEwyN5ct7cic+8r6qLIaUaVqI=",
@ -505,7 +585,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1741516043,
        "narHash": "sha256-Hv0S630U4GVZBM1Q+NCEwyN5ct7cic+8r6qLIaUaVqI=",
@ -518,7 +598,7 @@
        "type": "indirect"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1742707865,
        "narHash": "sha256-RVQQZy38O3Zb8yoRJhuFgWo/iDIDj0hEdRTVfhOtzRk=",
@ -534,7 +614,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1740367490,
        "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=",
@ -599,7 +679,7 @@
          "nixpkgs"
        ],
        "nmd": "nmd",
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1741477095,
@ -617,10 +697,11 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "flake-parts": "flake-parts",
        "hm": "hm",
        "nixcord": "nixcord",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nvf": "nvf",
        "somcli": "somcli",
        "stylix": "stylix"
@ -652,7 +733,7 @@
      "inputs": {
        "flake-utils": "flake-utils_2",
        "naersk": "naersk",
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
        "lastModified": 1743031501,
@ -679,10 +760,10 @@
        "flake-utils": "flake-utils_3",
        "git-hooks": "git-hooks",
        "gnome-shell": "gnome-shell",
-        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_6",
+        "home-manager": "home-manager_2",
+        "nixpkgs": "nixpkgs_7",
        "nur": "nur",
-        "systems": "systems_5",
+        "systems": "systems_6",
        "tinted-foot": "tinted-foot",
        "tinted-kitty": "tinted-kitty",
        "tinted-schemes": "tinted-schemes",
@ -713,8 +794,9 @@
        "type": "github"
      },
      "original": {
-        "id": "systems",
-        "type": "indirect"
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
      }
    },
    "systems_2": {
@ -727,9 +809,8 @@
        "type": "github"
      },
      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
+        "id": "systems",
+        "type": "indirect"
      }
    },
    "systems_3": {
@ -777,6 +858,21 @@
        "type": "github"
      }
    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "tinted-foot": {
      "flake": false,
      "locked": {
@ -861,7 +957,7 @@
    },
    "treefmt-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1737103437,
--- a/flake.nix
+++ b/flake.nix
@ -46,5 +46,7 @@

    nixcord.url = "github:kaylorben/nixcord";
    somcli.url = "github:jsw08/somcli";
+
+    agenix.url = "github:ryantm/agenix";
  };
 }
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -9,8 +9,10 @@
  specialArgs = {inherit inputs self;};
  modules = [
    inputs.hm.nixosModules.home-manager
+    inputs.agenix.nixosModules.default

    ../system
+    ../secrets
  ];
 in {
  flake = let
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@ -11,7 +11,6 @@
    desktop = true;
    portable = true;
    neovim = true;
-    server = true;
  };

  home-manager.users.jsw.wayland.windowManager.hyprland.settings.monitor = ["eDP-1,2880x1920@120,0x0,1.5,vrr,1"];
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,6 @@
+{
+  age.secrets = {
+    transferSh.file = ./transfer-sh.age;
+    password.file = ./password.age;
+  };
+}
--- a/secrets/password.age
+++ b/secrets/password.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA T2tf/5zlOEUtq3E9hcOfGfV3T0SoJi9fPu3wO3gSqnQ
+uiu/dIhoCfQG5NGzrkmqgndPOety048r6muc+x7M3Ks
+--- kn3Gvkl870rhV0Nf6EURV2kMWEzx5WMqJ2QZisgeCfI
+ì‰Î	Ôxú’¢UÂyò½ƒŸ#ç’:&1Sß<>åo/¹Ò3å[Û–&ïÍµ¡¹Úêª+@
©G¬é~+Ù,oMøQ¬æÄ<C3A6>BÖ6ÍwÔ'€X9¹+üz|ñ$¯Þ<C2AF>úÎ¯Xž,ý'ÝŠ-<2D>ÊU„Pë¹jJNÛbYÿÊð<C38A>ðÄ[ûpŒÁÎ¾'Ofk#Ê>íK×û
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,8 @@
+let
+  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHB3qkRCskSMiAs2kLTsG+ruESK4h1pP1FHm+rVnKWx4";
+
+  systems = [laptop];
+in {
+  "transfer-sh.age".publicKeys = systems;
+  "password.age".publicKeys = systems;
+}
--- a/secrets/transfer-sh.age
+++ b/secrets/transfer-sh.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA xjixbP+i0eov3HgpjCdBJuboEZ39ZTrfL1UgSewMQ3Y
+ByXb8aKlgNaWeeUmCTppYN1h4gEPO5dvvXexxAN70AY
+--- PJkB6ivTLCMx4ny0olODmbZDsppm7LKJLHorowjxtEI
+ä<>üÉC\y¯Ñ>¯?È\á„€h{TæŸmvìÆ¼ýsŒþZ³¯µâb«¡tõxÝC¿%×ÁQt»
--- a/system/core/defaultPackages.nix
+++ b/system/core/defaultPackages.nix
@ -1,3 +1,10 @@
-{pkgs,...}: {
-  environment.defaultPackages = [pkgs.neovim]; # Still have to be able to edit configs.
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  environment.defaultPackages = [
+    pkgs.neovim
+    inputs.agenix.packages.${pkgs.system}.default
+  ]; # Still have to be able to edit configs.
 }
--- a/system/core/users.nix
+++ b/system/core/users.nix
@ -1,8 +1,12 @@
-{pkgs, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
  users.users.jsw = {
    isNormalUser = true;
    shell = pkgs.fish;
-    initialPassword = "changeme";
+    hashedPasswordFile = config.age.secrets.password.path;
    extraGroups = [
      "libvirtd"
      "NetworkManager"
--- a/system/server/transfer-sh.nix
+++ b/system/server/transfer-sh.nix
@ -3,11 +3,14 @@
    enable = config.niksos.server;
    settings = {
      PURGE_DAYS = 7;
-      MAX_UPLOAD_SIZE = 4 * 1000 * 1000; # 2gb
+      MAX_UPLOAD_SIZE = 4 * 1000 * 1000; # 4gb
      # CORS_DOMAINS = "transfer.jsw.tf"; #FIXME: open it to the world wide web.
      BASEDIR = "/var/lib/transfer.sh";
      LISTENER = ":9000";
+      HTTP_AUTH_USER = "jsw";
+      EMAIL_CONTACT = "jurnwubben@gmail.com";
    };
+    secretFile = config.age.secrets.transferSh.path;
  };
  systemd.services.transfer-sh.serviceConfig = {
    StateDirectory = "transfer.sh";