From b3f08ef7c33b12271610ed0cc19f966287ac8641 Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 24 Sep 2023 18:12:04 +0200 Subject: [PATCH] chore: update agenix-rekey --- flake.lock | 218 ++++++++++++++++++++------ flake.nix | 30 ++-- modules/config/secrets.nix | 1 + users/modules/config/impermanence.nix | 1 + users/myuser/graphical/default.nix | 1 + 5 files changed, 193 insertions(+), 58 deletions(-) diff --git a/flake.lock b/flake.lock index 8505fdd..cbd5186 100644 --- a/flake.lock +++ b/flake.lock @@ -42,17 +42,22 @@ }, "agenix-rekey": { "inputs": { + "devshell": "devshell", + "flake-utils": [ + "flake-utils" + ], "nixpkgs": [ "nixpkgs" - ] + ], + "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1692783612, - "narHash": "sha256-Mz1xv45Rjzet1D2bMGKapgw1JCHaD60dBs4sE6Dz2+A=", - "owner": "oddlama", - "repo": "agenix-rekey", - "rev": "52695865488742e0b34a56111cd40e229b3ab90a", - "type": "github" + "dirtyRev": "8e853a2094472ac2665b453de41832f0f6cf0aa9-dirty", + "dirtyShortRev": "8e853a2-dirty", + "lastModified": 1695571453, + "narHash": "sha256-Qws2IEoO/L7YGzXyweL5VlgHaTWR4UY7Apkbxhihrzg=", + "type": "git", + "url": "file:///home/malte/projects/agenix-rekey" }, "original": { "owner": "oddlama", @@ -80,7 +85,7 @@ }, "colmena": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": [ "flake-utils" ], @@ -105,7 +110,7 @@ }, "crane": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-utils": "flake-utils", "nixpkgs": [ "elewrap", 
@@ -173,10 +178,32 @@ "devshell": { "inputs": { "nixpkgs": [ + "agenix-rekey", "nixpkgs" ], "systems": "systems" }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "devshell_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems_2" + }, "locked": { "lastModified": 1694435990, "narHash": "sha256-yLQPD2eZGepu3yvdwABXrR3GhAqWRWTj9rn3a4knYuk=", @@ -219,7 +246,7 @@ "nixpkgs": [ "nixpkgs" ], - "pre-commit-hooks": "pre-commit-hooks" + "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { "lastModified": 1688574676, @@ -238,11 +265,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -254,11 +281,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", "type": "github" }, "original": { 
@@ -284,21 +311,6 @@ } }, "flake-compat_4": { - "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_5": { "flake": false, "locked": { "lastModified": 1673956053, @@ -314,6 +326,21 @@ "type": "github" } }, + "flake-compat_5": { + "locked": { + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, "flake-compat_6": { "flake": false, "locked": { @@ -330,6 +357,22 @@ "type": "github" } }, + "flake-compat_7": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -354,7 +397,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1685518550, @@ -372,7 +415,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1687709756, @@ -390,7 +433,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1694529238, @@ -408,7 +451,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, 
@@ -443,7 +486,7 @@ "gitignore": { "inputs": { "nixpkgs": [ - "elewrap", + "agenix-rekey", "pre-commit-hooks", "nixpkgs" ] @@ -463,6 +506,28 @@ } }, "gitignore_2": { + "inputs": { + "nixpkgs": [ + "elewrap", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_3": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -747,9 +812,25 @@ "type": "github" } }, + "nixpkgs-stable_3": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-wayland": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", "nixpkgs": [ 
@@ -811,18 +892,46 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat", "flake-utils": [ - "elewrap", + "agenix-rekey", "flake-utils" ], "gitignore": "gitignore", "nixpkgs": [ - "elewrap", + "agenix-rekey", "nixpkgs" ], "nixpkgs-stable": "nixpkgs-stable" }, + "locked": { + "lastModified": 1694364351, + "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": [ + "elewrap", + "flake-utils" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "elewrap", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, "locked": { "lastModified": 1688137124, "narHash": "sha256-ramG4s/+A5+t/QG2MplTNPP/lmBWDtbW6ilpwb9sKVo=", @@ -837,17 +946,17 @@ "type": "github" } }, - "pre-commit-hooks_2": { + "pre-commit-hooks_3": { "inputs": { - "flake-compat": "flake-compat_5", + "flake-compat": "flake-compat_6", "flake-utils": [ "flake-utils" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore_3", "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { "lastModified": 1694364351, @@ -868,7 +977,7 @@ "agenix": "agenix", "agenix-rekey": "agenix-rekey", "colmena": "colmena", - "devshell": "devshell", + "devshell": "devshell_2", "disko": "disko", "elewrap": "elewrap", "flake-utils": "flake-utils_3", @@ -883,7 +992,7 @@ "nixpkgs": "nixpkgs", "nixpkgs-wayland": "nixpkgs-wayland", "nixseparatedebuginfod": "nixseparatedebuginfod", - "pre-commit-hooks": "pre-commit-hooks_2", + "pre-commit-hooks": "pre-commit-hooks_3", "stylix": "stylix", "templates": "templates" } 
@@ -934,7 +1043,7 @@ "stylix": { "inputs": { "base16": "base16", - "flake-compat": "flake-compat_6", + "flake-compat": "flake-compat_7", "home-manager": [ "home-manager" ], @@ -1031,6 +1140,21 @@ "type": "github" } }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "templates": { "locked": { "lastModified": 1691421369, diff --git a/flake.nix b/flake.nix index 926a337..56ce765 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,7 @@ agenix-rekey = { url = "github:oddlama/agenix-rekey"; inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; }; colmena = { @@ -127,6 +128,11 @@ extraEncryptionPubkeys = [./secrets/backup.pub]; }; + agenix-rekey = agenix-rekey.configure { + userFlake = self; + inherit (self) nodes pkgs; + }; + inherit (import ./nix/hosts.nix inputs) colmena @@ -160,6 +166,7 @@ ++ import ./pkgs/default.nix ++ [ devshell.overlays.default + agenix-rekey.overlays.default ]; }; @@ -180,11 +187,8 @@ .${system}; }; - # Define local apps and apps used for rekeying secrets # `nix run .#` - apps = - agenix-rekey.defineApps self pkgs self.nodes - // import ./apps inputs system; + apps = import ./apps inputs system; # `nix flake check` checks.pre-commit-hooks = pre-commit-hooks.lib.${system}.run { 
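Review bot: The `agenix-rekey` input this hunk edits still declares `url = "github:oddlama/agenix-rekey";`, but the flake.lock committed in the same patch pins it to `"url": "file:///home/malte/projects/agenix-rekey"` with a `dirtyRev`, so the tool that re-encrypts every host secret is locked to an unpublished, uncommitted working tree that no other machine (or CI) can fetch and that cannot be checked against an upstream commit. Push the agenix-rekey change upstream first and re-lock with `nix flake lock --update-input agenix-rekey`, so the `locked` entry returns to a `github` rev plus narHash that can be verified against the repository, before this commit lands. The added `inputs.flake-utils.follows = "flake-utils";` line itself is fine. The enclosing `inputs` attrset starts before this hunk.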
@@ -208,33 +212,37 @@ nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. ]; - commands = with pkgs; [ + commands = [ { package = colmena.packages.${system}.colmena; help = "Build and deploy this nix config to nodes"; } { - package = alejandra; + package = pkgs.agenix-rekey; + help = "Edit and rekey secrets"; + } + { + package = pkgs.alejandra; help = "Format nix code"; } { - package = statix; + package = pkgs.statix; help = "Lint nix code"; } { - package = deadnix; + package = pkgs.deadnix; help = "Find unused expressions in nix code"; } { - package = update-nix-fetchgit; + package = pkgs.update-nix-fetchgit; help = "Update fetcher hashes inside nix files"; } { - package = nix-tree; + package = pkgs.nix-tree; help = "Interactively browse dependency graphs of Nix derivations"; } { - package = nix-diff; + package = pkgs.nix-diff; help = "Explain why two Nix derivations differ"; } ]; diff --git a/modules/config/secrets.nix b/modules/config/secrets.nix index d255474..3f973aa 100644 --- a/modules/config/secrets.nix +++ b/modules/config/secrets.nix @@ -26,6 +26,7 @@ forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem; hostPubkey = config.node.secretsDir + "/host.pub"; generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}"; + cacheDir = "\"\${XDG_CACHE_HOME:=$HOME/.cache}/agenix-rekey\""; }; age.generators.basic-auth = { diff --git a/users/modules/config/impermanence.nix b/users/modules/config/impermanence.nix index 47c2fcb..6ebd3a3 100644 --- a/users/modules/config/impermanence.nix +++ b/users/modules/config/impermanence.nix @@ -12,6 +12,7 @@ in { home.persistence."/state".directories = [ + ".cache/agenix-rekey" # agenix-rekey cache ".cache/fontconfig" ".cache/nix" # nix eval cache ".config/dconf" # some apps store their configuration using dconf 
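Review bot: The new `cacheDir` value in modules/config/secrets.nix is a shell snippet (the escaped inner quotes show it is meant to be expanded by the rekey tooling, not by Nix), and `${XDG_CACHE_HOME:=$HOME/.cache}` assigns XDG_CACHE_HOME as a side effect in whatever shell evaluates it, which then leaks into every process that shell spawns. Unless the assignment is intended, `cacheDir = "\"\${XDG_CACHE_HOME:-$HOME/.cache}/agenix-rekey\"";` yields the same path without mutating the environment; if this line is only copying the module's own default, consider dropping it and adding a comment instead. Either way a comment should state what agenix-rekey writes into this directory and whether those files are encrypted to the host key, since the same patch persists it across reboots in impermanence.nix. The attrset this line belongs to opens before the hunk.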
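Review bot: The comment on the new `".cache/agenix-rekey" # agenix-rekey cache` entry in users/modules/config/impermanence.nix should record that this path is only correct while it matches the `cacheDir` configured in modules/config/secrets.nix, which resolves to `$HOME/.cache/agenix-rekey` only when XDG_CACHE_HOME is unset or equals `$HOME/.cache`; otherwise the cache silently lands in a non-persisted directory. Suggested comment: `# agenix-rekey cache; must match cacheDir in modules/config/secrets.nix (assumes XDG_CACHE_HOME is unset or $HOME/.cache)`. The `directories` list this hunk edits continues past the hunk.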
diff --git a/users/myuser/graphical/default.nix b/users/myuser/graphical/default.nix index b022605..16f76b8 100644 --- a/users/myuser/graphical/default.nix +++ b/users/myuser/graphical/default.nix @@ -37,6 +37,7 @@ zathura ]; + # TODO on neogit close do neotree update # TODO kitty terminfo missing with ssh root@localhost # TODO nix repl cltr+del doesnt work # TODO wrap neovim for kitty hist