chore: use agenix, enable initrd networking

flake.lock

@@ -2,17 +2,17 @@
   "nodes": {
     "agenix": {
       "inputs": {
+        "darwin": "darwin",
         "nixpkgs": [
-          "ragenix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1673301561,
-        "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
+        "lastModified": 1676134447,
+        "narHash": "sha256-PU+6hKp7wbxCCRF5RO5g//Q0G+Rhbj92VrprvXtTOlc=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
+        "rev": "6053c559c59ca0ebd57330cd356964f85befaff8",
         "type": "github"
       },
       "original": {
@@ -26,11 +26,11 @@
         "flake-utils": "flake-utils"
       },
       "locked": {
-        "lastModified": 1675778630,
-        "narHash": "sha256-RS69eIBvUrH8wUYYQiwcc8TMOQH52xd6e5NaoDEr4zw=",
+        "lastModified": 1676148182,
+        "narHash": "sha256-oyZpFRBMluuD0TFPGE3FredFdXvbgvyUiX6nziPjX0k=",
         "owner": "oddlama",
         "repo": "agenix-rekey",
-        "rev": "8602e836b406af6e06ef2b3b78ff8eb7569e2e4d",
+        "rev": "100a27170a2943288ede749efde41e22d524370e",
         "type": "github"
       },
       "original": {
@@ -64,6 +64,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -257,33 +279,9 @@
         "type": "github"
       }
     },
-    "ragenix": {
-      "inputs": {
-        "agenix": "agenix",
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1675293936,
-        "narHash": "sha256-xaObOxlMiZ8noXbXWfoUJrCjVZ8oc9HBblc/MeCq7fc=",
-        "owner": "yaxitech",
-        "repo": "ragenix",
-        "rev": "325733b734aa4cc4d6b19f1169e6672cad4128ca",
-        "type": "github"
-      },
-      "original": {
-        "owner": "yaxitech",
-        "repo": "ragenix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "agenix-rekey": "agenix-rekey",
         "colmena": "colmena",
         "flake-utils": "flake-utils_2",
@@ -292,35 +290,9 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "pre-commit-hooks": "pre-commit-hooks",
-        "ragenix": "ragenix",
         "templates": "templates"
       }
     },
-    "rust-overlay": {
-      "inputs": {
-        "flake-utils": [
-          "ragenix",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "ragenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1673662873,
-        "narHash": "sha256-/YOtiDKPUXKKpIhsAds11llfC42ScGW27bbHnNZebco=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "90163bbbadce526f8b248a5fe545b06c59597108",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
     "stable": {
       "locked": {
         "lastModified": 1669735802,

flake.nix

@@ -25,9 +25,8 @@
     };
 
     agenix-rekey.url = "github:oddlama/agenix-rekey";
-    ragenix = {
-      url = "github:yaxitech/ragenix";
-      inputs.flake-utils.follows = "flake-utils";
+    agenix = {
+      url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -60,7 +59,24 @@
         config.allowUnfree = true;
       };
 
-      apps = agenix-rekey.defineApps self pkgs self.nodes;
+      apps =
+        agenix-rekey.defineApps self pkgs self.nodes
+        // {
+          generate-initrd-keys = flake-utils.mkApp {
+            drv = let
+              generateHostKey = node: ''
+                if [[ ! -f ${node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
+                  ssh-keygen -t ed25519 -N "" -f /tmp/1
+                  TODO
+                fi
+              '';
+            in
+              pkgs.writeShellScript "generate-initrd-keys" ''
+                set -euo pipefail
+                ${pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList generateHostKey self.nodes)}
+              '';
+          };
+        };
       checks = import ./nix/checks.nix inputs system;
       devShells.default = import ./nix/dev-shell.nix inputs system;
       formatter = pkgs.alejandra;

hosts/nom/net.nix

@@ -5,15 +5,17 @@
   };
 
   systemd.network.networks = {
-    wired = {
+    "10-lan0" = {
       DHCP = "yes";
       matchConfig.MACAddress = "00:00:00:00:00:00";
+      networkConfig.IPv6PrivacyExtensions = "kernel";
       dhcpV4Config.RouteMetric = 10;
       dhcpV6Config.RouteMetric = 10;
     };
-    wireless = {
+    "10-wlan0" = {
       DHCP = "yes";
       matchConfig.MACAddress = "00:00:00:00:00:00";
+      networkConfig.IPv6PrivacyExtensions = "kernel";
       dhcpV4Config.RouteMetric = 40;
       dhcpV6Config.RouteMetric = 40;
     };

hosts/ward/net.nix

@@ -1,21 +1,22 @@
 {
   networking = {
     hostId = "49ce3b71";
-    wireless.iwd.enable = true;
   };
 
   systemd.network.networks = {
-    enp1s0 = {
+    "10-lan0" = {
       DHCP = "yes";
       matchConfig.MACAddress = "00:00:00:00:00:00";
+      networkConfig.IPv6PrivacyExtensions = "kernel";
       dhcpV4Config.RouteMetric = 10;
       dhcpV6Config.RouteMetric = 10;
     };
-    enp2s0 = {
+    "10-lan1" = {
       DHCP = "yes";
       matchConfig.MACAddress = "00:00:00:00:00:00";
-      dhcpV4Config.RouteMetric = 10;
-      dhcpV6Config.RouteMetric = 10;
+      networkConfig.IPv6PrivacyExtensions = "kernel";
+      dhcpV4Config.RouteMetric = 20;
+      dhcpV6Config.RouteMetric = 20;
     };
   };
 }

modules/core/default.nix

@@ -46,7 +46,8 @@ in {
   };
 
   networking = {
-    useDHCP = lib.mkForce false;
+    # FIXME: would like to use mkForce false for useDHCP, but nixpkgs#215908 blocks that.
+    useDHCP = true;
     useNetworkd = true;
     wireguard.enable = true;
     dhcpcd.enable = false;

modules/core/ssh.nix

@@ -1,4 +1,17 @@
 {
+  config,
+  name,
+  ...
+}: {
+  rekey.secrets.initrd_host_ed25519_key.file = ../../hosts/${name}/initrd_host_ed25519_key.age;
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 4;
+    hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
+  };
+
   services.sshd.enable = true;
   services.openssh = {
     enable = true;

nix/colmena.nix

@@ -5,7 +5,7 @@
   #impermanence,
   nixos-hardware,
   nixpkgs,
-  ragenix,
+  agenix,
   agenix-rekey,
   templates,
   ...
@@ -28,7 +28,7 @@ with nixpkgs.lib; let
       (../hosts + "/${hostName}")
       home-manager.nixosModules.default
       #impermanence.nixosModules.default
-      ragenix.nixosModules.age
+      agenix.nixosModules.default
       agenix-rekey.nixosModules.default
     ];
   };

nix/overlay.nix

@@ -1,17 +1,8 @@
-{
-  nixpkgs,
-  ragenix,
-  ...
-}:
+{nixpkgs, ...}:
 with nixpkgs.lib; let
   localOverlays =
     mapAttrs'
     (f: _: nameValuePair (removeSuffix ".nix" f) (import (./overlays + "/${f}")))
     (builtins.readDir ./overlays);
 in
-  localOverlays
-  // {
-    default =
-      composeManyExtensions ((attrValues localOverlays)
-        ++ [ragenix.overlays.default]);
-  }
+  localOverlays // {default = composeManyExtensions (attrValues localOverlays);}