Rename secrets

2026-01-05 12:08:42 +01:00 · 2026-01-05 12:08:42 +01:00 · 0ccb9c51b2
commit 0ccb9c51b2
parent 3cce82ce03
37 changed files with 282 additions and 165 deletions
--- a/configurations/nixos/aepplet/default.nix
+++ b/configurations/nixos/aepplet/default.nix
@ -1,27 +1,19 @@
-# ++ 80_Hg: Mercury
-#
-# Minimal environment for a workbase VirtualBox on macOS
 {
  lib,
  pkgs,
  inputs,
  ...
-}:
-with lib._elements; {
+}: {
  imports = [
    ./hardware.nix
    ./disko.nix
  ];

-  elements = {
-    hostname = "mercury";
-    users = ["christopher"];
-    quirks = ["avahi" "docker"];
+  bosun = {
+    # quirks = ["avahi" "docker"];

-    secrets = {
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjqieS4GkYAa1WRYZpxjgYsj7VGZ9U+rTFCkX8M0umD";
  };
-  };

  system.stateVersion = "24.11";

@ -46,7 +38,7 @@ with lib._elements; {
  disko.devices.disk.main.device = "/dev/sda";

  boot.loader.grub.enable = true;
-  networking.hostName = "mercury";
+  networking.hostName = "aepplet";
  time.timeZone = "Europe/Berlin";

  environment.systemPackages = with pkgs; [
--- a/configurations/nixos/aepplet/disko.nix
+++ b/configurations/nixos/aepplet/disko.nix
@ -1,7 +1,9 @@
-{
-  disko.devices = {
-    disk = {
-      main = {
+{inputs, ...}: {
+  imports = [
+    inputs.disko.nixosModules.default
+  ];
+
+  disko.devices.disk.main = {
    type = "disk";
    content = {
      type = "gpt";
@ -31,6 +33,4 @@
      };
    };
  };
-    };
-  };
 }
--- a/configurations/nixos/endurance/default.nix
+++ b/configurations/nixos/endurance/default.nix
@ -7,34 +7,18 @@
  config,
  inputs,
  ...
-}:
-with lib._elements; {
+}: {
  imports = [
    inputs.flatpak.nixosModules.nix-flatpak
    ./hardware.nix
    ./disko.nix
    ./metrics.nix
+    ./musnix.nix
  ];

-  elements = {
-    hostname = "cobalt";
-    users = ["christopher"];
-    quirks = ["avahi" "docker" "nix-ld"];
-    wm = enabled;
-
-    secrets = {
+  bosun = {
+    #quirks = ["avahi" "docker" "nix-ld"];
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjqieS4GkYAa1WRYZpxjgYsj7VGZ9U+rTFCkX8M0umD";
-
-      needs.victoriametricsEnvFile.rekeyFile = "victoria.env.age";
-    };
-  };
-
-  # Set the default drive
-  disko.devices.disk.main.device = "/dev/nvme1n1";
-
-  musnix = {
-    enable = true;
-    rtcqs.enable = true;
  };

  qt = {
--- a/configurations/nixos/endurance/disko.nix
+++ b/configurations/nixos/endurance/disko.nix
@ -1,8 +1,13 @@
-{
+{inputs, ...}: {
+  imports = [
+    inputs.disko.nixosModules.disko
+  ];
+
  disko.devices = {
    disk = {
      main = {
        type = "disk";
+        device = "/dev/nvme1n1";
        content = {
          type = "gpt";
          partitions = {
--- a/configurations/nixos/endurance/metrics.nix
+++ b/configurations/nixos/endurance/metrics.nix
@ -4,6 +4,8 @@
  pkgs,
  ...
 }: {
+  bosun.secrets.victoriametricsEnvFile = "victoria.env.age";
+
  services = {
    telegraf = {
      enable = true;
--- a/configurations/nixos/endurance/musnix.nix
+++ b/configurations/nixos/endurance/musnix.nix
@ -0,0 +1,12 @@
+{inputs, ...}: {
+  imports = [
+    inputs.musnix.nixosModules.default
+  ];
+
+  musnix = {
+    enable = true;
+    rtcqs.enable = true;
+  };
+
+  users.users.toph.extraGroups = ["audio"];
+}
--- a/flake.nix
+++ b/flake.nix
@ -78,8 +78,7 @@
      ...
    }: {
      imports = [
-        inputs.agenix-rekey.flakeModule
-        inputs.disko.flakeModules.default
+        inputs.agenix-rekey.flakeModules.default
        inputs.home-manager.flakeModules.home-manager
        ./modules/flake
      ];
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@ -1,40 +0,0 @@
-# All hosts automatically include this module. This also means that it is necessary for
-# every host to specify the option `elements.secrets.key = "key";`.
-{
-  config,
-  system,
-  inputs,
-  pkgs,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.elements.secrets;
-in {
-  options = {
-    elements.secrets = {
-      rekeyPath = mkOption {
-        type = types.str;
-        default = config.elements.hostname;
-      };
-
-      key = mkOption {
-        type = types.str;
-      };
-
-      needs = mkOption {
-        type = types.attrsOf (types.either types.str types.attrs);
-        default = {};
-      };
-    };
-  };
-
-  config = {
-    environment.systemPackages = [
-      pkgs.age-plugin-yubikey
-      inputs.agenix-rekey.packages.${system}.default
-    ];
-
-    age = lib._elements.agenixRekeyConfig inputs.self cfg;
-  };
-}
--- a/modules/flake/default.nix
+++ b/modules/flake/default.nix
@ -3,5 +3,6 @@
    ./hosts.nix
    ./args.nix
    ./formatter.nix
+    ./lib
  ];
 }
--- a/modules/flake/hosts.nix
+++ b/modules/flake/hosts.nix
@ -6,15 +6,31 @@
  imports = [inputs.easy-hosts.flakeModule];

  config.easy-hosts = {
+    shared.modules = [
+      ../generic/default.nix
+    ];
+
+    perClass = class: {
+      modules = [
+        "${self}/modules/${class}/default.nix"
+      ];
+    };
+
    hosts = {
-      endurance = {};
+      endurance = {
+        path = ../../configurations/nixos/endurance;
+        class = "nixos";
+      };

      vasa = {
-        arch = "aarch64";
+        path = ../../configurations/darwin/vasa;
        class = "darwin";
      };

-      aepplet = {};
+      aepplet = {
+        path = ../../configurations/nixos/aepplet;
+        class = "nixos";
+      };
    };
  };
 }
--- a/modules/flake/lib/default.nix
+++ b/modules/flake/lib/default.nix
@ -0,0 +1,11 @@
+{
+  lib,
+  inputs,
+  ...
+}: {
+  flake.lib = lib.fixedPoints.makeExtensible (final: {
+    secrets = import ./secrets.nix {inherit inputs lib;};
+
+    inherit (final.secrets) mkSecret;
+  });
+}
--- a/modules/flake/lib/secrets.nix
+++ b/modules/flake/lib/secrets.nix
@ -0,0 +1,10 @@
+{
+  inputs,
+  lib,
+  ...
+}: let
+  inherit (inputs) self;
+in {
+  mkSecret = config: {
+  };
+}
--- a/modules/generic/default.nix
+++ b/modules/generic/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./profiles.nix
+    ./secrets.nix
+  ];
+}
--- a/modules/generic/profiles.nix
+++ b/modules/generic/profiles.nix
@ -0,0 +1,10 @@
+{lib, ...}: let
+  inherit (lib) mkEnableOption;
+in {
+  options.bosun.profiles = {
+    graphical.enable = mkEnableOption "Graphical interface";
+    headless.enable = mkEnableOption "Headless";
+    workstation.enable = mkEnableOption "Workstation";
+    server.enable = mkEnableOption "Server";
+  };
+}
--- a/modules/generic/secrets.nix
+++ b/modules/generic/secrets.nix
@ -0,0 +1,78 @@
+{
+  config,
+  system,
+  inputs,
+  pkgs,
+  lib,
+  self,
+  ...
+}:
+with lib; let
+  cfg = config.bosun;
+in {
+  imports = [
+    inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
+
+    # inputs.agenix.homeManagerModules.default
+  ];
+
+  options.bosun = {
+    rekeyPath = mkOption {
+      type = types.str;
+      default = config.networking.hostName;
+    };
+
+    key = mkOption {
+      type = types.str;
+    };
+
+    secrets = mkOption {
+      type = types.attrsOf (types.either types.str types.attrs);
+      default = {};
+    };
+  };
+
+  # TODO: Make this work for both home manager and nixos
+  config = {
+    environment.systemPackages = [
+      pkgs.age-plugin-yubikey
+      inputs.agenix-rekey.packages.${system}.default
+    ];
+
+    age = {
+      # general host setup
+      rekey = {
+        hostPubkey = cfg.key;
+
+        # See https://github.com/oddlama/agenix-rekey?tab=readme-ov-file#local
+        # for potential effects of this decision.
+        storageMode = "local";
+        localStorageDir = self + "/secrets/rekeyed/${cfg.rekeyPath}";
+
+        # Used to decrypt stored secrets for rekeying.
+        masterIdentities = [
+          (self + "/secrets/keys/master-identity.pub")
+        ];
+
+        # Keys that will always be encrypted for. These act as backup keys in
+        # case the master identities are somehow lost.
+        extraEncryptionPubkeys = [
+          "age1zd8wxnmgf04qcan9cvs0736valy8407f497fw9j0auwf072yadzqqdqsj9"
+        ];
+      };
+
+      # map all simplified secrets from `config.bosun.secrets` to their
+      # respective `config.age.secrets` mapping
+      secrets =
+        lib.attrsets.mapAttrs (
+          name: secret: (
+            if builtins.isString secret
+            then {rekeyFile = self + "/secrets/${secret}";}
+            else secret // {rekeyFile = self + "/secrets/${secret.rekeyFile}";}
+          )
+        )
+        cfg.secrets;
+    };
+  };
+}
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./secrets.nix
+  ];
+}
--- a/modules/home/secrets.nix
+++ b/modules/home/secrets.nix
@ -0,0 +1,37 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.bosun;
+in {
+  imports = [
+    inputs.agenix.homeManagerModules.default
+    # inputs.agenix-rekey.homeManagerModules.default
+  ];
+
+  options.bosun = {
+    rekeyPath = mkOption {
+      type = types.str;
+    };
+
+    key = mkOption {
+      type = types.str;
+    };
+
+    secrets = mkOption {
+      type = types.attrsOf (types.either types.str types.attrs);
+      default = {};
+    };
+  };
+
+  config.age =
+    (lib.bosun.mkAgenixConfig inputs.self cfg)
+    // {
+      identityPaths = ["${config.home.homeDirectory}/.ssh/key"];
+      secretsDir = "${config.home.homeDirectory}/.local/share/agenix/agenix";
+      secretsMountPoint = "${config.home.homeDirectory}/.local/share/agenix/agenix.d";
+    };
+}
--- a/modules/home/secrets/default.nix
+++ b/modules/home/secrets/default.nix
@ -1,40 +0,0 @@
-{
-  pkgs,
-  inputs,
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.elements.secrets;
-in {
-  imports = [
-    inputs.agenix.homeManagerModules.default
-    inputs.agenix-rekey.homeManagerModules.default
-  ];
-
-  options = {
-    elements.secrets = {
-      rekeyPath = mkOption {
-        type = types.str;
-      };
-
-      key = mkOption {
-        type = types.str;
-      };
-
-      needs = mkOption {
-        type = types.attrsOf (types.either types.str types.attrs);
-        default = {};
-      };
-    };
-  };
-
-  config.age =
-    (lib._elements.agenixRekeyConfig inputs.self cfg)
-    // {
-      identityPaths = ["${config.home.homeDirectory}/.ssh/key"];
-      secretsDir = "${config.home.homeDirectory}/.local/share/agenix/agenix";
-      secretsMountPoint = "${config.home.homeDirectory}/.local/share/agenix/agenix.d";
-    };
-}
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@ -1,6 +0,0 @@
-{...}: {
-  imports = [
-    ./core
-    ./core/users.nix
-  ];
-}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./services
+    ./system.nix
+    ./users.nix
+  ];
+}
--- a/modules/nixos/common/core/default.nix
+++ b/modules/nixos/common/core/default.nix
--- a/modules/nixos/common/core/users.nix
+++ b/modules/nixos/common/core/users.nix
@ -18,18 +18,17 @@ in
      };
    };

-    config = let
-      mkIfUser = name: mkIf (elem name cfg.users);
-      #secretFor = name: file: mkIfUser name {rekeyFile = ./../../../.. + "/secrets/${file}";};
-    in {
-      # age.secrets.christopher-password = secretFor "christopher" "christopher-password.age";
+    config = {
+      bosun.secrets.tophPassword = "toph-password.age";

      programs.fish.enable = true;
+
      users = {
-        users.christopher = mkIfUser "christopher" {
+        users.toph = {
          isNormalUser = true;
-          # passwordFile = config.age.secrets.christopher-password.path;
+          passwordFile = config.age.secrets.tophPassword.path;
          shell = pkgs.fish;
+
          extraGroups = [
            "wheel"
            "docker"
@ -37,13 +36,14 @@ in
            "uinput"
            "pico"
          ];
+
          openssh.authorizedKeys.keys = [
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEqcR3f71g7yuxQtUewrqdoEh8jDHtkB1973GF0EQ6q christopher@all"
          ];
        };

-        groups.christopher = {
-          members = ["christopher"];
+        groups.toph = {
+          members = ["toph"];
          gid = 1000;
        };
      };
--- a/secrets/rekeyed/aepplet/a833fa567d54391802a4b064f0911c99-tophPassword.age
+++ b/secrets/rekeyed/aepplet/a833fa567d54391802a4b064f0911c99-tophPassword.age
--- a/secrets/rekeyed/cobalt/744ad1a7e324b40d0805e2ef82d8fc5a-victoriametricsEnvFile.age
+++ b/secrets/rekeyed/cobalt/744ad1a7e324b40d0805e2ef82d8fc5a-victoriametricsEnvFile.age
--- a/secrets/rekeyed/cobalt/a833fa567d54391802a4b064f0911c99-tophPassword.age
+++ b/secrets/rekeyed/cobalt/a833fa567d54391802a4b064f0911c99-tophPassword.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 /u/eYA a2YtLIFiK8lETFr+I/Yixme90wgJX/X+kW2KpCFWGiM
+xm/9eER61LCPTiRUi24Qh3gQq1OV8s9BQjgxRJfLvKs
+-> vEX:@rY-grease #.ah Wz?~ Gr|K[7W -.UYxQ#
+CTEhaEVZInKKSMg6Vzb54cghIPT7PbUy57qgdWwXx6lvbnnIxsqnRUwBhLK8sT3w
+Sx+t1v8/cuDK
+--- nzehXvl4h/fS4/3W2Rsn0Uu1E9NUsEIR6ni5qOA/U1I
+–®<EFBFBD>i«8<EFBFBD>üæÅKØ£„®Ù¾eÖ„™‹L•“ž+KV´ÉŒnC(?˜¶±C
--- a/secrets/rekeyed/endurance/744ad1a7e324b40d0805e2ef82d8fc5a-victoriametricsEnvFile.age
+++ b/secrets/rekeyed/endurance/744ad1a7e324b40d0805e2ef82d8fc5a-victoriametricsEnvFile.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 /u/eYA uWoNFabVJzmA1L8l124lyvnvAFgsQ9rh/Okags2UrxU
+vGenkj0xh5FbxTnS91XEz2qAoILYZS5skYHaadaNIBo
+-> F"k"3;+O-grease (5t/PH
+zBRuwDmTbpClRyVeC77vgGo4aDE2/KxWdcJK1gXvu60DxzUfyjlF3SjKLGBx4qIp
+
+--- VxGN6ddpUyGJNbtKpOIoo7dZ3Xy1vxX1GA5f3EXef7g
+‡ÿ&`j‰•¼˜×àZ<C3A0>»å=s§Þ¯·8ôéoz´Ò<C2B4>Óçïr–ˆ–ÌñÎß%*}Ù÷æÇpMuœ` …ÙoK¶«œÐÁ~
+l23vË°
+9qxÍ—g|žòc:2.ÓN
bÕÁ›°i‡‡8cdJ*z#<14>°ÊYð[7Æ¶Ç‘=¿}{ó<><0C>›g	<09>Y`gûçw,*\Ûr‹/B<>Ü[ ƒ±ðÙ&»
--- a/secrets/rekeyed/christopher_cobalt/0abeaf0474074a50285a177aacd7ec0f-id_ethnuc.age
+++ b/secrets/rekeyed/christopher_cobalt/0abeaf0474074a50285a177aacd7ec0f-id_ethnuc.age
--- a/secrets/rekeyed/christopher_cobalt/0f948eedfa8d6e97a197d3e5df42c92e-id_hausgold.age
+++ b/secrets/rekeyed/christopher_cobalt/0f948eedfa8d6e97a197d3e5df42c92e-id_hausgold.age
--- a/secrets/rekeyed/christopher_cobalt/1944c0824166a3a9a50bd2dbd4cef01b-id_rhenium.age
+++ b/secrets/rekeyed/christopher_cobalt/1944c0824166a3a9a50bd2dbd4cef01b-id_rhenium.age
--- a/secrets/rekeyed/christopher_cobalt/241c114c18645057167f14101ddcdbcb-id_homeassistant.age
+++ b/secrets/rekeyed/christopher_cobalt/241c114c18645057167f14101ddcdbcb-id_homeassistant.age
--- a/secrets/rekeyed/christopher_cobalt/68a44c5680f7a6e57f6cc276f6fae690-repoUpdatePAT.age
+++ b/secrets/rekeyed/christopher_cobalt/68a44c5680f7a6e57f6cc276f6fae690-repoUpdatePAT.age
--- a/secrets/rekeyed/christopher_cobalt/a3984008ff2b9a3226656619c81e4c47-emailPassword.age
+++ b/secrets/rekeyed/christopher_cobalt/a3984008ff2b9a3226656619c81e4c47-emailPassword.age
--- a/secrets/rekeyed/christopher_cobalt/bf37e236fcc3c1ce07d32b54d70f80ef-id_europium.age
+++ b/secrets/rekeyed/christopher_cobalt/bf37e236fcc3c1ce07d32b54d70f80ef-id_europium.age
--- a/secrets/rekeyed/christopher_cobalt/d5d9325b86283f0a1572f2817924fea4-id_github.age
+++ b/secrets/rekeyed/christopher_cobalt/d5d9325b86283f0a1572f2817924fea4-id_github.age
--- a/secrets/rekeyed/christopher_cobalt/dcb82593014313ac12faa7a33834a1aa-config.age
+++ b/secrets/rekeyed/christopher_cobalt/dcb82593014313ac12faa7a33834a1aa-config.age
--- a/secrets/rekeyed/christopher_cobalt/f163a86f52bfaee9d516fee4b00a5111-npmrc.age
+++ b/secrets/rekeyed/christopher_cobalt/f163a86f52bfaee9d516fee4b00a5111-npmrc.age
--- a/secrets/toph-password.age
+++ b/secrets/toph-password.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 j/67yub+Kz8oFNN07MHKeCXXwNS0D39nkc+SqAV8UgM
+89AdrCsf4LxQJBl+Q/Xr+GotScOBaP3FpgFEmEnCAQg
+-> piv-p256 Kmn3OQ AjPU/LUjzP+YtoJ8yUeL1uwsA69KSeGNA3EoYcdxhhzs
+a6I1KQkU49lFg/5WAxKcPWu39tUBJbbFsNYS2PFFZSA
+-> 5{Mh-grease k^I'> 8jI;`F8F QO]Z. ?A?`
+SDGA88nlZIKe3/d/ArbzO47BdBBf
+--- bH47GyWwrNHQGcm6j2AaKnCVaxVzVPGRtBBjJb0zoW4
+
+ÂÚ•CG0X{xB[°(s eK,9Ö:_‹oˆR¯k¸öô·V+ãhá*