feat(cache): add secrets and host-keys

klarkc · Dec 20, 2023 · 4bb0dd6 · 4bb0dd6
1 parent c153370
commit 4bb0dd6
Show file tree

Hide file tree

Showing 7 changed files with 103 additions and 16 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,7 @@
 /result
 /*.img
+/*.qcow2
+/secrets/*
+!/secrets/*.nix
+!/secrets/*.age
+!/secrets/*.pub
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -2,11 +2,13 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     generators.url = "github:nix-community/nixos-generators";
+    agenix.url = "github:ryantm/agenix";
     attic.url = "github:zhaofengli/attic";
     everyday.url = "github:klarkc/nixos-everyday";
     # optimizations
     generators.inputs.nixpkgs.follows = "nixpkgs";
     attic.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, ... }@inputs:
@@ -17,6 +19,7 @@
       system = "${platform}-${os}";
       pkgs = import inputs.nixpkgs { inherit system; };
       lib = {
+        secrets = ./secrets;
         mkSystem = options:
           let
             inherit (inputs.nixpkgs.lib) nixosSystem;

diff --git a/secrets/env.age b/secrets/env.age
diff --git a/secrets/klarkc.pub b/secrets/klarkc.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYlM/N+ZY5j5ddzyWWoEsYwnhhDiTGlmprZscFapgWt klarkc@ssdinarch
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -0,0 +1,4 @@
+let klarkc = builtins.readFile ./klarkc.pub; in
+{
+  "env.age".publicKeys = [ klarkc ];
+}
diff --git a/setups/cache/default.nix b/setups/cache/default.nix
@@ -1,20 +1,28 @@
 { system, pkgs, flake, ... }:
 let
-  inherit (flake.inputs.everyday.nixosModules) logger;
+  inherit (flake.inputs.generators.nixosModules) vm-nogui;
+  inherit (flake.inputs.everyday.nixosModules) logger host-keys;
   inherit (flake.inputs.attic.nixosModules) atticd;
-  inherit (flake.outputs.lib) mkSystem;
+  inherit (flake.outputs.lib) mkSystem secrets;
+  agenix = flake.inputs.agenix.nixosModules.default;
   domain = "cache.klarkc.is-a.dev";
+  home = "/home/klarkc";
   cache-module = { config, ... }: {
+    imports = [ logger atticd vm-nogui agenix host-keys ];
+    # cd secrets
+    # echo -n 'ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="' > env
+    # openssl rand 64 | base64 -w0 >> env
+    # echo -n '"' >> env
+    # cat env | nix run github:ryantm/agenix -- -e env.age -i ~/.ssh/id_ed25519
+    # cp ~/.ssh/id_ed25519.pub klarkc.pub
+    age.secrets.env.file = "${secrets}/env.age";
+    services.atticd.credentialsFile = config.age.secrets.env.path;
+    host-keys.source = "${home}/.ssh";
     system.stateVersion = config.system.nixos.version;
-    imports = [ logger atticd ];
     fileSystems."/".device = "none";
     boot.loader.grub.device = "nodev";
     services.atticd = {
       enable = true;
-      # echo -n 'ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="' > /tmp/atticd.env
-      # openssl rand 64 | base64 -w0 >> /tmp/atticd.env
-      # echo -n '"' >> /tmp/atticd.env
-      credentialsFile = "/tmp/atticd.env";
       settings = {
         listen = "[::]:8080";
         chunking = {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYlM/N+ZY5j5ddzyWWoEsYwnhhDiTGlmprZscFapgWt klarkc@ssdinarch