ragenix: add initial user secrets

progresses #11
2023-04-20 13:45:06 +10:00 · 2023-04-20 13:45:06 +10:00 · 27454a11e4
parent 4a6e51a9a7
commit 27454a11e4
3 changed files with 15 additions and 9 deletions
--- a/outputs.nix
+++ b/outputs.nix
@ -23,12 +23,6 @@ in {
      inherit (nix.packages."${pkgs.system}") nix;
      inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
    };
-  nixosConfigurations = nixpkgs.lib.nixosSystem {
-    system = "${pkgs.system}";
-    modules = [
-      ragenix.nixosModules.default
-    ];
-  };
 }))
 // {
  colmena = {
@ -40,7 +34,12 @@ in {
        overlays = [];
      };
    };
-    toscano = import ./nixos/hosts/toscano/configuration.nix;
+    toscano = {
+      imports = [
+        ./nixos/hosts/toscano/configuration.nix
+        ragenix.nixosModules.default
+      ];
+    };
    # The below lines are in the wrong place
    #nixosConfigurations = import ./nixos/configurations.nix (inputs
    #  // {
--- a/profiles/users.nix
+++ b/profiles/users.nix
@ -4,6 +4,11 @@
  pkgs,
  ...
 }: {
+  age.secrets = {
+    root.file = ../secrets/root.age;
+    fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age;
+  };
+
  # JFDIC Ops groups:
  users.groups.fiscalvelvetpoet.gid = 1000;

@ -14,7 +19,7 @@
    group = "fiscalvelvetpoet";
    extraGroups = ["wheel"];
    # fix this
-    #passwordFile = config.age.secrets.fiscalvelvetpoet.path;
+    passwordFile = config.age.secrets.fiscalvelvetpoet.path;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
@ -23,7 +28,7 @@

  users.users.root = {
    # fix this
-    #passwordFile = config.age.secrets.root.path;
+    passwordFile = config.age.secrets.root.path;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,3 +1,5 @@
+# Used by ragenix nix only.
+# Ensure that $RULES has been set
 let
  fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
  ops = [fiscalvelvetpoet];