diff --git a/.envrc b/.envrc index 1678f0e..461a3d0 100644 --- a/.envrc +++ b/.envrc @@ -1,4 +1,6 @@ use flake watch_file flake.nix +# Allow ragenix to find it's configuration +export RULES=$(realpath ./secrets/secrets.nix) export NIXOPS_DEPLOYMENT=jfdic-ops diff --git a/.gitignore b/.gitignore index b72f980..92b2793 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ .direnv -secrets diff --git a/README.rst b/README.rst index b7d2737..d0db2b9 100644 --- a/README.rst +++ b/README.rst @@ -1,10 +1,10 @@ JFDIC Ops ========= -NixOps_ deployment configuration for `JFDI Collective`_ services. +Colmena_ deployment configuration for `JFDI Collective`_ services. The canonical home for this repo is https://source.jfdic.org/jfdic/jfdic-ops -.. _NixOps: https://nixos.org/nixops +.. _Colmena: https://colmena.cli.rs/ .. _JFDI Collective: https://jfdic.org/ diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..bfce7af --- /dev/null +++ b/default.nix @@ -0,0 +1,19 @@ +{ + sources ? import ./nix/sources.nix, + system ? builtins.currentSystem, + crossSystem ? null, + config ? {}, + alejandraUnstable ? (import sources.nixpkgsUnstable {}).alejandra, +} @ args: +with import ./nix args; { + shell = mkShell { + buildInputs = [ + alejandraUnstable # The Uncompromising Nix Code Formatter + colmena + niv + treefmt # one CLI to format the code tree + ]; + NIX_PATH = "nixpkgs=${sources.nixpkgs}"; + NIXOPS_DEPLOYMENT = "${globals.deploymentName}"; + }; +} diff --git a/flake.lock b/flake.lock index 7e85e9d..0a827df 100644 --- a/flake.lock +++ b/flake.lock 
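Review bot: The new `export RULES=$(realpath ./secrets/secrets.nix)` line is added right above `export NIXOPS_DEPLOYMENT=jfdic-ops`, a variable that the rest of this commit makes obsolete by moving deployment from NixOps to Colmena; the new default.nix in this commit sets `NIXOPS_DEPLOYMENT` as well. Either drop the variable in both places or add a comment naming what still reads it, so the next reader does not assume NixOps is still in use. The comment on the new line has a typo; `# Allow ragenix to find its configuration (secrets/secrets.nix reads $RULES)` also says why the variable exists.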
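Review bot: The shell declared in this new default.nix lists a different tool set (niv, no ragenix, no nix, no tea) from the one in shell.nix changed in this same commit, so the flake and non-flake entry points will drift apart unless one delegates to the other. It also depends on `./nix/sources.nix`, `./nix` and `globals.deploymentName`, none of which appear in this diff, so it is not clear the file evaluates as committed. If a non-flake entry point is wanted, a short header comment stating that and making `shell` reuse `./shell.nix` would keep a single source of truth. `NIXOPS_DEPLOYMENT = "${globals.deploymentName}"` carries the NixOps name into a Colmena-based setup and should go with it or be explained.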
@@ -1,5 +1,103 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1677126346, + "narHash": "sha256-4s+PPGC1M07QsPyeye5drc2JLa1lhDnCV3XAsG8+pH4=", + "owner": "ryantm", + "repo": "agenix", + "rev": "c2a71c83c70844c5e31db69347e86af080bcdad0", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "stable": "stable", + "utils": "utils" + }, + "locked": { + "lastModified": 1664434431, + "narHash": "sha256-F/Jl1GqSp08fw7PCHiv/ijn/pAP1YOStIhHws291s7A=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "7253d9b4bb1f0f031d926092cb5dae3b03f1e812", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "v0.3.2", + "repo": "colmena", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1676283394, + "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "type": "github" + }, + "original": { + "owner": 
"numtide", + "repo": "flake-utils", + "type": "github" + } + }, "hakyll-skeleton": { "flake": false, "locked": { @@ -53,7 +151,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { @@ -71,38 +169,18 @@ "type": "github" } }, - "nixops": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "utils": "utils" - }, - "locked": { - "lastModified": 1657388807, - "narHash": "sha256-MtTM5KUHIDqnY254chIOp00EmsbYsXR3mXrnbbY4wg0=", - "owner": "NixOS", - "repo": "nixops", - "rev": "dcafae5258773dc0fbdd31b425f1ad3fb59173fe", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixops", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1657693803, - "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=", + "lastModified": 1653060744, + "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2", + "rev": "dfd82985c273aac6eced03625f454b334daae2e8", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.05-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -141,16 +219,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1656753965, - "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=", + "lastModified": 1657693803, + "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0ea7a8f1b939d74e5df8af9a8f7342097cdf69eb", + "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-22.05-small", "repo": "nixpkgs", "type": "github" } 
@@ -171,6 +249,29 @@ "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1677625082, + "narHash": "sha256-62xmRPfjZgDn8AgEhb6eRoJrTxGeM8HfhfF+PkJokok=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "6f2dacf3d6af36228a8fad3b136990a6b6dfe30b", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "resrok-web": { "flake": false, "locked": { 
@@ -190,24 +291,66 @@ }, "root": { "inputs": { + "colmena": "colmena", "hakyll-skeleton": "hakyll-skeleton", "jfdic-web": "jfdic-web", "nix": "nix", - "nixops": "nixops", "nixpkgs": "nixpkgs_3", "nixpkgsUnstable": "nixpkgsUnstable", + "ragenix": "ragenix", "resrok-web": "resrok-web", "utils": "utils_2", "voc-web": "voc-web" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676687290, + "narHash": "sha256-DP0CJ7qtUXf+mmMglJL1yANizzV1O4UfQ9NrKgy7O04=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "bdccd5e973d45159f7d13f7c65a4271dc02cf6d4", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "stable": { + "locked": { + "lastModified": 1653087707, + "narHash": "sha256-zfno3snrzZTWQ2B7K53QHrGZwrjnJLTRPalymrSsziU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "cbd40c72b2603ab54e7208f99f9b35fc158bc009", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, "utils": { "locked": { - "lastModified": 1634851050, - "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", + "lastModified": 1649676176, + "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", "owner": "numtide", "repo": "flake-utils", - "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935", + "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 1cc7159..93c4f10 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,10 @@ description = "jfdic-ops deployment"; inputs = { + ragenix = { + url = "github:yaxitech/ragenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; hakyll-skeleton = { flake = false; url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus; 
@@ -15,7 +19,6 @@ url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus; }; nix.url = "github:NixOS/nix/?ref=2.10.3"; - nixops.url = github:NixOS/nixops/?ref=master; nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.11; nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable; utils.url = "github:numtide/flake-utils"; @@ -23,6 +26,7 @@ flake = false; url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus; }; + colmena.url = "github:zhaofengli/colmena/?ref=v0.3.2"; }; outputs = {...} @ args: import ./outputs.nix args; diff --git a/hosts/toscano.nix b/hosts/toscano.nix deleted file mode 100644 index 3811812..0000000 --- a/hosts/toscano.nix +++ /dev/null @@ -1,26 +0,0 @@ -# NixOps configuration for toscano -# -# https://en.wikipedia.org/wiki/Joseph_Toscano -{ - config, - pkgs, - lib, - ... -}: { - imports = [ - ../networks/linode.nix - ../profiles/forgejo.nix - ../profiles/hakyll-skeleton.nix - ../profiles/jfdic-web.nix - ../profiles/resrok-web.nix - ../profiles/tmateServer.nix - ../profiles/voc-web.nix - ../secrets/forgejo.nix - ]; - - deployment.targetHost = "45.79.236.198"; - - networking.hostName = "toscano"; - - system.stateVersion = "21.05"; # The version of NixOS originally installed -} diff --git a/nixos/configurations.nix b/nixos/configurations.nix new file mode 100644 index 0000000..50b1ea5 --- /dev/null +++ b/nixos/configurations.nix 
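Review bot: `colmena.url` is added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike the `ragenix` input added earlier in this file, so flake.lock now carries colmena's own `nixpkgs` (nixos-unstable) and `stable` (nixos-21.11) trees on top of the repo's nixos-22.11; every extra pinned tree is one more source to track and update. If colmena's flake evaluates against the repo's nixpkgs, `colmena = { url = "github:zhaofengli/colmena/?ref=v0.3.2"; inputs.nixpkgs.follows = "nixpkgs"; };` trims the lock to the inputs this repo actually chose. As a point of style, `ragenix` is inserted at the top of `inputs` and `colmena` at the bottom while the existing entries are alphabetical; keeping that order makes future diffs easier to read.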
@@ -0,0 +1,33 @@
+{
+ self,
+ nixpkgs,
+ inputs,
+ nix,
+ ...
+}: let
+ nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+ customModules = import ../modules/modules-list.nix;
+ baseModules = [
+ # make flake inputs accessiable in NixOS
+ {_module.args.inputs = inputs;}
+ {
+ imports = [
+ ({pkgs, ...}: {
+ nix.nixPath = [
+ "nixpkgs=${pkgs.path}"
+ ];
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ documentation.info.enable = false;
+ })
+ ];
+ }
+ ];
+ defaultModules = baseModules ++ customModules;
+ deployment = {
+ allowLocalDeployment = true;
+ };
+in {
+ #toscano = import ./hosts/toscano/configuration.nix;
+}
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
new file mode 100644
index 0000000..467beae
--- /dev/null
+++ b/nixos/hosts/toscano/configuration.nix
@@ -0,0 +1,36 @@
+# NixOS configuration for toscano
+#
+# https://en.wikipedia.org/wiki/Joseph_Toscano
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = [
+ ../../../networks/linode.nix
+ ../../../profiles/forgejo.nix
+ ../../../profiles/hakyll-skeleton.nix
+ ../../../profiles/jfdic-web.nix
+ ../../../profiles/resrok-web.nix
+ ../../../profiles/tmateServer.nix
+ ../../../profiles/voc-web.nix
+ ];
+
+ age.secrets = {
+ forgejo = {
+ file = ../../../secrets/forgejo.age;
+ owner = "gitea";
+ group = "gitea";
+ };
+ };
+
+ deployment = {
+ tags = ["infra"];
+ targetHost = "45.79.236.198";
+ };
+
+ networking.hostName = "toscano";
+
+ system.stateVersion = "21.05"; # The version of NixOS originally installed
+}
diff --git a/outputs.nix b/outputs.nix
index d3be2f7..9c6d144 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -2,8 +2,9 @@
 self,
 hakyll-skeleton,
 jfdic-web,
+ ragenix,
+ colmena,
 nix,
- nixops,
 nixpkgs,
 nixpkgsUnstable,
 resrok-web,
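Review bot: Every binding in the `let` block (`nixosSystem`, `customModules`, `baseModules`, `defaultModules`, `deployment`) is unused, because the returned attribute set is empty and its only entry (`#toscano = ...`) is commented out, so this file currently has no effect. outputs.nix in this same commit carries the matching commented-out `nixosConfigurations = import ./nixos/configurations.nix ...` block with a note that it is in the wrong place; either finish that wiring or leave this file out of the commit rather than adding dead scaffolding. `../modules/modules-list.nix` is not added by this diff, so the import would presumably fail once the bindings are used. The comment typo `accessiable` should read `accessible`, and the `nix.extraOptions` module turns on `experimental-features = nix-command flakes` host-wide, which deserves a one-line comment saying what needs it.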
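Review bot: `age.secrets.forgejo` is declared in the host file, but its only consumer is `profiles/forgejo.nix` (changed in this same commit to read `config.age.secrets.forgejo.path`), so any other host importing that profile without this block would presumably fail at evaluation; `profiles/users.nix` in this commit declares its `age.secrets` next to their use, and moving this block into `profiles/forgejo.nix` would follow that convention. `owner = "gitea"` / `group = "gitea"` only line up with `services.gitea` while its user and group are left at their defaults, so a comment such as `# must match services.gitea.user/group so the service can read the DB password file` makes the coupling visible. The `config`, `pkgs` and `lib` module arguments are all unused in this file.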
@@ -12,32 +13,37 @@ ... } @ inputs: (utils.lib.eachDefaultSystem (system: let - pkgs = - nixpkgs.legacyPackages."${system}"; + pkgs = nixpkgs.legacyPackages."${system}"; in { devShell = pkgs.callPackage ./shell.nix { + inherit (ragenix.packages."${pkgs.system}") ragenix; + inherit (colmena.packages."${pkgs.system}") colmena; inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; - nixops = nixops.defaultPackage."${pkgs.system}"; }; })) // { - nixopsConfigurations.default = { - inherit nixpkgs; - network = { - description = "jfdic-ops nodes"; - enableRollback = true; - storage.legacy = { - databasefile = "~/.nixops/deployments.nixops"; + colmena = { + meta = { + description = "jfdi collective's NixOS deployment"; + name = "jfdic-ops"; + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = []; }; }; - defaults = { - system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps - _module.args.inputs = inputs; # make flake inputs accessiable in NixOS - imports = [./profiles/host_common.nix]; + toscano = { + imports = [ + ./nixos/hosts/toscano/configuration.nix + ragenix.nixosModules.default + ]; }; - toscano = import ./hosts/toscano.nix; }; + # The below lines are in the wrong place + #nixosConfigurations = import ./nixos/configurations.nix (inputs + # // { + # inherit inputs; + # }); } diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix index 83e10c6..326e550 100644 --- a/profiles/forgejo.nix +++ b/profiles/forgejo.nix 
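Review bot: The removed `defaults` block is not carried over into the new `colmena` attribute, so `./profiles/host_common.nix`, `system.autoUpgrade.enable = false` and `_module.args.inputs = inputs` no longer reach `toscano` unless `nixos/hosts/toscano/configuration.nix` or one of its imports picks them up (host_common.nix is not among its imports in this commit). Colmena supports a `defaults` node and `meta.specialArgs` for exactly this; `defaults = { imports = [./profiles/host_common.nix]; system.autoUpgrade.enable = false; };` plus `meta.specialArgs = { inherit inputs; };` would restore the previous behaviour and remove the need for the `builtins.getFlake` workaround this commit introduces in the profiles. `meta.nixpkgs` hard-codes `x86_64-linux` while the devShell above is built for `eachDefaultSystem`; a comment stating that the deployment targets are x86_64 only would explain the asymmetry. The commented-out `nixosConfigurations` block under `# The below lines are in the wrong place` should be moved or dropped rather than committed as dead code.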
@@ -1,23 +1,26 @@ # NixOps configuration for the hosts running Forgejo { config, - inputs, pkgs, lib, ... - }: { +}: let + flake = builtins.getFlake (toString ../.); + nixpkgsUnstable = flake.inputs.nixpkgsUnstable; + forgejo = nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo; +in { services.gitea = { enable = true; # Enable Forgejo appName = "JFDI Collective: Forgejo Service"; # Give the site a name database = { type = "postgres"; # Database type - passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password + passwordFile = config.age.secrets.forgejo.path; }; disableRegistration = true; domain = "source.jfdic.org"; # Domain name rootUrl = "https://source.jfdic.org/"; # Root web URL httpPort = 3002; # Provided unique port - package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo; # a soft fork of gitea + package = forgejo; # a soft fork of gitea settings = let docutils = pkgs.python37.withPackages (ps: with ps; [ diff --git a/profiles/hakyll-skeleton.nix b/profiles/hakyll-skeleton.nix index 830ecbd..b9ec514 100644 --- a/profiles/hakyll-skeleton.nix +++ b/profiles/hakyll-skeleton.nix @@ -2,11 +2,11 @@ { self, config, - inputs, pkgs, ... }: let - hakyll-skeleton = import inputs.hakyll-skeleton {}; + flake = builtins.getFlake (toString ../.); + hakyll-skeleton = import flake.inputs.hakyll-skeleton {}; webdomain = "skeleton.jfdic.org"; in { environment.sessionVariables = { diff --git a/profiles/jfdic-web.nix b/profiles/jfdic-web.nix index e60fdec..947aeef 100644 --- a/profiles/jfdic-web.nix +++ b/profiles/jfdic-web.nix @@ -2,11 +2,11 @@ { self, config, - inputs, pkgs, ... }: let - jfdic-web = import inputs.jfdic-web {}; + flake = builtins.getFlake (toString ../.); + jfdic-web = import flake.inputs.jfdic-web {}; webdomain = "jfdic.org"; in { environment.sessionVariables = { diff --git a/profiles/resrok-web.nix b/profiles/resrok-web.nix index e0fa7b5..b7007b4 100644 --- a/profiles/resrok-web.nix +++ b/profiles/resrok-web.nix 
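Review bot: `flake = builtins.getFlake (toString ../.)` re-evaluates this repository's flake from inside a NixOS module (and presumably resolves its locked inputs) just to reach `inputs.nixpkgsUnstable`; the same construct is repeated in the hakyll-skeleton, jfdic-web, resrok-web and voc-web hunks of this commit. It relies on flakes being enabled in the evaluator and on `../.` being a flake root at evaluation time, which is not guaranteed if a profile is ever imported from elsewhere or through the non-flake default.nix added in this commit. Passing the inputs in via Colmena's `meta.specialArgs = { inherit inputs; };` (or `_module.args.inputs` in a `defaults` node) would let the profiles keep their original `inputs` parameter and avoid the nested evaluation. The header `# NixOps configuration for the hosts running Forgejo` is now stale; `# NixOS profile for the hosts running Forgejo` matches the rest of the rename. `passwordFile = config.age.secrets.forgejo.path` means the secret must be declared wherever this profile is imported, which in this commit happens only in nixos/hosts/toscano/configuration.nix.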
@@ -2,11 +2,11 @@ { self, config, - inputs, pkgs, ... }: let - resrok-web = import inputs.resrok-web {}; + flake = builtins.getFlake (toString ../.); + resrok-web = import flake.inputs.resrok-web {}; webdomain = "resrok.org"; in { environment.sessionVariables = { diff --git a/profiles/server_common.nix b/profiles/server_common.nix index cad1c54..2b900b4 100644 --- a/profiles/server_common.nix +++ b/profiles/server_common.nix @@ -7,8 +7,7 @@ }: { imports = [ ../profiles/openssh.nix - ../secrets/user-fiscalvelvetpoet.nix - ../secrets/user-root.nix + ../profiles/users.nix ]; programs.mosh = { diff --git a/profiles/users.nix b/profiles/users.nix new file mode 100644 index 0000000..6699a24 --- /dev/null +++ b/profiles/users.nix @@ -0,0 +1,37 @@ +# Configuration common to all JFDIC servers +{ + config, + pkgs, + ... +}: { + age.secrets = { + root.file = ../secrets/root.age; + fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age; + }; + + # JFDIC Ops groups: + users.groups.fiscalvelvetpoet.gid = 1000; + + # JFDIC Ops Users + users.users.fiscalvelvetpoet = { + isNormalUser = true; + uid = 1000; + group = "fiscalvelvetpoet"; + extraGroups = ["wheel"]; + # fix this + passwordFile = config.age.secrets.fiscalvelvetpoet.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair" + ]; + }; + + users.users.root = { + # fix this + passwordFile = config.age.secrets.root.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair" + ]; + }; +} diff --git a/profiles/voc-web.nix b/profiles/voc-web.nix index dc61399..655dfa6 100644 --- a/profiles/voc-web.nix +++ b/profiles/voc-web.nix 
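Review bot: The `openssh.authorizedKeys.keys` lists for `fiscalvelvetpoet` and `root` are byte-identical copies of the same two ed25519 keys, and the first of them is also spelled out in `secrets/secrets.nix`; bind the list once at the top of the module (`let opsKeys = [ "ssh-ed25519 ... fiscalvelvetpoet@jfdic.org" "ssh-ed25519 ... fiscalvelvetpoet@sealgair" ]; in { ... }`) so that rotating a key, or removing root's copy, is a single edit. The two `# fix this` comments do not say what is wrong: `passwordFile` must name a file holding the already hashed password, so if the `.age` files contain something else the comment should state that and the intended fix. Whether root can log in with a password or only with these keys depends on `profiles/openssh.nix` and `users.mutableUsers`, neither of which is in this diff; a comment next to `users.users.root` stating the intended policy would make that reviewable. The `pkgs` module argument is unused.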
@@ -2,11 +2,11 @@ { self, config, - inputs, pkgs, ... }: let - voc-web = import inputs.voc-web {}; + flake = builtins.getFlake (toString ../.); + voc-web = import flake.inputs.voc-web {}; webdomain = "voicesofcapricornia.org"; in { environment.sessionVariables = { diff --git a/secrets/fiscalvelvetpoet.age b/secrets/fiscalvelvetpoet.age new file mode 100644 index 0000000..df3c33a --- /dev/null +++ b/secrets/fiscalvelvetpoet.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl +K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY +VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1 +MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x +Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR +MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4 +KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp +MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv +RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG +CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP +4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc +NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/forgejo.age b/secrets/forgejo.age new file mode 100644 index 0000000..7a5dfc2 --- /dev/null +++ b/secrets/forgejo.age 
@@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC +eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu +Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1 +MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG +aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy +RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0 +d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG +d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM +0xrmCMh3IsOvPa60vuY= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/root.age b/secrets/root.age new file mode 100644 index 0000000..f8653d1 --- /dev/null +++ b/secrets/root.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ +M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5 +SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1 +MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR +UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD +NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy +Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz +Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW +d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG +WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0 +cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv +g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8 +QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..05d04e4 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,14 @@ +# Used by ragenix nix only. +# Ensure that $RULES has been set via direnv +let + fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so"; + ops = [fiscalvelvetpoet]; + users = [fiscalvelvetpoet]; + + toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE"; + systems = [toscano]; +in { + "root.age".publicKeys = ops ++ systems; + "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems; + "forgejo.age".publicKeys = [fiscalvelvetpoet toscano]; +} diff --git a/shell.nix b/shell.nix index a6c2c48..15644ed 100644 --- a/shell.nix +++ b/shell.nix @@ -1,16 +1,18 @@ { pkgs ? import {}, + ragenix, alejandra, mkShell, - nixops, + colmena, nix, }: with pkgs; mkShell { buildInputs = [ + ragenix # CLI management of secrets encrypted via existing SSH keys alejandra # The Uncompromising Nix Code Formatter - nixops - nix + colmena # simple, stateless NixOS deployment tool + nix # Powerful package manager, makes packaging reliable & reproducible tea # Gitea official CLI client treefmt # one CLI to format the code tree ];
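Review bot: `ops` and `users` are both `[fiscalvelvetpoet]`, `users` is never referenced, and the three rules spell the same recipient sets three different ways (`ops ++ systems`, `[fiscalvelvetpoet] ++ systems`, `[fiscalvelvetpoet toscano]`), so adding a second operator or host means touching every line. Use the named lists consistently, e.g. `"fiscalvelvetpoet.age".publicKeys = users ++ systems;` and `"forgejo.age".publicKeys = ops ++ systems;`, and either use `users` or delete it. A comment next to `toscano` saying which key it is (presumably the host's sshd key that ragenix decrypts against at activation) and how it was obtained would help whoever rotates it. With `secrets` removed from .gitignore in this commit everything under secrets/ is now tracked, so an ignore rule that keeps only `*.age` and `secrets.nix` would guard against committing a decrypted scratch file. The header `# Used by ragenix nix only.` reads oddly; `# Recipient rules for ./*.age, read by ragenix via $RULES (set in .envrc).` is clearer.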