remove agenix

.github/labeler.yml

@@ -11,7 +11,7 @@
           - "secrets.yaml"
           - "**/*/*.enc.json"
           - "**/*/secrets.yaml"
-          - "secrets/**/*"
+          - "modules/secrets/**/*"
 
 "terraform":
   - changed-files:

dev/shell.nix

@@ -1,11 +1,10 @@
-{ inputs', pkgs, ... }:
+{ pkgs, ... }:
 {
   devShells = {
     default =
       with pkgs;
       mkShellNoCC {
         packages = [
-          inputs'.agenix.packages.default
           jq
           python3.pkgs.deploykit
           python3.pkgs.invoke

dev/treefmt.nix

@@ -32,7 +32,6 @@
   };
 
   settings.global.excludes = [
-    "*.age"
     # vendored from external source
     "hosts/build02/packages-with-update-script.nix"
   ];

devdoc/onboarding.md

@@ -4,8 +4,6 @@
 
 - Add their user and ssh key to [users](../users) as member of the `trusted` and `wheel` groups.
 
-- Add their user to [secrets/secrets.nix](../secrets/secrets.nix) and run `inv update-agenix-files`.
-
 - Add their age key to [sops.json](../sops.json) and run `inv update-sops-files`.
 
 - Add their email in [terraform/locals.tf](../terraform/locals.tf), this will give them access to:

flake.lock

@@ -1,34 +1,5 @@
 {
   "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": [
-          "nix-darwin"
-        ],
-        "home-manager": [
-          "empty"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "systems": [
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
     "buildbot-nix": {
       "inputs": {
         "flake-parts": [
@@ -353,7 +324,6 @@
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
         "buildbot-nix": "buildbot-nix",
         "cgroup-exporter": "cgroup-exporter",
         "disko": "disko",

flake.nix

@@ -7,11 +7,6 @@
   ];
 
   inputs = {
-    agenix.inputs.darwin.follows = "nix-darwin";
-    agenix.inputs.home-manager.follows = "empty";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
-    agenix.inputs.systems.follows = "systems";
-    agenix.url = "github:ryantm/agenix";
     buildbot-nix.inputs.flake-parts.follows = "flake-parts";
     buildbot-nix.inputs.hercules-ci-effects.follows = "hercules-ci-effects";
     buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";

modules/darwin/common/default.nix

@@ -12,7 +12,6 @@
     ./sops-nix.nix
     ./telegraf.nix
     ./users.nix
-    inputs.agenix.darwinModules.age
     inputs.srvos.darwinModules.server
   ];
 

modules/nixos/common/agenix.nix

@@ -1,6 +0,0 @@
-{ inputs, ... }:
-{
-  imports = [
-    inputs.agenix.nixosModules.age
-  ];
-}

modules/nixos/common/default.nix

@@ -8,7 +8,6 @@
   imports = [
     ../../shared/known-hosts.nix
     ../../shared/nix-daemon.nix
-    ./agenix.nix
     ./builder.nix
     ./security.nix
     ./sops-nix.nix

secrets/secrets.nix

@@ -1,22 +0,0 @@
-let
-  users = map (name: builtins.readFile ../users/keys/${name}) userNames;
-
-  userNames = [
-    "adisbladis"
-    "mic92"
-    "ryantm"
-    "zimbatm"
-    "zowoq"
-  ];
-
-  inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
-
-  secrets = {
-  };
-in
-builtins.listToAttrs (
-  map (secretName: {
-    name = "${secretName}.age";
-    value.publicKeys = secrets."${secretName}" ++ users;
-  }) (builtins.attrNames secrets)
-)

tasks.py

@@ -53,15 +53,6 @@ def sotp(c: Any, acct: str) -> None:
     c.run(f"nix develop .#sotp -c sotp {acct}")
 
 
-@task
-def update_agenix_files(c: Any) -> None:
-    """
-    Update all agenix secrets
-    """
-    os.chdir("secrets")
-    c.run("agenix --rekey", pty=True)
-
-
 @task
 def update_sops_files(c: Any) -> None:
     """