-rw-r--r--.gitignore1
-rw-r--r--flake.lock88
-rw-r--r--flake.nix28
-rw-r--r--nix/lib/mkSystem.nix2
-rw-r--r--secrets/restic-backups.age7
-rw-r--r--secrets/secrets.nix12
6 files changed, 130 insertions, 8 deletions
diff --git a/.gitignore b/.gitignore
index 942f51c..7f2acd4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,3 @@
/*.qcow2
bin/
/.direnv/
-/secrets/
diff --git a/flake.lock b/flake.lock
index e4030df..ba094ab 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,8 +1,53 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1723293904,
+ "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
"darwin": {
"inputs": {
"nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1700795494,
+ "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
+ "darwin_2": {
+ "inputs": {
+ "nixpkgs": [
"nixpkgs"
]
},
@@ -58,7 +103,7 @@
},
"flake-utils": {
"inputs": {
- "systems": "systems"
+ "systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
@@ -98,6 +143,27 @@
"home-manager": {
"inputs": {
"nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1703113217,
+ "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
"nixpkgs"
]
},
@@ -173,10 +239,11 @@
},
"root": {
"inputs": {
- "darwin": "darwin",
+ "agenix": "agenix",
+ "darwin": "darwin_2",
"devshell": "devshell",
"flake-utils": "flake-utils",
- "home-manager": "home-manager",
+ "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks",
"treefmt-nix": "treefmt-nix"
@@ -197,6 +264,21 @@
"type": "github"
}
},
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 90a217f..83db950 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,17 +20,33 @@
};
flake-utils.url = "github:numtide/flake-utils";
+
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
- devshell.url = "github:numtide/devshell";
- devshell.inputs.nixpkgs.follows = "nixpkgs";
+
+ devshell = {
+ url = "github:numtide/devshell";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
};
# Output config, or config for NixOS system
outputs =
- { nixpkgs, darwin, flake-utils, pre-commit-hooks, devshell, ... }@inputs:
+ { nixpkgs
+ , darwin
+ , flake-utils
+ , pre-commit-hooks
+ , devshell
+ , agenix
+ , ...
+ }@inputs:
flake-utils.lib.eachDefaultSystem
(system:
let
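Review bot: The new `agenix` input makes only `nixpkgs` follow the top-level input, so its other inputs are locked separately. The flake.lock in this commit gains extra `darwin`, `home-manager` and `systems` nodes at their own revisions, and the root's copies are renamed `darwin_2` and `home-manager_2`. Adding `inputs.darwin.follows = "darwin";` and `inputs.home-manager.follows = "home-manager";` inside the `agenix = { … }` block would keep one locked copy of each and leave fewer upstream sources to audit. The `outputs` function continues outside the hunk.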
@@ -53,7 +69,11 @@
};
devShells.default = pkgs.devshell.mkShell {
- packages = with pkgs; [ just ];
+ packages = with pkgs; [
+ just
+ agenix
+ inputs.agenix.packages."${system}".default
+ ];
env = [{
name = "DEVSHELL_NO_MOTD";
value = "1";
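Review bot: The bare `agenix` entry in `packages` looks unintended. `with pkgs;` does not override a name that is already lexically bound, and `agenix` is bound by the `outputs` argument pattern, so this element most likely evaluates to the flake input itself rather than to a package. The following line, `inputs.agenix.packages."${system}".default`, already provides the CLI, so the `agenix` line can be dropped. This assumes the devShell sits inside the `outputs` function, whose body is only partly visible in the hunk.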
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index 87af732..13e052e 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -36,6 +36,8 @@ systemFunc rec {
home-manager.users.${user} = import userHMConfig { inputs = inputs; };
}
+ inputs.agenix.nixosModules.default
+
# We expose some extra arguments so that our modules can parameterize
# better based on these values.
{
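Review bot: `inputs.agenix.nixosModules.default` is added to the module list unconditionally, but `systemFunc` is a parameter and the flake also carries a `darwin` input. If this helper is ever called with nix-darwin's system function, the NixOS module is the wrong one and agenix's `darwinModules.default` should be selected instead. A short comment above the line, such as `# agenix: decrypts age.secrets at activation with the host SSH key`, would also record why the module is here. The `systemFunc rec { … }` call starts and ends outside the hunk, so whether a darwin branch exists cannot be confirmed from here.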
diff --git a/secrets/restic-backups.age b/secrets/restic-backups.age
new file mode 100644
index 0000000..5e8ea2f
--- /dev/null
+++ b/secrets/restic-backups.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 9Ia8+w mPCN4AjX68aTAy5yMB2ZK7dGHex/1KzgHtIwH3EGn10
+qkAnGg8E6CaGoOFTl5KrkSrb2JVuUjRK2nJQM8UUQec
+-> ssh-ed25519 pXC0Mg pdnJb3OKYTDJ2I083v7On6MMfAm8GrgVWVtet/aJzCM
+qs5Q/xk6KFWgFzN5L+oWAw6VGiGZ1ZXRt4WZglnrdV0
+--- 2ev3nTb+Qhfg6CZnPOJcayE9mp4B1QcHmywEM4al+R0
+PSܮR; z_b25ωEp5 Wp \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..69c15f3
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,12 @@
+let
+ fcuny =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ users = [ fcuny ];
+
+ vm-aarch64 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvVTAPXBOynTeMXvti6Xt9luCJAHaHZBb6aGs0SDoO";
+ vm-synology =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf5gXGbOjaoqdpCDnHjBMhikuM0smLKhUo7J83+by+K";
+ systems = [ vm-aarch64 vm-synology ];
+in
+{ "restic-backups.age".publicKeys = [ fcuny vm-synology ]; }
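Review bot: The `vm-aarch64` key appears to be one base64 character shorter than the `fcuny` and `vm-synology` keys (67 characters after `ssh-ed25519 ` against 68), which suggests a truncated paste; please check it against the host's `/etc/ssh/ssh_host_ed25519_key.pub`. It is not yet a recipient of any secret, so nothing fails today, but re-encrypting to it later would either error or produce a file that host cannot decrypt. The `users` and `systems` lists are defined but never used; either build `publicKeys` from them or drop them, and add a comment such as `# recipients: admin key + the host that runs the restic job` so the choice of `[ fcuny vm-synology ]` is documented. Since this commit also removes `/secrets/` from .gitignore, any plaintext file placed in that directory can now be staged, so a pre-commit check that only `*.age` and `secrets.nix` are tracked there would be a useful guard.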