From eee7d2ddcf5e404abb779b4ac6626325b43721ba Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Wed, 17 Sep 2025 23:51:27 +0200
Subject: [PATCH] Add secret management with agenix
---
 flake.lock | 113 +++++++++++++++++++++++++++++++------
 flake.nix | 14 ++++-
 hosts/srv01.hf/default.nix | 1 +
 hosts/srv01.hf/secrets.nix | 7 +++
 4 files changed, 116 insertions(+), 19 deletions(-)
 create mode 100644 hosts/srv01.hf/secrets.nix
diff --git a/flake.lock b/flake.lock
index 97db651..8a290db 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": [],
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1754433428,
+ "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "auto-cpufreq": {
 "inputs": {
 "nixpkgs": [
@@ -7,11 +30,11 @@
 ]
 },
 "locked": {
- "lastModified": 1752998173,
- "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=",
+ "lastModified": 1758056808,
+ "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=",
 "owner": "AdnanHodzic",
 "repo": "auto-cpufreq",
- "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd",
+ "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c",
 "type": "github"
 },
 "original": {
@@ -27,11 +50,11 @@
 ]
 },
 "locked": {
- "lastModified": 1753140376,
- "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+ "lastModified": 1757508292,
+ "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+ "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
 "type": "github"
 },
 "original": {
@@ -96,15 +119,36 @@
 "home-manager": {
 "inputs": {
 "nixpkgs": [
+ "agenix",
 "nixpkgs"
 ]
 },
 "locked": {
- "lastModified": 1753592768,
- "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "fc3add429f21450359369af74c2375cb34a2d204",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1757808926,
+ "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
 "type": "github"
 },
 "original": {
@@ -137,11 +181,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1754564048,
- "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
+ "lastModified": 1757943327,
+ "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
+ "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
 "type": "github"
 },
 "original": {
@@ -153,11 +197,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1754767907,
- "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=",
+ "lastModified": 1758070117,
+ "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc",
+ "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d",
 "type": "github"
 },
 "original": {
@@ -260,14 +304,32 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "auto-cpufreq": "auto-cpufreq",
 "disko": "disko",
- "home-manager": "home-manager",
+ "home-manager": "home-manager_2",
 "lazy-apps": "lazy-apps",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "proxmox-nixos": "proxmox-nixos",
- "systems": "systems_2"
+ "secrets": "secrets",
+ "systems": "systems_3"
+ }
+ },
+ "secrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1758144826,
+ "narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=",
+ "ref": "refs/heads/main",
+ "rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229",
+ "revCount": 2,
+ "type": "git",
+ "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
 }
 },
 "systems": {
@@ -286,6 +348,21 @@
 }
 },
 "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_3": {
 "locked": {
 "lastModified": 1689347949,
 "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -302,7 +379,7 @@
 },
 "utils": {
 "inputs": {
- "systems": "systems"
+ "systems": "systems_2"
 },
 "locked": {
 "lastModified": 1710146030,
diff --git a/flake.nix b/flake.nix
index a4ec7a2..fab5bf0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +32,17 @@
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ darwin.follows = "";
+ };
+ };
+ secrets = {
+ url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
+ flake = false;
+ };
 systems.url = "github:nix-systems/default-linux";
 };
 
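Review bot: The new `agenix` input overrides only `nixpkgs` and `darwin`, so agenix's own `home-manager` input stays unpinned and the lockfile now carries two home-manager nodes (an older `home-manager` under agenix and `home-manager_2` for root, visible in the flake.lock hunks above); adding `home-manager.follows = "home-manager";` next to `nixpkgs.follows` makes both resolve to the revision the flake already tracks. The `secrets` input is a private git+ssh repository with `flake = false`: fetching it (on a fresh host, or after `nix flake update`) needs SSH access to that server, and everything in that repository is copied into the world-readable Nix store, so a short comment above the input noting that it may only hold age-encrypted files would document that constraint for future edits. The enclosing `inputs` attribute set starts outside the hunk.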
@@ -34,6 +44,7 @@
 home-manager,
 auto-cpufreq,
 proxmox-nixos,
+ agenix,
 disko,
 systems,
 ...
@@ -126,6 +137,7 @@
 
 modules = [
 disko.nixosModules.disko
+ agenix.nixosModules.default
 ./hosts/srv01.hf
 ];
 };
diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix
index 63062a8..1cea677 100644
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ../../modules/disko/efi-full-btrfs.nix
+ ./secrets.nix
 ../../users/julius/nixos-server.nix
 ../../users/nixremote.nix
 
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix
new file mode 100644
index 0000000..9b8fb86
--- /dev/null
+++ b/hosts/srv01.hf/secrets.nix
@@ -0,0 +1,7 @@
+{ inputs, ... }:
+{
+ age.secrets = {
+ teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
+ teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
+ };
+}
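Review bot: Both `age.secrets.*.file` paths in the new secrets.nix point into the `secrets` flake input, and a flake input lands in the world-readable `/nix/store` on every machine that evaluates this flake, so `secrets/teleport/ca_pin` and `secrets/srv01-hf/teleport_auth_token` must be age-encrypted payloads; nothing on this page shows that (the names carry no `.age` suffix), so it is worth confirming before the first deploy and recording in a comment, e.g. `# Files under inputs.secrets are age-encrypted; agenix decrypts them to /run/agenix/<name> at activation.`. The secret name `teleport-join_token` does not match its file name `teleport_auth_token`; using one term for both avoids confusion when the teleport configuration that consumes `/run/agenix/teleport-join_token` (not part of this commit) is written. agenix's defaults leave the decrypted file root-owned with mode 0400, so if the teleport service runs as a non-root user it will additionally need `owner`/`mode` set on these entries; I cannot tell from this diff which is the case.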