Add secret management with agenix

JuliusFreudenberger 2025-09-17 23:51:27 +02:00
parent 739b50349c
commit eee7d2ddcf
4 changed files with 116 additions and 19 deletions

flake.lock generated

@ -1,5 +1,28 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1754433428,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"auto-cpufreq": { "auto-cpufreq": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -7,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1752998173, "lastModified": 1758056808,
"narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=", "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=",
"owner": "AdnanHodzic", "owner": "AdnanHodzic",
"repo": "auto-cpufreq", "repo": "auto-cpufreq",
"rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd", "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,11 +50,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1753140376, "lastModified": 1757508292,
"narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -96,15 +119,36 @@
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"agenix",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1753592768, "lastModified": 1745494811,
"narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=", "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "fc3add429f21450359369af74c2375cb34a2d204", "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1757808926,
"narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -137,11 +181,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1754564048, "lastModified": 1757943327,
"narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -153,11 +197,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1754767907, "lastModified": 1758070117,
"narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=", "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c5f08b62ed75415439d48152c2a784e36909b1bc", "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -260,14 +304,32 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"auto-cpufreq": "auto-cpufreq", "auto-cpufreq": "auto-cpufreq",
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager_2",
"lazy-apps": "lazy-apps", "lazy-apps": "lazy-apps",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"proxmox-nixos": "proxmox-nixos", "proxmox-nixos": "proxmox-nixos",
"systems": "systems_2" "secrets": "secrets",
"systems": "systems_3"
}
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1758144826,
"narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=",
"ref": "refs/heads/main",
"rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229",
"revCount": 2,
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
} }
}, },
"systems": { "systems": {
@ -286,6 +348,21 @@
} }
}, },
"systems_2": { "systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -302,7 +379,7 @@
}, },
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,


@ -22,7 +22,17 @@
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
darwin.follows = "";
};
};
secrets = {
url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
flake = false;
};
systems.url = "github:nix-systems/default-linux"; systems.url = "github:nix-systems/default-linux";
}; };
@ -34,6 +44,7 @@
home-manager, home-manager,
auto-cpufreq, auto-cpufreq,
proxmox-nixos, proxmox-nixos,
agenix,
disko, disko,
systems, systems,
... ...
@ -126,6 +137,7 @@
modules = [ modules = [
disko.nixosModules.disko disko.nixosModules.disko
agenix.nixosModules.default
./hosts/srv01.hf ./hosts/srv01.hf
]; ];
}; };
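Review bot: The new `agenix` input in the first hunk overrides only `nixpkgs` and `darwin`, so agenix's own `home-manager` and `systems` inputs are still fetched independently; the lockfile in this same commit therefore gains a second, older `home-manager` node (lastModified 1745494811) alongside the one the root flake uses. Adding `home-manager.follows = "home-manager";` next to `nixpkgs.follows` in the agenix `inputs` block keeps one home-manager in the lock and avoids evaluating two copies. The `secrets` input is fetched over `git+ssh`, so any host or CI job that has to re-fetch it (not just read it from the store) needs an SSH identity with read access to that private repository; since flake.lock pins it by `rev`, builds from the lock remain reproducible. The `outputs` function touched by the second and third hunks begins before and ends after the visible lines.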


@ -4,6 +4,7 @@
imports = imports =
[ [
../../modules/disko/efi-full-btrfs.nix ../../modules/disko/efi-full-btrfs.nix
./secrets.nix
../../users/julius/nixos-server.nix ../../users/julius/nixos-server.nix
../../users/nixremote.nix ../../users/nixremote.nix


@ -0,0 +1,7 @@
{ inputs, ... }:
{
age.secrets = {
teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
};
}
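Review bot: `${inputs.secrets}` on both `file` lines copies the entire private input into the Nix store, which is world-readable on the host, so the repository behind the `secrets` input must hold only age-encrypted payloads (plus agenix's recipient list); any plaintext committed there would become readable by every local account on srv01. agenix decrypts these at activation under `/run/agenix` with owner root and mode 0400 by default, so if the teleport process that consumes the CA pin and join token does not run as root, set `owner`, `group` or `mode` on each secret to match the reading account (e.g. `teleport-join_token = { file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; mode = "0440"; group = "<teleport-group>"; };`, placeholder group). As a point of style, the names `teleport-ca_pin` and `teleport-join_token` mix hyphen and underscore; since the name also becomes the filename under `/run/agenix`, a single convention (e.g. `teleport-ca-pin`, `teleport-join-token`) reads more cleanly.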