JuliusFreudenberger/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add secret management with agenix

Browse source
This commit is contained in:
JuliusFreudenberger 2025-09-17 23:51:27 +02:00
parent 739b50349c
commit eee7d2ddcf
4 changed files with 116 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

113
flake.lock generated
View file

@ -1,5 +1,28 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1754433428,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"auto-cpufreq": {
"inputs": {
"nixpkgs": [
@ -7,11 +30,11 @@
]
},
"locked": {
"lastModified": 1752998173,
"narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=",
"lastModified": 1758056808,
"narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=",
"owner": "AdnanHodzic",
"repo": "auto-cpufreq",
"rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd",
"rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c",
"type": "github"
},
"original": {
@ -27,11 +50,11 @@
]
},
"locked": {
"lastModified": 1753140376,
"narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
"lastModified": 1757508292,
"narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
"owner": "nix-community",
"repo": "disko",
"rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
"rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
"type": "github"
},
"original": {
@ -96,15 +119,36 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1753592768,
"narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fc3add429f21450359369af74c2375cb34a2d204",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1757808926,
"narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
"type": "github"
},
"original": {
@ -137,11 +181,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1754564048,
"narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
"lastModified": 1757943327,
"narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
"rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
"type": "github"
},
"original": {
@ -153,11 +197,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1754767907,
"narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=",
"lastModified": 1758070117,
"narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c5f08b62ed75415439d48152c2a784e36909b1bc",
"rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d",
"type": "github"
},
"original": {
@ -260,14 +304,32 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"auto-cpufreq": "auto-cpufreq",
"disko": "disko",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"lazy-apps": "lazy-apps",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"proxmox-nixos": "proxmox-nixos",
"systems": "systems_2"
"secrets": "secrets",
"systems": "systems_3"
}
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1758144826,
"narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=",
"ref": "refs/heads/main",
"rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229",
"revCount": 2,
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
}
},
"systems": {
@ -286,6 +348,21 @@
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -302,7 +379,7 @@
},
"utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,

14
flake.nix
View file

@ -22,7 +22,17 @@
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
darwin.follows = "";
};
};
secrets = {
url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
flake = false;
};
systems.url = "github:nix-systems/default-linux";
};
@ -34,6 +44,7 @@
home-manager,
auto-cpufreq,
proxmox-nixos,
agenix,
disko,
systems,
...
@ -126,6 +137,7 @@
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/srv01.hf
];
};

1
hosts/srv01.hf/default.nix
View file

@ -4,6 +4,7 @@
imports =
[
../../modules/disko/efi-full-btrfs.nix
./secrets.nix
../../users/julius/nixos-server.nix
../../users/nixremote.nix

7
hosts/srv01.hf/secrets.nix Normal file
View file

@ -0,0 +1,7 @@
{ inputs, ... }:
{
age.secrets = {
teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
};
}