authorandromeda <andromeda@lenovo>2025-12-30 17:45:01 +0100
committerandromeda <andromeda@lenovo>2025-12-30 17:45:01 +0100
commit0468cf2621e8ef812f774bbf2eed396b4c0d4602 (patch)
treeb6657b5225c1dfc73a38dd29b258bccbba0467ec
parente39747ae2e9f4032b234f1f8d9a399b240f66539 (diff)
use agenix
-rw-r--r--flake.nix1
-rw-r--r--machines/173-249-5-230/configuration.nix9
-rw-r--r--machines/laptop/configuration.nix11
-rw-r--r--machines/laptop/hardware-configuration.nix8
-rw-r--r--secrets/secret0.agebin0 -> 396 bytes
-rw-r--r--secrets/secret1.agebin0 -> 396 bytes
-rw-r--r--secrets/secrets.nix7
7 files changed, 31 insertions, 5 deletions
diff --git a/flake.nix b/flake.nix
index 69b6cff..d8682d5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,7 @@
};
configurationWithHomeManager = machine: (configuration machine
[
+ agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
nixpkgs.overlays = [
diff --git a/machines/173-249-5-230/configuration.nix b/machines/173-249-5-230/configuration.nix
index b8b403e..853a5db 100644
--- a/machines/173-249-5-230/configuration.nix
+++ b/machines/173-249-5-230/configuration.nix
@@ -1,4 +1,9 @@
-{machine, ...}: {
+{
+ config,
+ machine,
+ ...
+}: {
+ age.secrets.secret1.file = ../../secrets/secret1.age;
boot.tmp.cleanOnBoot = true;
boot.loader.grub.devices = ["nodev"];
environment.persistence."/nix/persist" = {
@@ -66,7 +71,7 @@
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
- initialPassword = "password";
+ passwordFile = builtins.toString config.age.secrets.secret1.path;
extraGroups = ["wheel"];
openssh.authorizedKeys.keys = machine.pub-keys.ssh;
};
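Review bot: The replacement line uses `passwordFile`, while the equivalent edits in machines/laptop/configuration.nix (the two users.users hunks there) use `hashedPasswordFile`; `passwordFile` is the pre-rename name of that option and, where the alias is still accepted, evaluates with a rename warning rather than silently, so the two machines should agree on `hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;`. Either way the file referenced must already contain a password hash, not a plaintext password, since the option is consumed as-is by the users activation step. The `builtins.toString` wrapper looks redundant if `.path` already evaluates to a string, though that is not visible here. The enclosing users.users."mtgmonkey" attribute set closes inside the hunk but the surrounding module continues past it.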
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
index 1b07935..58b019e 100644
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
@@ -1,8 +1,13 @@
{
+ config,
lib,
machine,
...
}: {
+ age.secrets = {
+ secret0.file = ../../secrets/secret0.age;
+ secret1.file = ../../secrets/secret1.age;
+ };
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
@@ -16,6 +21,7 @@
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
+ "/etc/ssh"
];
files = [
"/etc/machine-id"
@@ -82,6 +88,7 @@
ly.enable = true;
};
libinput.enable = true;
+ openssh.enable = true;
printing.enable = true;
};
system.stateVersion = "26.05";
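Review bot: `openssh.enable = true;` is added without any hardening under `services.openssh.settings`, and this hunk does not show whether the laptop users get `openssh.authorizedKeys` the way the 173-249-5-230 host does. Now that both laptop accounts are given password hashes, the NixOS defaults leave password logins to sshd enabled, so unless it is set elsewhere in the file I would pair the line with `openssh.settings.PasswordAuthentication = false;` and `openssh.settings.KbdInteractiveAuthentication = false;`, authenticating with keys only. If sshd is only wanted so that the host key exists for agenix, a comment saying so, e.g. `# sshd host key doubles as the agenix identity`, would make the dependency on the persisted /etc/ssh directory explicit.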
@@ -89,7 +96,7 @@
users.users."andromeda" = {
isNormalUser = true;
description = "andromeda";
- initialPassword = "password";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
extraGroups = [
"networkmanager"
"wheel"
@@ -98,7 +105,7 @@
users.users."mtgmonkey" = {
isNormalUser = true;
description = "mtgmonkey";
- initialPassword = "password";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
extraGroups = [
"networkmanager"
"wheel"
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
index bde1c83..8ebef80 100644
--- a/machines/laptop/hardware-configuration.nix
+++ b/machines/laptop/hardware-configuration.nix
@@ -21,7 +21,7 @@
#device = "none";
#fsType = "tmpfs";
#options = ["defaults" "size=60%" "mode=755"];
- device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
+ device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
fsType = "btrfs";
options = ["subvol=root"];
};
@@ -48,6 +48,12 @@
done
btrfs subvolume create /btrfs_tmp/root
+ mkdir /btrfs_tmp/root/nix
+ mkdir /btrfs_tmp/root/etc
+ mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
+ cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
+ umount /btrfs_tmp/root/nix
+ rm -r /btrfs_tmp/root/nix
umount /btrfs_tmp
'';
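Review bot: The added `cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r` does not preserve ownership or timestamps, and no line checks that the persisted directory exists, so on a first boot (before anything has been persisted) `cp` fails and the script carries on to `umount` with an empty /etc/ssh, leaving the host without the keys agenix needs to decrypt the password files; I would guard and use archive mode: `if [ -d /btrfs_tmp/root/nix/persist/etc/ssh ]; then cp -a /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh; fi`. The `mkdir` calls would be safer as `mkdir -p` so a pre-existing directory does not abort the copy. Whether this runs before the impermanence bind mount of /etc/ssh added in machines/laptop/configuration.nix is inferred from context, not visible in the hunk; the enclosing shell string and its Nix attribute start outside the hunk.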
diff --git a/secrets/secret0.age b/secrets/secret0.age
new file mode 100644
index 0000000..4fd14de
--- /dev/null
+++ b/secrets/secret0.age
Binary files differ
diff --git a/secrets/secret1.age b/secrets/secret1.age
new file mode 100644
index 0000000..3a172d3
--- /dev/null
+++ b/secrets/secret1.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..43b72b3
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
+ lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
+in {
+ "secret0.age".publicKeys = [andromeda lenovo];
+ "secret1.age".publicKeys = [andromeda lenovo];
+}
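Review bot: `"secret1.age".publicKeys = [andromeda lenovo];` lists only the two laptop identities, yet machines/173-249-5-230/configuration.nix (its first hunk) now imports secret1.age and reads its decrypted path for the mtgmonkey password, so unless that host's `age.identityPaths` is set elsewhere to a key matching one of these recipients, decryption fails there at activation and the account ends up without a usable password hash. The fix is to add the 173-249-5-230 host's SSH public key as a third `let` binding and include it in the secret1 recipient list, then re-encrypt secret1.age. A short comment per binding saying which machine and which key file each public key comes from (e.g. `# laptop root host key, /etc/ssh/ssh_host_ed25519_key.pub`) would also make the recipient set auditable later.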