use agenix

2021-06-14 22:48:23 -04:00 · 2021-06-14 22:48:23 -04:00 · b0ae5e394f
commit b0ae5e394f
parent 3a91b44d85
5 changed files with 36 additions and 6 deletions
--- a/common/common.nix
+++ b/common/common.nix
@ -40,12 +40,7 @@
  users.users.googlebot = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
-    ];
+    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
  };
 }
--- a/flake.nix
+++ b/flake.nix
@ -2,6 +2,7 @@
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
+    agenix.url = "github:ryantm/agenix";
  };

  outputs = inputs: {
@ -14,6 +15,10 @@
          modules = [
            path
            inputs.simple-nixos-mailserver.nixosModule
+            inputs.agenix.nixosModules.age
+            {
+              environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
+            }
          ];
          specialArgs = { inherit inputs; };
        };
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@ -31,7 +31,9 @@
  };

  services.searx.enable = true;
+  services.searx.environmentFile = "/run/secrets/searx";
  services.searx.settings.server.port = 8080;
+  services.searx.settings.server.secret_key = "@SEARX_SECRET_KEY@";
  services.nginx.virtualHosts."search.neet.space" = {
    enableACME = true;
    forceSSL = true;
@ -39,6 +41,7 @@
      proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
    };
  };
+  age.secrets.searx.file = ../../secrets/searx.age;

  security.acme.acceptTerms = true;
  security.acme.email = "zuckerberg@neet.dev";
--- a/secrets/searx.age
+++ b/secrets/searx.age
@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> ssh-ed25519 G2eSCQ Z0lX5ZlHIpggimOiFj1+ZVgOP37LFr/w94cCtqWFZT8
+7rzvrJSdK+dUAsswTjVq0wkCiL2XQaryycun3ux0W9w
+-> ssh-ed25519 2a2Yhw g5nEPzN5X0Vr+vauzUe5jg6H50ONh8NVjD93AG/2+i0
+6qUsQzDKLtU5gp3ve1iF8tKuB4Rx+K0+HZQy9ks2iwI
+-> ssh-ed25519 N240Tg JIzitiQPOTthl6QbborOGU3n9RqIjul39BFYOfB8diY
+4NOqzWpUwF9j0JzYaJn7Uqa3Crl6QLr48hCaBnOsGPQ
+-> ssh-ed25519 mbw8xA zjorFxrWa3TSj99VRfBrGkiLrcBzof+5jKrwhf5fDyU
+tcRZMBobPQ5/PeDKTllFaJMEV26Gc88s9XkrLkWe7PQ
+-> ssh-ed25519 xoAm7w 9sZy5pPgQ1ooFMcuiybut220iYgZFKV8HfVcSjo+2hU
+6vKyFN5ujm25ihAGtwYwY6oQLzu4/ETHb+DStIJr55E
+-> Hyy_H$H-grease 96O> WKPyA0k.
+IKjwegCjx6684Vp2IY1rShLipM16jQspX9cUtWz/7JGMoOdlVaYmzfu5VfdDiO32
+Oc/d3FWCEGLBEYu6m2oOLMuCGf8lljSigmbl8/3odwQQGo4F1ECYEkIxzf5xQW9m
+6w
+--- R3auwtnTaQRkfqoZBVitJInFrpdhIDMSKCcSoS2qNqo
+„<EFBFBD>}áê•zÀ<î(¥Q‚²uÜ¤VëÉb&áƒƒ4w/£ªY§mßa¯EÍpã²l©-7¸/,TNªÿß2ÄD÷îûcìÿ“saTBi=àÆ3ÌÞsâv™q¥+…Ðèöæ`Â|
+jG¶^
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,9 @@
+let
+  keys = import ../common/ssh.nix;
+  systems = keys.systems;
+  users = keys.users;
+  all = users ++ systems;
+in
+{
+  "searx.age".publicKeys = all;
+}