feat(agenix-rekey)!: first try

Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them
2023-12-25 15:17:30 +02:00 · 2023-12-25 15:17:30 +02:00 · 8feb5245ea
commit 8feb5245ea
parent 9eb47f44b9
16 changed files with 138 additions and 109 deletions
--- a/machines/nixos/x86_64-linux/jeeves/configuration.nix
+++ b/machines/nixos/x86_64-linux/jeeves/configuration.nix
@ -3,14 +3,23 @@
  imports = [
    inputs.hardware.nixosModules.common-cpu-amd
    inputs.hardware.nixosModules.common-gpu-amd
-    (import ./disko.nix { inherit inputs outputs; })
+    ./disko.nix
    inputs.agenix.nixosModules.default
+    # FIXME: agenix-rekey
+    inputs.agenix-rekey.nixosModules.default
    ./network.nix
    ./wireguard.nix
    ./jellyfin.nix
    ./mindustry.nix
  ];

+  # FIXME: agenix-rekey
+  age.rekey = {
+    hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
+    masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];
+    # forceRekeyOnSystem = "aarch64-darwin";
+  };
+
  nixpkgs = {
    hostPlatform = "x86_64-linux";
    config = {
@ -61,7 +70,15 @@
  ];

  # NOTE: made with `mkpasswd -m sha-516`
-  age.secrets."jeeves_password".file = ../../../../secrets/home/jeeves_password.age;
+  age.secrets."jeeves.user.password" = {
+    # file = ../../../../secrets/home/jeeves/user/password.age;
+    # file = "${inputs.self}/secrets/home/jeeves/user/password.age";
+    # FIXME: agenix-rekey
+    rekeyFile = "${inputs.self}/secrets/home/jeeves/user/password.age";
+    # generator = {pkgs, ...}: ''
+    #   ${pkgs.mkpasswd}/bin/mkpasswd -m sha-516
+    # '';
+  };

  users = {
    mutableUsers = true;
@ -69,7 +86,7 @@
      jeeves = {
        isNormalUser = true;
        shell = pkgs.zsh;
-        hashedPasswordFile = config.age.secrets."jeeves_password".path;
+        hashedPasswordFile = config.age.secrets."jeeves.user.password".path;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)"
        ];
@ -98,19 +115,26 @@
  #   ];
  # };

-  security.sudo.extraRules= [
-    {
-      users = [
-        "jeeves"
-      ];
-      commands = [
+  # security.sudo-rs = {
+  #   enable = !config.security.sudo.enable;
+  #   inherit (config.security.sudo) extraRules;
+  # };
+  security.sudo = {
+    enable = true;
+    extraRules= [
+      {
+        users = [
+          "jeeves"
+        ];
+        commands = [
        {
          command = "ALL" ;
          options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
        }
-      ];
-    }
-  ];
+        ];
+      }
+    ];
+  };

  services.openssh = {
    enable = true;
--- a/machines/nixos/x86_64-linux/jeeves/disko.nix
+++ b/machines/nixos/x86_64-linux/jeeves/disko.nix
@ -1,5 +1,4 @@
-{ inputs, outputs, ... }:
-{ lib, pkgs, config, ... }:
+{ inputs, outputs, lib, pkgs, config, ... }:
 {
  imports = [
    inputs.disko.nixosModules.disko
--- a/machines/nixos/x86_64-linux/jeeves/network.nix
+++ b/machines/nixos/x86_64-linux/jeeves/network.nix
@ -1,12 +1,17 @@
-{ lib, pkgs, config, ... }:
+{ inputs, outputs, lib, pkgs, config, ... }:
 {
  environment.systemPackages = with pkgs; [
  ];

-  age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
+  age.secrets."home.wifi.env" = {
+    # file = ../../../../secrets/home/wifi/env.age;
+    # file = "${inputs.self}/secrets/home/wifi/env.age";
+    # FIXME: agenix-rekey
+    rekeyFile = "${inputs.self}/secrets/home/wifi/env.age";
+  };
  networking.wireless = {
    iwd.enable = true;
-    environmentFile = config.age.secrets."home/wifi.env".path;
+    environmentFile = config.age.secrets."home.wifi.env".path;
    networks = {
      home = {
        ssid = "@HOME_WIFI_SSID@";
--- a/machines/nixos/x86_64-linux/jeeves/wireguard.nix
+++ b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ inputs, outputs, lib, pkgs, config, ... }:
 {
  environment.systemPackages = with pkgs; [
    wireguard-tools
@ -10,12 +10,17 @@
  # wg pubkey < private > public

  # Server
-  age.secrets."wireguard/server.private" = {
-    file = ../../../../secrets/home/wireguard/server.private.age;
+  age.secrets."wireguard.private" = {
+    # file = ../../../../secrets/home/jeeves/wireguard/private.age;
+    # file = "${inputs.self}/secrets/home/jeeves/wireguard/private.age";
    mode = "077";
-  };
-  age.secrets."wireguard/server.public" = {
-    file = ../../../../secrets/home/wireguard/server.public.age;
+    # FIXME: agenix-rekey
+    rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/private.age";
+    # generator = {lib, pkgs, file, ...}: ''
+    #   priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
+    #   ${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
+    #   echo "$priv"
+    # '';
  };

  networking.firewall.allowedUDPPorts = [51820];
@ -28,7 +33,7 @@
          MTUBytes = "1300";
        };
        wireguardConfig = {
-          PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
+          PrivateKeyFile = config.age.secrets."wireguard.private".path;
          ListenPort = 51820;
        };
        wireguardPeers = [