-rw-r--r-- | default.nix | 5 | ||||
-rw-r--r-- | lib/asecret.nix | 29 | ||||
-rw-r--r-- | lib/default.nix | 1 | ||||
-rw-r--r-- | lib/machines.nix | 6 | ||||
-rw-r--r-- | npins/sources.json | 13 | ||||
-rw-r--r-- | secrets/.gpg-id | 1 | ||||
-rw-r--r-- | secrets/rootPassword.gpg | bin | 0 -> 652 bytes |
7 files changed, 49 insertions, 6 deletions
diff --git a/default.nix b/default.nix
index 5841e24..ba860b9 100644
--- a/default.nix
+++ b/default.nix
@@ -4,16 +4,17 @@ with (import ./lib { inherit sources pkgs; }); eval { machines.bob.imports = [
- ({ self, config, ... }: {
+ ({ config, pkgs, self, ... }: {
 imports = [ "${sources.nixpkgs}/nixos/modules/testing/hardcodedSecret.nix" ./modules/userSecret.nix
+ self.config.outputs.nixosModules.asecret
 ]; networking.hostName = "bob"; testing.hardcodedSecret.rootPassword = { secret.consumer = config.users.users.root.passwordSecret;
- content = "nixos";
+ content = pkgs.asecret-lib.hashedPassword "rootPassword";
 }; users.users.root.passwordSecret.provider =
diff --git a/lib/asecret.nix b/lib/asecret.nix
new file mode 100644
index 0000000..3688612
--- /dev/null
+++ b/lib/asecret.nix
@@ -0,0 +1,29 @@
+{ lib
+, pkgs
+, sources
+, ...
+}:
+{
+ overlays = [
+ (import "${sources.asecret}/pkgs")
+ ];
+ devShell = {
+ packages = [
+ pkgs.asecret
+ pkgs.nixVersions.nix_2_24 # nix-plugins' `buildInputs'
+ ];
+ shellHook = ''
+ PASSWORD_STORE_DIR=${toString ../.}/secrets; export PASSWORD_STORE_DIR
+
+ NIX_CONFIG='
+ plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+ extra-builtins-file = ${sources.asecret}/extra-builtins.nix
+ '; export NIX_CONFIG
+ '';
+ };
+ nixosModules.asecret = {
+ nixpkgs.overlays = [
+ (_: super: { asecret-lib = import "${sources.asecret}/lib" { inherit lib; }; })
+ ];
+ };
+}
diff --git a/lib/default.nix b/lib/default.nix
index bb8f63a..53f736e 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -12,6 +12,7 @@ in lib.evalModules { modules = [ config
+ ./asecret.nix
 ./devShell.nix ./machines.nix ./nixosModules.nix
diff --git a/lib/machines.nix b/lib/machines.nix
index d652fcf..675326d 100644
--- a/lib/machines.nix
+++ b/lib/machines.nix 
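Review bot: `content = pkgs.asecret-lib.hashedPassword "rootPassword";` is computed at evaluation time and handed to `testing.hardcodedSecret.rootPassword`, so the resulting hash ends up inside the system closure and is world-readable in the Nix store of every host that has that closure, which is exactly what the imported module's name (`hardcodedSecret`) warns about. That is fine for the `bob` test machine, but the line itself gives no hint, and the pattern is easy to copy to a real host; a comment such as `# eval-time hash from the password store; the hash (not the plaintext) is baked into the closure via hardcodedSecret` would make the trade-off explicit. The call also presumably depends on the asecret extra builtins and `PASSWORD_STORE_DIR` that only the dev shell in lib/asecret.nix sets up, so evaluation outside that shell likely fails with an unrelated-looking error — worth stating in the same comment. The module body continues past the end of the hunk.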
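Review bot: The `shellHook` in lib/asecret.nix assigns `NIX_CONFIG` outright, so any value the developer already had in that variable (substituters, access tokens, experimental-features) is silently discarded on shell entry; opening the assignment with `NIX_CONFIG="''${NIX_CONFIG:-}` (the `''$` escapes Nix's own interpolation), keeping the two settings lines, and closing with `"; export NIX_CONFIG` preserves it. The hook also enables `extra-builtins-file` for every evaluation run from the shell, which is what grants `hashedPassword` evaluation-time access to `secrets/` through `PASSWORD_STORE_DIR`; a comment above `shellHook` saying that this shell intentionally widens evaluation to read the password store would make that scope clear to the next reader. Finally, `pkgs.nixVersions.nix_2_24 # nix-plugins' `buildInputs'` pins a Nix version without saying why it matters: spell out that the `nix` on the shell's PATH must be the version `pkgs.nix-plugins` was built against, otherwise the plugin in `plugin-files` cannot be loaded, so the two must be bumped together.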
@@ -10,16 +10,14 @@ let config { documentation.enable = false;
+ boot.loader.grub.device = "nodev";
 fileSystems."/".device = "tmpfs";
- nixpkgs.localSystem = {
- system = "x86_64-linux";
- };
+ nixpkgs.localSystem.system = "x86_64-linux";
 } ]; specialArgs = { inherit
- pkgs
 self sources ;
diff --git a/npins/sources.json b/npins/sources.json
index f90c6a9..da42a1c 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -1,5 +1,18 @@ { "pins": {
+ "asecret": {
+ "type": "Git",
+ "repository": {
+ "type": "GitHub",
+ "owner": "aforemny",
+ "repo": "asecret"
+ },
+ "branch": "main",
+ "submodules": false,
+ "revision": "d56990e50ec64be7912b0e31516514c0d34a3b17",
+ "url": "https://github.com/aforemny/asecret/archive/d56990e50ec64be7912b0e31516514c0d34a3b17.tar.gz",
+ "hash": "1an7xd5sh01gjzlk6fwwk4zq8xgkssgfmjyn74izxmfyk76nfd39"
+ },
 "nixpkgs": { "type": "Git", "repository": {
diff --git a/secrets/.gpg-id b/secrets/.gpg-id
new file mode 100644
index 0000000..5efd92d
--- /dev/null
+++ b/secrets/.gpg-id
@@ -0,0 +1 @@
+Password Storage Key
diff --git a/secrets/rootPassword.gpg b/secrets/rootPassword.gpg
Binary files differnew file mode 100644
index 0000000..88e8525
--- /dev/null
+++ b/secrets/rootPassword.gpg |
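Review bot: Removing `pkgs` from `specialArgs` in lib/machines.nix silently changes where every module's `pkgs` argument comes from; presumably the intent is that modules now receive the module-system `pkgs`, so the `nixpkgs.overlays` entry added by `nixosModules.asecret` (and hence `pkgs.asecret-lib` used in default.nix) becomes visible instead of being shadowed by a `specialArgs` value — but nothing in the hunk says so, and a later cleanup could easily put `pkgs` back. A comment on the `inherit` line, `# pkgs deliberately not passed via specialArgs: modules must see nixpkgs.overlays (asecret-lib)`, pins that down. `boot.loader.grub.device = "nodev";` is likewise added without a reason; a short why-comment would help. The enclosing `let`/attribute set starts before and continues after the hunk.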
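Review bot: `secrets/.gpg-id` identifies the recipient by user ID, `Password Storage Key`, rather than by key fingerprint, so the password store (`PASSWORD_STORE_DIR` is pointed at this directory by the dev shell) is bound to a name, not a key: recipient resolution then depends on which key in each contributor's local keyring carries that UID, and two contributors can end up encrypting to different keys without noticing. Use the full 40-hex-digit fingerprint instead (`<FINGERPRINT-PLACEHOLDER>`), and if the key is meant to be shared, commit its public key to the repository so the identity is pinned alongside the `rootPassword.gpg` it protects.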