olaf/nixos-config_to_rule_them_all
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Removed agenix secret management

Browse Source
This commit is contained in:
Olaf 2025-05-18 09:29:56 +02:00
parent f8df758e3c
commit 8467795708
7 changed files with 15 additions and 219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -2,4 +2,6 @@ README.md~
.DS_Store .DS_Store
result result
dump.txt dump.txt
*~ flake.lock
*~

5
README.md
View File

@ -5,9 +5,8 @@ Started with a configuration generated from [this nixos config template](https:/
Installed nix with `--nix-build-group-id 30000` Installed nix with `--nix-build-group-id 30000`
Created the full verion with secret-management: Initialy created 'with secrets' but stripped out the git/agenix in favor of sops
``` ```
mkdir -p nixos-config && cd nixos-config && nix flake --extra-experimental-features 'nix-command flakes' init -t github:dustinlyons/nixos-config#starter-with-secrets mkdir -p nixos-config && cd nixos-config && nix flake --extra-experimental-features 'nix-command flakes' init -t github:dustinlyons/nixos-config#starter-with-secrets
```
```

84
apps/aarch64-darwin/apply
View File

@ -1,5 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
VERSION=1.0
# Color codes
RED='\033[0;31m' RED='\033[0;31m'
GREEN='\033[0;32m' GREEN='\033[0;32m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
@ -32,69 +35,6 @@ _prompt() {
read -r $variable read -r $variable
} }
insert_secrets_output() {
local pattern="outputs = { self, darwin, nix-homebrew, homebrew-bundle, homebrew-core, homebrew-cask, home-manager, nixpkgs, disko, agenix } @inputs:"
local insert_text="secrets "
awk -v pat="$pattern" -v insert="$insert_text" '
$0 ~ pat {
sub(/} @inputs:/, ", " insert "} @inputs:"); # Replace the closing brace with the insert text followed by the brace
gsub(/ ,/, ","); # Correct any spaces before commas
print
next
}
{ print }
' flake.nix > flake.nix.tmp
mv flake.nix.tmp flake.nix
}
insert_secrets_input() {
# Define file path
FILE_PATH="flake.nix"
# Backup the original file
cp "$FILE_PATH" "${FILE_PATH}.bak"
# Temporary file for the text to insert
TEMP_FILE="temp_insert.txt"
# Write the formatted text to the temporary file
cat > "$TEMP_FILE" << 'EOF'
secrets = {
url = "git+ssh://git@github.com/%GITHUB_USER%/%GITHUB_SECRETS_REPO%.git";
flake = false;
};
EOF
# Check if the 'secrets' block already exists
if grep -q 'url = "git+ssh://git@github.com/%GITHUB_USER%/%GITHUB_SECRETS_REPO%.git"' "$FILE_PATH"; then
echo "The 'secrets' block already exists in the file."
rm "$TEMP_FILE"
rm "${FILE_PATH}.bak"
exit 0
fi
# Find the start and end line numbers of the 'disko' block
START_LINE=$(grep -n 'disko = {' "$FILE_PATH" | head -n 1 | cut -d: -f1)
END_LINE=$(tail -n +$START_LINE "$FILE_PATH" | grep -n '};' | head -n 1 | cut -d: -f1)
END_LINE=$((START_LINE + END_LINE - 1))
# Create a new file with the insertion
{
sed -n "1,${END_LINE}p" "$FILE_PATH"
cat "$TEMP_FILE"
sed -n "$((END_LINE + 1)),\$p" "$FILE_PATH"
} > "${FILE_PATH}.new"
# Replace the original file with the new file
mv "${FILE_PATH}.new" "$FILE_PATH"
# Clean up the temporary files
rm "$TEMP_FILE"
rm "${FILE_PATH}.bak"
}
ask_for_star() { ask_for_star() {
_print "${YELLOW}Would you like to support my work by starring my GitHub repo? yes/no [yes]: ${NC}" _print "${YELLOW}Would you like to support my work by starring my GitHub repo? yes/no [yes]: ${NC}"
local response local response
@ -138,12 +78,6 @@ if [[ -z "$GIT_NAME" ]]; then
_prompt "${YELLOW}Please enter your name: ${NC}" GIT_NAME _prompt "${YELLOW}Please enter your name: ${NC}" GIT_NAME
fi fi
_prompt "${YELLOW}Please enter your Github username: ${NC}" GITHUB_USER
_prompt "${YELLOW}Please enter your Github secrets repository name: ${NC}" GITHUB_SECRETS_REPO
export GITHUB_USER
export GITHUB_SECRETS_REPO
select_boot_disk() { select_boot_disk() {
local disks local disks
local _boot_disk local _boot_disk
@ -174,7 +108,6 @@ if [[ "$OS" != "Darwin" ]]; then
select_boot_disk select_boot_disk
fi fi
# Confirmation step
confirm_details() { confirm_details() {
_print "${GREEN}Username: $USERNAME" _print "${GREEN}Username: $USERNAME"
_print "Email: $GIT_EMAIL" _print "Email: $GIT_EMAIL"
@ -186,8 +119,6 @@ confirm_details() {
_print "Hostname: $HOST_NAME${NC}" _print "Hostname: $HOST_NAME${NC}"
fi fi
_print "${GREEN}Secrets repository: $GITHUB_USER/$GITHUB_SECRETS_REPO${NC}"
_prompt "${YELLOW}Is this correct? yes/no: ${NC}" choice _prompt "${YELLOW}Is this correct? yes/no: ${NC}" choice
case "$choice" in case "$choice" in
@ -205,7 +136,6 @@ confirm_details() {
esac esac
} }
# Call the confirmation function
confirm_details confirm_details
# Function to replace tokens in each file # Function to replace tokens in each file
@ -217,8 +147,6 @@ replace_tokens() {
LC_ALL=C LANG=C sed -i '' -e "s/%USER%/$USERNAME/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%USER%/$USERNAME/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%EMAIL%/$GIT_EMAIL/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%EMAIL%/$GIT_EMAIL/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%NAME%/$GIT_NAME/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%NAME%/$GIT_NAME/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%GITHUB_USER%/$GITHUB_USER/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%GITHUB_SECRETS_REPO%/$GITHUB_SECRETS_REPO/g" "$file"
else else
# Linux or other # Linux or other
sed -i -e "s/%USER%/$USERNAME/g" "$file" sed -i -e "s/%USER%/$USERNAME/g" "$file"
@ -227,16 +155,10 @@ replace_tokens() {
sed -i -e "s/%INTERFACE%/$PRIMARY_IFACE/g" "$file" sed -i -e "s/%INTERFACE%/$PRIMARY_IFACE/g" "$file"
sed -i -e "s/%DISK%/$BOOT_DISK/g" "$file" sed -i -e "s/%DISK%/$BOOT_DISK/g" "$file"
sed -i -e "s/%HOST%/$HOST_NAME/g" "$file" sed -i -e "s/%HOST%/$HOST_NAME/g" "$file"
sed -i -e "s/%GITHUB_USER%/$GITHUB_USER/g" "$file"
sed -i -e "s/%GITHUB_SECRETS_REPO%/$GITHUB_SECRETS_REPO/g" "$file"
fi fi
fi fi
} }
# Insert secrets repo into flake
insert_secrets_input
insert_secrets_output
# Traverse directories and call replace_tokens on each Nix file # Traverse directories and call replace_tokens on each Nix file
export -f replace_tokens export -f replace_tokens
find . -type f -exec bash -c 'replace_tokens "$0"' {} \; find . -type f -exec bash -c 'replace_tokens "$0"' {} \;

84
apps/x86_64-darwin/apply
View File

@ -1,5 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
VERSION=1.0
# Color codes
RED='\033[0;31m' RED='\033[0;31m'
GREEN='\033[0;32m' GREEN='\033[0;32m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
@ -32,69 +35,6 @@ _prompt() {
read -r $variable read -r $variable
} }
insert_secrets_output() {
local pattern="outputs = { self, darwin, nix-homebrew, homebrew-bundle, homebrew-core, homebrew-cask, home-manager, nixpkgs, disko, agenix } @inputs:"
local insert_text="secrets "
awk -v pat="$pattern" -v insert="$insert_text" '
$0 ~ pat {
sub(/} @inputs:/, ", " insert "} @inputs:"); # Replace the closing brace with the insert text followed by the brace
gsub(/ ,/, ","); # Correct any spaces before commas
print
next
}
{ print }
' flake.nix > flake.nix.tmp
mv flake.nix.tmp flake.nix
}
insert_secrets_input() {
# Define file path
FILE_PATH="flake.nix"
# Backup the original file
cp "$FILE_PATH" "${FILE_PATH}.bak"
# Temporary file for the text to insert
TEMP_FILE="temp_insert.txt"
# Write the formatted text to the temporary file
cat > "$TEMP_FILE" << 'EOF'
secrets = {
url = "git+ssh://git@github.com/%GITHUB_USER%/%GITHUB_SECRETS_REPO%.git";
flake = false;
};
EOF
# Check if the 'secrets' block already exists
if grep -q 'url = "git+ssh://git@github.com/%GITHUB_USER%/%GITHUB_SECRETS_REPO%.git"' "$FILE_PATH"; then
echo "The 'secrets' block already exists in the file."
rm "$TEMP_FILE"
rm "${FILE_PATH}.bak"
exit 0
fi
# Find the start and end line numbers of the 'disko' block
START_LINE=$(grep -n 'disko = {' "$FILE_PATH" | head -n 1 | cut -d: -f1)
END_LINE=$(tail -n +$START_LINE "$FILE_PATH" | grep -n '};' | head -n 1 | cut -d: -f1)
END_LINE=$((START_LINE + END_LINE - 1))
# Create a new file with the insertion
{
sed -n "1,${END_LINE}p" "$FILE_PATH"
cat "$TEMP_FILE"
sed -n "$((END_LINE + 1)),\$p" "$FILE_PATH"
} > "${FILE_PATH}.new"
# Replace the original file with the new file
mv "${FILE_PATH}.new" "$FILE_PATH"
# Clean up the temporary files
rm "$TEMP_FILE"
rm "${FILE_PATH}.bak"
}
ask_for_star() { ask_for_star() {
_print "${YELLOW}Would you like to support my work by starring my GitHub repo? yes/no [yes]: ${NC}" _print "${YELLOW}Would you like to support my work by starring my GitHub repo? yes/no [yes]: ${NC}"
local response local response
@ -138,12 +78,6 @@ if [[ -z "$GIT_NAME" ]]; then
_prompt "${YELLOW}Please enter your name: ${NC}" GIT_NAME _prompt "${YELLOW}Please enter your name: ${NC}" GIT_NAME
fi fi
_prompt "${YELLOW}Please enter your Github username: ${NC}" GITHUB_USER
_prompt "${YELLOW}Please enter your Github secrets repository name: ${NC}" GITHUB_SECRETS_REPO
export GITHUB_USER
export GITHUB_SECRETS_REPO
select_boot_disk() { select_boot_disk() {
local disks local disks
local _boot_disk local _boot_disk
@ -174,7 +108,6 @@ if [[ "$OS" != "Darwin" ]]; then
select_boot_disk select_boot_disk
fi fi
# Confirmation step
confirm_details() { confirm_details() {
_print "${GREEN}Username: $USERNAME" _print "${GREEN}Username: $USERNAME"
_print "Email: $GIT_EMAIL" _print "Email: $GIT_EMAIL"
@ -186,8 +119,6 @@ confirm_details() {
_print "Hostname: $HOST_NAME${NC}" _print "Hostname: $HOST_NAME${NC}"
fi fi
_print "${GREEN}Secrets repository: $GITHUB_USER/$GITHUB_SECRETS_REPO${NC}"
_prompt "${YELLOW}Is this correct? yes/no: ${NC}" choice _prompt "${YELLOW}Is this correct? yes/no: ${NC}" choice
case "$choice" in case "$choice" in
@ -205,7 +136,6 @@ confirm_details() {
esac esac
} }
# Call the confirmation function
confirm_details confirm_details
# Function to replace tokens in each file # Function to replace tokens in each file
@ -217,8 +147,6 @@ replace_tokens() {
LC_ALL=C LANG=C sed -i '' -e "s/%USER%/$USERNAME/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%USER%/$USERNAME/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%EMAIL%/$GIT_EMAIL/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%EMAIL%/$GIT_EMAIL/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%NAME%/$GIT_NAME/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%NAME%/$GIT_NAME/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%GITHUB_USER%/$GITHUB_USER/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%GITHUB_SECRETS_REPO%/$GITHUB_SECRETS_REPO/g" "$file"
else else
# Linux or other # Linux or other
sed -i -e "s/%USER%/$USERNAME/g" "$file" sed -i -e "s/%USER%/$USERNAME/g" "$file"
@ -227,16 +155,10 @@ replace_tokens() {
sed -i -e "s/%INTERFACE%/$PRIMARY_IFACE/g" "$file" sed -i -e "s/%INTERFACE%/$PRIMARY_IFACE/g" "$file"
sed -i -e "s/%DISK%/$BOOT_DISK/g" "$file" sed -i -e "s/%DISK%/$BOOT_DISK/g" "$file"
sed -i -e "s/%HOST%/$HOST_NAME/g" "$file" sed -i -e "s/%HOST%/$HOST_NAME/g" "$file"
sed -i -e "s/%GITHUB_USER%/$GITHUB_USER/g" "$file"
sed -i -e "s/%GITHUB_SECRETS_REPO%/$GITHUB_SECRETS_REPO/g" "$file"
fi fi
fi fi
} }
# Insert secrets repo into flake
insert_secrets_input
insert_secrets_output
# Traverse directories and call replace_tokens on each Nix file # Traverse directories and call replace_tokens on each Nix file
export -f replace_tokens export -f replace_tokens
find . -type f -exec bash -c 'replace_tokens "$0"' {} \; find . -type f -exec bash -c 'replace_tokens "$0"' {} \;

20
apps/x86_64-linux/apply
View File

@ -1,5 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
VERSION=1.0
# Color codes
RED='\033[0;31m' RED='\033[0;31m'
GREEN='\033[0;32m' GREEN='\033[0;32m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
@ -75,17 +78,6 @@ if [[ -z "$GIT_NAME" ]]; then
_prompt "${YELLOW}Please enter your name: ${NC}" GIT_NAME _prompt "${YELLOW}Please enter your name: ${NC}" GIT_NAME
fi fi
if [[ -z "$GITHUB_USER" ]]; then
_prompt "${YELLOW}Please enter your Github username: ${NC}" GITHUB_USER
fi
if [[ -z "$GITHUB_SECRETS_REPO" ]]; then
_prompt "${YELLOW}Please enter your Github secrets repository name: ${NC}" GITHUB_SECRETS_REPO
fi
export GITHUB_USER
export GITHUB_SECRETS_REPO
select_boot_disk() { select_boot_disk() {
local disks local disks
local _boot_disk local _boot_disk
@ -128,8 +120,6 @@ confirm_details() {
_print "Hostname: $HOST_NAME${NC}" _print "Hostname: $HOST_NAME${NC}"
fi fi
_print "${GREEN}Secrets repository: $GITHUB_USER/$GITHUB_SECRETS_REPO${NC}"
_prompt "${YELLOW}Is this correct? yes/no: ${NC}" choice _prompt "${YELLOW}Is this correct? yes/no: ${NC}" choice
case "$choice" in case "$choice" in
@ -159,8 +149,6 @@ replace_tokens() {
LC_ALL=C LANG=C sed -i '' -e "s/%USER%/$USERNAME/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%USER%/$USERNAME/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%EMAIL%/$GIT_EMAIL/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%EMAIL%/$GIT_EMAIL/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%NAME%/$GIT_NAME/g" "$file" LC_ALL=C LANG=C sed -i '' -e "s/%NAME%/$GIT_NAME/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%GITHUB_USER%/$GITHUB_USER/g" "$file"
LC_ALL=C LANG=C sed -i '' -e "s/%GITHUB_SECRETS_REPO%/$GITHUB_SECRETS_REPO/g" "$file"
else else
# Linux or other # Linux or other
sed -i -e "s/%USER%/$USERNAME/g" "$file" sed -i -e "s/%USER%/$USERNAME/g" "$file"
@ -169,8 +157,6 @@ replace_tokens() {
sed -i -e "s/%INTERFACE%/$PRIMARY_IFACE/g" "$file" sed -i -e "s/%INTERFACE%/$PRIMARY_IFACE/g" "$file"
sed -i -e "s/%DISK%/$BOOT_DISK/g" "$file" sed -i -e "s/%DISK%/$BOOT_DISK/g" "$file"
sed -i -e "s/%HOST%/$HOST_NAME/g" "$file" sed -i -e "s/%HOST%/$HOST_NAME/g" "$file"
sed -i -e "s/%GITHUB_USER%/$GITHUB_USER/g" "$file"
sed -i -e "s/%GITHUB_SECRETS_REPO%/$GITHUB_SECRETS_REPO/g" "$file"
fi fi
fi fi
} }

8
flake.nix
View File

@ -1,5 +1,5 @@
{ {
description = "Starter Configuration with secrets for MacOS and NixOS"; description = "Starter Configuration with secrets (removed) for MacOS and NixOS";
inputs = { inputs = {
nixpkgs = { nixpkgs = {
url = "github:nixos/nixpkgs/nixos-unstable"; url = "github:nixos/nixpkgs/nixos-unstable";
@ -33,10 +33,6 @@
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
secrets = {
url = "git@git.kolkman.org:olaf/nix-config-secrets.git";
flake = false;
};
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -53,7 +49,6 @@
home-manager, home-manager,
nixpkgs, nixpkgs,
disko, disko,
secrets,
nixd, nixd,
sops-nix, sops-nix,
}@inputs: }@inputs:
@ -108,7 +103,6 @@
"create-keys" = mkApp "create-keys" system; "create-keys" = mkApp "create-keys" system;
"check-keys" = mkApp "check-keys" system; "check-keys" = mkApp "check-keys" system;
"install" = mkApp "install" system; "install" = mkApp "install" system;
"install-with-secrets" = mkApp "install-with-secrets" system;
}; };
mkDarwinApps = system: { mkDarwinApps = system: {
"apply" = mkApp "apply" system; "apply" = mkApp "apply" system;

29
modules/nixos/secrets.nix
View File

@ -1,29 +0,0 @@
{ config, pkgs, agenix, secrets, ... }:
let user = "olaf"; in
{
age.identityPaths = [
"/home/${user}/.ssh/id_ed25519"
];
# Your secrets go here
#
# Note: the installWithSecrets command you ran to boostrap the machine actually copies over
# a Github key pair. However, if you want to store the keypair in your nix-secrets repo
# instead, you can reference the age files and specify the symlink path here. Then add your
# public key in shared/files.nix.
#
# If you change the key name, you'll need to update the SSH configuration in shared/home-manager.nix
# so Github reads it correctly.
#
# age.secrets."github-ssh-key" = {
# symlink = false;
# path = "/home/${user}/.ssh/id_github";
# file = "${secrets}/github-ssh-key.age";
# mode = "600";
# owner = "${user}";
# group = "wheel";
# };
}