From 9490e8554724969c532106d2cffb0b2c8d602d09 Mon Sep 17 00:00:00 2001
From: Yusuf Bera Ertan <y.bera003.06@protonmail.com>
Date: Tue, 9 May 2023 02:58:14 +0300
Subject: [PATCH] use agenix for nix-build key

---
 hosts/tkaronto/modules/secrets.nix   |   7 +++++++
 modules/develop/nixbuild/default.nix |   4 ++--
 secrets/nixBuildKey.age              | Bin 0 -> 1315 bytes
 secrets/secrets.nix                  |   1 +
 shells/default.nix                   |   2 +-
 users/modules/musikcube/default.nix  |   7 ++++++-
 users/modules/musikcubed/default.nix |   7 ++++++-
 users/patriot/default.nix            |   1 +
 8 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 secrets/nixBuildKey.age

diff --git a/hosts/tkaronto/modules/secrets.nix b/hosts/tkaronto/modules/secrets.nix
index 305c1ec..bf62cd6 100644
--- a/hosts/tkaronto/modules/secrets.nix
+++ b/hosts/tkaronto/modules/secrets.nix
@@ -8,4 +8,11 @@
     owner = "systemd-network";
     group = "systemd-network";
   };
+
+  age.secrets.nixBuildKey = {
+    file = ../../../secrets/nixBuildKey.age;
+    owner = "root";
+    group = "nix-build-key-access";
+  };
+  users.groups."nix-build-key-access" = {};
 }
diff --git a/modules/develop/nixbuild/default.nix b/modules/develop/nixbuild/default.nix
index fb84531..b0ecf9b 100644
--- a/modules/develop/nixbuild/default.nix
+++ b/modules/develop/nixbuild/default.nix
@@ -1,8 +1,8 @@
-{...}: {
+{config, ...}: {
   programs.ssh.extraConfig = ''
     Host eu.nixbuild.net
       PubkeyAcceptedKeyTypes ssh-ed25519
-      IdentityFile /etc/nixos/keys/nixbuild.key
+      IdentityFile ${config.age.secrets.nixBuildKey.path}
   '';
 
   programs.ssh.knownHosts = {
diff --git a/secrets/nixBuildKey.age b/secrets/nixBuildKey.age
new file mode 100644
index 0000000000000000000000000000000000000000..7d4fde5c2a0de5069d65229bf6b5140c5b1bde1b
GIT binary patch
literal 1315
zcmWmC`)?Bk003Z67n5@`WXKdl+>9`!>)N}v*IokXUAyb`uGe1Q?SWu>y<Q*p=<eFP
zwt)!vgMcUsBLT!H$~G2)22i65q6Wk*Bp?_JA|#+73<)5h10+NJ7ruOHfj9Fqr`F4r
zf+BY-s$kJUz`U?s)AD9jOShvLNlyzvgiPU*i3{0!A{L*JWi6&kDlBqkoh<tVTLgqa
zS3-pIrE*2^VWgE&A`y?4FWPHhZ?<G(IY5A5-IItIbQq5XBn6kFDHo5_@)TA~g>7mv
zS?79<s+6-cY(nw!ls}7cc}NXK87Ux$vIoeg1v!a`4Op)9@R>}mVyEL4reaNDGU<d2
zR5OWHSm6U;g|AdGI73pbFAg?zf0#``HVguiu@Iie3@G51GwHC+F2pERNLB?6CwZaX
zOVqV8->@Szlh%Amp@+9y!=fc%jYSQ=sGubTs98N68x_LIS|aEwiirfI!>Me=sXJwX
zu*L|1OgXcxk?sNYI-LqQWR%DRVN|3*v=B@;C;->}LczfleGVn$!rXq$hj=`Q4fDd$
zEWs<9Jr+tvJx)|+`~il`A+#40P?|&=R3u47N*GWSGitfc$`-$7rQJ*~ZAUx=&G9lq
zfT{mr>o%#35e%ZLB<iolDQh02;u)b(B?>v*PY6Jw=wd@TZ@DZIHi;m)A|u)eRYtLx
zmWGssZgU0GTE!hS3Ze<CX46;+si;z%P@P!?uP`ORZ^ZO;Fc>P3v?~>Lrh>VKOLm1Z
znWu9ik@0!a5LKd-Tvk^zqyT0eNxA?l0itS(LU`0D0)pb>tcatLu9jgQjMxKM-iz5H
zYLxCpnQA8JqaiTqFccye^`s&^N8^<|UV>>fPzxypECYHnudtlJah|YMb`dE93fryD
z9=DH2$dV*7jxfYmb2XkcasNL?9A-h~(;DBduuIxCh)cJ307x{dqm3#m!HI@aiMVqF
z8IW0}N3Q218Mn!zO995^FxACSqatHY(XbF6XQa%BiV4YNcj|ysa}*FZh|^3N0nBD|
zI~9+6F(srjRvZh&Axpw&L_<P`swT5IY^f#iT7>h3VNj9;06x<(Fn{(_U#z|P&D<r<
zvn{SW6g)^)-x}Jt<Ap^R9$X(-*SBicBYzKZ(|7i)JGEiV@7R5O-_xyu8+{k%Dp#ep
zsWXl|-+kzzE6ooLjr?@)orBG{hOREp?wR@eW7E1n*uQo3kK^A>dZ|TOHty~_Ha7gp
znTgp!`9kNm&p%#pZr+Z&{cvvC;SWc^71M;3m!}@wxuAN5m~_HEemi`#_4w%BbtkfI
zuSnO}iFf~*VjgCHe&6))#^v(Tk*=kOx18QP{o-#2#=5fosaa=NuUx;sdCTCcS!`^>
zSC=-2Za+D>we@Y!gO<V7&oxocbc4g+-oLneMQ7)x`S$zZ67TQE-SNLBzxZQ*V9Uvq
z6OCo(CRxuPy<~drQ0K_?vzPleesql+r)RIZ4|AiR-8lKfzNX^p#j!Svb63BA2Ewsj
zU*3DwvTJBC`|_llzs`JgkykxdW16}aZ$Gf@y*pt?$FQ}9dOSS5_?JZkdSm<Tjul#{
zO5$^lxMogF>HXR`o!|fF!J}(G9W@X6POZ5(XKcC9{r!30o^4Oe+q?T&!7-0|<In!4
Zw&q)-uC2L+H$0n+Gj}9u^ZF6!+`ltC{4W3i

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fd8c250..dcd3feb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,5 @@ in {
   "bernbotToken.age".publicKeys = [yusdacra wolumonde];
   "musikquadConfig.age".publicKeys = [yusdacra wolumonde];
   "nixGithubAccessToken.age".publicKeys = [yusdacra];
+  "nixBuildKey.age".publicKeys = [yusdacra];
 }
diff --git a/shells/default.nix b/shells/default.nix
index eea6e72..f3dfeeb 100644
--- a/shells/default.nix
+++ b/shells/default.nix
@@ -7,7 +7,7 @@ tlib.genPkgs (pkgs: let
       if [ -z "''${1-}" ]; then
         agenix
       else
-        RULES="/etc/nixos/secrets/secrets.nix" agenix -i /etc/nixos/keys/ssh_key "$@"
+        RULES="/etc/nixos/secrets/secrets.nix" agenix -i /persist/keys/ssh_key "$@"
       fi
     '';
   };
diff --git a/users/modules/musikcube/default.nix b/users/modules/musikcube/default.nix
index c2ff4c5..3c6f6cc 100644
--- a/users/modules/musikcube/default.nix
+++ b/users/modules/musikcube/default.nix
@@ -1,4 +1,9 @@
-{config, pkgs, lib, ...}: let
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
   cfg = config.programs.musikcube;
 in {
   options = {
diff --git a/users/modules/musikcubed/default.nix b/users/modules/musikcubed/default.nix
index d178f10..237db79 100644
--- a/users/modules/musikcubed/default.nix
+++ b/users/modules/musikcubed/default.nix
@@ -1,4 +1,9 @@
-{config, lib, pkgs, ...}: let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
   cfg = config.services.musikcubed;
 in {
   options = {
diff --git a/users/patriot/default.nix b/users/patriot/default.nix
index 0ba1a5d..94e8003 100644
--- a/users/patriot/default.nix
+++ b/users/patriot/default.nix
@@ -20,6 +20,7 @@ in {
       "adbusers"
       "dialout"
       "video"
+      "nix-build-key-access"
       (l.optional nixosConfig.networking.networkmanager.enable "networkmanager")
       (l.optional nixosConfig.virtualisation.docker.enable "docker")
     ];