use agenix for nix-build key

hosts/tkaronto/modules/secrets.nix

@@ -8,4 +8,11 @@
     owner = "systemd-network";
     group = "systemd-network";
   };
+
+  age.secrets.nixBuildKey = {
+    file = ../../../secrets/nixBuildKey.age;
+    owner = "root";
+    group = "nix-build-key-access";
+  };
+  users.groups."nix-build-key-access" = {};
 }

modules/develop/nixbuild/default.nix

@@ -1,8 +1,8 @@
-{...}: {
+{config, ...}: {
   programs.ssh.extraConfig = ''
     Host eu.nixbuild.net
       PubkeyAcceptedKeyTypes ssh-ed25519
-      IdentityFile /etc/nixos/keys/nixbuild.key
+      IdentityFile ${config.age.secrets.nixBuildKey.path}
   '';
 
   programs.ssh.knownHosts = {

secrets/secrets.nix

@@ -7,4 +7,5 @@ in {
   "bernbotToken.age".publicKeys = [yusdacra wolumonde];
   "musikquadConfig.age".publicKeys = [yusdacra wolumonde];
   "nixGithubAccessToken.age".publicKeys = [yusdacra];
+  "nixBuildKey.age".publicKeys = [yusdacra];
 }

shells/default.nix

@@ -7,7 +7,7 @@ tlib.genPkgs (pkgs: let
       if [ -z "''${1-}" ]; then
         agenix
       else
-        RULES="/etc/nixos/secrets/secrets.nix" agenix -i /etc/nixos/keys/ssh_key "$@"
+        RULES="/etc/nixos/secrets/secrets.nix" agenix -i /persist/keys/ssh_key "$@"
       fi
     '';
   };

users/modules/musikcube/default.nix

@@ -1,4 +1,9 @@
-{config, pkgs, lib, ...}: let
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
   cfg = config.programs.musikcube;
 in {
   options = {

users/modules/musikcubed/default.nix

@@ -1,4 +1,9 @@
-{config, lib, pkgs, ...}: let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
   cfg = config.services.musikcubed;
 in {
   options = {

users/patriot/default.nix

@@ -20,6 +20,7 @@ in {
       "adbusers"
       "dialout"
       "video"
+      "nix-build-key-access"
       (l.optional nixosConfig.networking.networkmanager.enable "networkmanager")
       (l.optional nixosConfig.virtualisation.docker.enable "docker")
     ];