use agenix for nix-build key

dusk 2023-05-09 02:58:14 +03:00
parent bf23baf74c
commit 9490e85547
Signed by: dusk
GPG Key ID: 1D8F8FAF2294D6EA
8 changed files with 24 additions and 5 deletions


@ -8,4 +8,11 @@
owner = "systemd-network"; owner = "systemd-network";
group = "systemd-network"; group = "systemd-network";
}; };
age.secrets.nixBuildKey = {
file = ../../../secrets/nixBuildKey.age;
owner = "root";
group = "nix-build-key-access";
};
users.groups."nix-build-key-access" = {};
} }
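Review bot: The new `age.secrets.nixBuildKey` block sets `owner` and `group` but no `mode`, so the secret is installed with agenix's default `0400` (if I recall the default correctly) and members of `nix-build-key-access` — the group the last section of this commit adds the user to — still cannot read it; add `mode = "0440";` if group read is the intent. Note also that OpenSSH refuses a private key whose mode has group/other bits set when the file is owned by the invoking user, so a root-owned `0440` key referenced by the `IdentityFile` in the second section would work for group members but not for root itself, which is presumably what `nix-daemon` runs remote builds as. Decide which principal actually needs the key and match the mode to that; if only root needs it, the `group` and the `users.groups."nix-build-key-access"` entry can be dropped. The enclosing attribute set starts outside the hunk.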


@ -1,8 +1,8 @@
{...}: { {config, ...}: {
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host eu.nixbuild.net Host eu.nixbuild.net
PubkeyAcceptedKeyTypes ssh-ed25519 PubkeyAcceptedKeyTypes ssh-ed25519
IdentityFile /etc/nixos/keys/nixbuild.key IdentityFile ${config.age.secrets.nixBuildKey.path}
''; '';
programs.ssh.knownHosts = { programs.ssh.knownHosts = {

BIN
secrets/nixBuildKey.age Normal file

Binary file not shown.


@ -7,4 +7,5 @@ in {
"bernbotToken.age".publicKeys = [yusdacra wolumonde]; "bernbotToken.age".publicKeys = [yusdacra wolumonde];
"musikquadConfig.age".publicKeys = [yusdacra wolumonde]; "musikquadConfig.age".publicKeys = [yusdacra wolumonde];
"nixGithubAccessToken.age".publicKeys = [yusdacra]; "nixGithubAccessToken.age".publicKeys = [yusdacra];
"nixBuildKey.age".publicKeys = [yusdacra];
} }
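Review bot: `nixBuildKey.age` is encrypted to `yusdacra` only, while most of the neighbouring secrets also list `wolumonde`; since agenix decrypts at activation with the deploying host's key, the secret will fail to decrypt on any host whose key is not in that list. If `wolumonde` is a host key and the single recipient is deliberate (it matches `nixGithubAccessToken.age` on the line above), a short comment such as `# single-host secret, only decryptable where yusdacra's key is present` would stop a future reader from "fixing" it. The enclosing attribute set starts outside the hunk.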


@ -7,7 +7,7 @@ tlib.genPkgs (pkgs: let
if [ -z "''${1-}" ]; then if [ -z "''${1-}" ]; then
agenix agenix
else else
RULES="/etc/nixos/secrets/secrets.nix" agenix -i /etc/nixos/keys/ssh_key "$@" RULES="/etc/nixos/secrets/secrets.nix" agenix -i /persist/keys/ssh_key "$@"
fi fi
''; '';
}; };
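Review bot: The wrapper now carries two hard-coded absolute paths on one line, `RULES="/etc/nixos/secrets/secrets.nix"` and `-i /persist/keys/ssh_key`, and a missing key file only surfaces as agenix's own error at call time; consider hoisting the key path into the surrounding `let` (which starts outside the hunk), e.g. `identityFile = "/persist/keys/ssh_key";`, and interpolating it so the script and any future check share one definition. If the `/persist` location reflects an impermanence setup, a one-line comment saying so next to the binding would explain why the key is not under `/etc/nixos` like the rules file.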


@ -1,4 +1,9 @@
{config, pkgs, lib, ...}: let {
config,
pkgs,
lib,
...
}: let
cfg = config.programs.musikcube; cfg = config.programs.musikcube;
in { in {
options = { options = {


@ -1,4 +1,9 @@
{config, lib, pkgs, ...}: let {
config,
lib,
pkgs,
...
}: let
cfg = config.services.musikcubed; cfg = config.services.musikcubed;
in { in {
options = { options = {


@ -20,6 +20,7 @@ in {
"adbusers" "adbusers"
"dialout" "dialout"
"video" "video"
"nix-build-key-access"
(l.optional nixosConfig.networking.networkmanager.enable "networkmanager") (l.optional nixosConfig.networking.networkmanager.enable "networkmanager")
(l.optional nixosConfig.virtualisation.docker.enable "docker") (l.optional nixosConfig.virtualisation.docker.enable "docker")
]; ];