authorseth <[email protected]>2023-03-10 21:34:29 -0500
committerseth <[email protected]>2023-03-10 21:34:29 -0500
commit4052e2795080d4ce72e64aec4e7b6eb8d823946e (patch)
treed6a70e299a5266ee0085f750317043424e18414a
parent8a7757fded4269a759dcf5fc4ce8e1013c557d5d (diff)
use agenix for passwords
-rw-r--r--flake.lock44
-rw-r--r--flake.nix4
-rw-r--r--hosts/default.nix13
-rw-r--r--secrets/rootPassword.age7
-rw-r--r--secrets/secrets.nix6
-rw-r--r--secrets/sethPassword.age8
-rw-r--r--users/root/default.nix2
-rw-r--r--users/seth/default.nix2
8 files changed, 84 insertions, 2 deletions
diff --git a/flake.lock b/flake.lock
index 914bae6..55c2e95 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "nixpkgs": [
+ "nixpkgsUnstable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1677969766,
+ "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
"crane": {
"inputs": {
"flake-compat": "flake-compat",
@@ -30,6 +51,28 @@
"type": "github"
}
},
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673295039,
+ "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
"flake-compat": {
"flake": false,
"locked": {
@@ -509,6 +552,7 @@
},
"root": {
"inputs": {
+ "agenix": "agenix",
"getchoo": "getchoo",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
diff --git a/flake.nix b/flake.nix
index c694a0a..6a70cd8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,10 @@
{
inputs = {
nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgsUnstable";
+ };
getchoo = {
url = "github:getchoo/overlay";
inputs.nixpkgs.follows = "nixpkgs";
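Review bot: The new `agenix` input transitively pulls in `nix-darwin` (the `darwin` node added to flake.lock in this same commit), which a NixOS-only flake never evaluates but still fetches and pins. agenix declares `darwin` as a flake input, so it can be dropped with `inputs.darwin.follows = "";` placed next to the existing `inputs.nixpkgs.follows = "nixpkgsUnstable";` line — assuming no darwin hosts are built from this flake, which nothing visible here suggests. Doing so keeps one fewer third-party tree in the lock that has to be reviewed on updates.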
diff --git a/hosts/default.nix b/hosts/default.nix
index 8aff79e..8aa7324 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -5,8 +5,21 @@ with inputs; let
stateVersion = "23.05";
pkgs = nixpkgsUnstable;
modules = with inputs; [
+ agenix.nixosModules.default
home-manager.nixosModules.home-manager
nur.nixosModules.nur
+ {
+ services.openssh = {
+ enable = true;
+ };
+ age = {
+ identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ secrets = {
+ rootPassword.file = ../secrets/rootPassword.age;
+ sethPassword.file = ../secrets/sethPassword.age;
+ };
+ };
+ }
];
};
in {
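Review bot: `services.openssh.enable = true;` is added to the shared module list for every host with default settings, so a commit described as "use agenix for passwords" also starts a listening sshd on all hosts, at the same time as it provisions a root password. If the daemon is only being enabled so that `/etc/ssh/ssh_host_ed25519_key` exists for `age.identityPaths`, that intent should be written down, e.g. `# sshd is enabled so the host ed25519 key exists for agenix decryption`, and the default policy tightened since NixOS leaves password authentication on unless overridden elsewhere (not visible here): `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` (older module revisions spell these `passwordAuthentication` / `permitRootLogin`). If no remote access is wanted at all, generating the host key without a listening daemon is the smaller change.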
diff --git a/secrets/rootPassword.age b/secrets/rootPassword.age
new file mode 100644
index 0000000..f366051
--- /dev/null
+++ b/secrets/rootPassword.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 I92A3Q EfOo3tIt3JMxBNlthyfwMttJw9+oeXqWC5g/cXl5TBI
+vxbMZgnqumVL5+oeX40a69uHQNCs4IfCcEy19Jml2vA
+-> c.Bf)j-grease Jixf.<
+ifoJHQglpqk4xJxJZcKZo9mcJaXdrpkWH7EWG4FxjX0w2IRgfA0TQO4
+--- TtjT7dvJde5Xvtd71TeQR7S/yskWLBQO6y57DCtDGHs
+T��*p��f"��3,'������*� V��ڝ�}�~�v|O%:�"�c�7����K�����!d��SA�w����ƐH�����ֱW��{�T��v�q�=���ܮ٧Q�y0n�Ai�tݥ��O ݱ y� \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..c85e64a
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,6 @@
+let
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix";
+in {
+ "rootPassword.age".publicKeys = [key];
+ "sethPassword.age".publicKeys = [key];
+}
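Review bot: Both secrets are encrypted to a single recipient, `getchoo-nix`, while the decrypting identity configured in hosts/default.nix is each host's own `/etc/ssh/ssh_host_ed25519_key`; unless that public key is exactly the host key of the one machine this deploys to, activation will fail to decrypt and neither user gets a password. If the shared module is applied to more than one host, every host's ed25519 public key has to be listed, and it is worth keeping a separate admin key as well so the files can be re-keyed with `agenix -r` without touching a host key: `let host1 = "ssh-ed25519 ..."; admin = "ssh-ed25519 ..."; in { "rootPassword.age".publicKeys = [host1 admin]; ... }`. A one-line comment naming which machine or person each key belongs to would also help the next person rotating it.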
diff --git a/secrets/sethPassword.age b/secrets/sethPassword.age
new file mode 100644
index 0000000..fed4bd0
--- /dev/null
+++ b/secrets/sethPassword.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 I92A3Q 0QGb3otWyYQLJpEzO71T3topePPXNkLysKYEuff9Rw4
+hvqwo7GrKHyzIKaINOgcMg1qquhFrOO6kzLfQPpcAgw
+-> j-grease 4 ffxXt rx(eLx
+yFRw5nECGc/iqNbuVkUZxNkjUptxDCa/mCN84LPyxOOsoSZ0j1L1ix5gDY5mE+Ak
+GkNzygNN
+--- lB6259pAAmAg7B8E/AY0eVi3y0+f70atDJdq9Dm4qF0
+3;�MN��9��$�@u$��5gXp:l7�t�V���i�` ڱ�-���P�vԟ�l=�e�I'f$u����WL:˟g�G�3� ��s���VOӂ�ɡ�R�8CR� }�Π�X��I�*���J�x��Ù(AKG#�qM4 \ No newline at end of file
diff --git a/users/root/default.nix b/users/root/default.nix
index 2fec3ea..a77e461 100644
--- a/users/root/default.nix
+++ b/users/root/default.nix
@@ -3,6 +3,6 @@
home = "/root";
uid = config.ids.uids.root;
group = "root";
- initialHashedPassword = "***REMOVED***";
+ passwordFile = config.age.secrets.rootPassword.path;
};
}
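Review bot: Swapping `initialHashedPassword` for `passwordFile` changes the semantics, not just where the hash is stored: `initialHashedPassword` only seeds the password when the account is first created, whereas `passwordFile` is re-applied on every activation and will silently overwrite a root password changed on the machine with `passwd`. If that is the intended behaviour, say so next to the line, e.g. `# applied on every rebuild; overrides any password set interactively`; if not, the one-shot semantics of the old option are lost by this change. The enclosing `users.users.root` attribute set starts outside the hunk, so I cannot see whether `mutableUsers` is set anywhere in this file.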
diff --git a/users/seth/default.nix b/users/seth/default.nix
index 52979b3..93368d9 100644
--- a/users/seth/default.nix
+++ b/users/seth/default.nix
@@ -7,8 +7,8 @@
users.users.seth = {
extraGroups = ["wheel"];
isNormalUser = true;
- hashedPassword = "***REMOVED***";
shell = pkgs.fish;
+ passwordFile = config.age.secrets.sethPassword.path;
};
programs.fish.enable = true;