feat(nix-hm): add initial integration of agenix

2024-03-14 03:37:02 -05:00 · 2024-03-14 03:37:02 -05:00 · 88749bbc68
commit 88749bbc68
parent 0ccb675a7f
5 changed files with 306 additions and 27 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,9 +1,57 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "agenix": "agenix_2",
+        "crane": "crane",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1709831932,
+        "narHash": "sha256-WsP8rOFa/SqYNbVtYJ/l2mWWOgyDTJFbITMV8tv0biI=",
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "rev": "06de099ef02840ec463419f12de73729d458e1eb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "type": "github"
+      }
+    },
+    "agenix_2": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "bob": {
      "inputs": {
        "bob": "bob_2",
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
@ -35,9 +83,53 @@
        "type": "github"
      }
    },
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1708794349,
+        "narHash": "sha256-jX+B1VGHT0ruHHL5RwS8L21R6miBn4B6s9iVyUJsJJY=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "2c94ff9a6fbeb9f3ea0107f28688edbe9c81deaa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "emacs-overlay": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable"
      },
@ -131,7 +223,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1705309234,
@ -149,14 +241,14 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
        "type": "github"
      },
      "original": {
@ -167,7 +259,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1710146030,
@ -185,7 +277,25 @@
    },
    "flake-utils_4": {
      "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_6"
      },
      "locked": {
        "lastModified": 1705309234,
@ -201,9 +311,9 @@
        "type": "github"
      }
    },
-    "flake-utils_5": {
+    "flake-utils_6": {
      "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_7"
      },
      "locked": {
        "lastModified": 1701680307,
@ -219,7 +329,7 @@
        "type": "github"
      }
    },
-    "flake-utils_6": {
+    "flake-utils_7": {
      "locked": {
        "lastModified": 1659877975,
        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
@ -234,9 +344,9 @@
        "type": "github"
      }
    },
-    "flake-utils_7": {
+    "flake-utils_8": {
      "inputs": {
-        "systems": "systems_6"
+        "systems": "systems_8"
      },
      "locked": {
        "lastModified": 1705309234,
@ -309,6 +419,28 @@
      }
    },
    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -330,7 +462,7 @@
    },
    "kanagawa-gtk": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_5",
        "kanagawa-gtk": "kanagawa-gtk_2",
        "nixpkgs": [
          "nixpkgs"
@ -382,7 +514,7 @@
    },
    "neovim-flake": {
      "inputs": {
-        "flake-utils": "flake-utils_5",
+        "flake-utils": "flake-utils_6",
        "nixpkgs": [
          "neovim-nightly-overlay",
          "nixpkgs"
@ -428,7 +560,7 @@
    },
    "nixgl": {
      "inputs": {
-        "flake-utils": "flake-utils_6",
+        "flake-utils": "flake-utils_7",
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
@ -526,10 +658,11 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "bob": "bob",
        "emacs-overlay": "emacs-overlay",
-        "flake-utils": "flake-utils_3",
-        "home-manager": "home-manager",
+        "flake-utils": "flake-utils_4",
+        "home-manager": "home-manager_2",
        "kanagawa-gtk": "kanagawa-gtk",
        "neovim-nightly-overlay": "neovim-nightly-overlay",
        "nixgl": "nixgl",
@ -539,6 +672,31 @@
      }
    },
    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "agenix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1708740535,
+        "narHash": "sha256-NCTw235XwSDbeTAtAwg/hOeNOgwYhVq7JjDdbkOgBeA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "9b24383d77f598716fa0cbb8b48c97249f5ee1af",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
      "inputs": {
        "flake-utils": [
          "wezterm",
@ -653,6 +811,36 @@
        "type": "github"
      }
    },
+    "systems_7": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "waybar": {
      "inputs": {
        "flake-compat": "flake-compat_2",
@ -676,14 +864,14 @@
    },
    "wezterm": {
      "inputs": {
-        "flake-utils": "flake-utils_7",
+        "flake-utils": "flake-utils_8",
        "freetype2": "freetype2",
        "harfbuzz": "harfbuzz",
        "libpng": "libpng",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay",
+        "rust-overlay": "rust-overlay_2",
        "zlib": "zlib"
      },
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -27,6 +27,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixgl.url = "github:guibou/nixGL";
+    agenix = {
+      url = "github:yaxitech/ragenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = inputs@{ self, home-manager, nixpkgs, ... }:
@ -45,6 +49,7 @@
          };
          modules = [
            ({
+              imports = [ inputs.agenix.homeManagerModules.default ];
              nixpkgs.overlays = [
                inputs.neovim-nightly-overlay.overlay
                inputs.emacs-overlay.overlays.emacs
@ -58,11 +63,10 @@
                      wrapProgram $out/bin/lxappearance --prefix GDK_BACKEND : x11
                    '';
                  });
-                  opensnitch-ui = prev.opensnitch-ui.overrideAttrs
-                    (oldAttrs: {
-                      propagatedBuildInputs = oldAttrs.propagatedBuildInputs
-                        ++ [ prev.python311Packages.qt-material ];
-                    });
+                  opensnitch-ui = prev.opensnitch-ui.overrideAttrs (oldAttrs: {
+                    propagatedBuildInputs = oldAttrs.propagatedBuildInputs
+                      ++ [ prev.python311Packages.qt-material ];
+                  });
                })
              ];
              home = {
@ -74,5 +78,25 @@
            ./config
          ];
        };
-    };
+    } // inputs.flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs {
+          inherit system;
+          overlays = [ inputs.agenix.overlays.default ];
+        };
+      in {
+        devShells.default = pkgs.mkShell {
+          packages = with pkgs; [
+            age
+            age-plugin-yubikey
+            pkgs.agenix
+            nixos-rebuild
+            pkgs.deploy-rs
+          ];
+          shellHook = ''
+            export RULES="$PWD/secrets/secrets.nix"
+            nix eval --json --file ./.nixd.nix > .nixd.json
+          '';
+        };
+      });
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@ -0,0 +1,48 @@
+# Some of these functions were taken from https://github.com/NixOS/nixpkgs/blob/master/lib/
+{ lib ? (import <nixpkgs> { }).lib }:
+rec {
+  hasSuffix =
+    suffix:
+    string:
+    let
+      lenSuffix = builtins.stringLength suffix;
+      lenString = builtins.stringLength string;
+    in
+    (
+      lenString >= lenSuffix && (builtins.substring (lenString - lenSuffix) lenString string) == suffix
+    );
+  recurseDir = dir:
+    let
+      dirContents = builtins.readDir dir;
+    in
+    (builtins.concatMap
+      (dirItem:
+        let
+          itemType = builtins.getAttr dirItem dirContents;
+          itemPath = dir + "/${dirItem}";
+        in
+        if itemType == "directory" then
+          (recurseDir itemPath)
+        else
+          [ itemPath ])
+      (builtins.attrNames dirContents));
+  recurseFilesInDir = dir: suffix:
+    (builtins.filter (file: hasSuffix "${suffix}" file) (recurseDir dir));
+  recurseFilesInDirs = dirs: suffix:
+    (builtins.concatMap (dir: (recurseFilesInDir dir "${suffix}")) dirs);
+  # Full credit to https://stackoverflow.com/questions/54504685/nix-function-to-merge-attributes-records-recursively-and-concatenate-arrays/54505212#54505212
+  recursiveMerge = attrList:
+    let
+      f = attrPath:
+        lib.zipAttrsWith (n: values:
+          if lib.tail values == [ ]
+          then lib.head values
+          else if lib.all builtins.isList values
+          then lib.unique (lib.concatLists values)
+          else if lib.all builtins.isAttrs values
+          then f (attrPath ++ [ n ]) values
+          else lib.last values
+        );
+    in
+    f [ ] attrList;
+}
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,18 @@
+{ agenix ? true, lib ? import ../lib { } }:
+let
+  keys = [
+    "age1yubikey1qfnj0k4mkzrn8ef5llwh2sv6hd7ckr0qml3n9hzdpz9c59ypvryhyst87k0"
+    "age1ur2lr3z6d2eftgxcalc6s5x9840ew9x43upl9k23wg0ugacrn5as4zl6sj"
+  ];
+  secrets = let dir = "files";
+  in {
+  };
+in if agenix then
+  (builtins.listToAttrs (builtins.concatMap (secretName: [{
+    name = builtins.toString secretName;
+    value.publicKeys = keys;
+  }]) (builtins.attrNames secrets)))
+else
+  (lib.recursiveMerge (builtins.map (secretName: {
+    age.secrets.${secretName}.file = ./${secrets.${secretName}};
+  }) (builtins.attrNames secrets)))
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1 @@
+import ./default.nix { agenix = true; }