addend agenix

2026-02-19 17:10:05 +01:00 · 2026-02-19 17:10:05 +01:00 · 9ee7b77ca3
commit 9ee7b77ca3
parent d93a98a952
8 changed files with 166 additions and 6 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,50 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -21,6 +66,27 @@
      }
    },
    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -58,10 +124,26 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "disko": "disko",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -7,9 +7,12 @@
        disko.inputs.nixpkgs.follows = "nixpkgs";
        home-manager.url = "github:nix-community/home-manager";
        home-manager.inputs.nixpkgs.follows = "nixpkgs";
+        agenix.url = "github:ryantm/agenix";
+        agenix.inputs.nixpkgs.follows = "nixpkgs";
+
    };

-    outputs = { self, nixpkgs, disko, home-manager }:
+    outputs = { self, nixpkgs, disko, home-manager, agenix }:
    let
        # options
        system = "x86_64-linux";
@ -22,7 +25,7 @@
        nixosConfigurations = {
            isengard = lib.nixosSystem {
                inherit system;
-                specialArgs = { inherit release myUser disko; };
+                specialArgs = { inherit release myUser disko agenix; };
                modules = [
                    ./hosts/isengard.nix
                    ./modules/base.nix
@ -32,8 +35,8 @@
                inherit system;
                specialArgs = { inherit release myUser disko; };
                modules = [
-                    ./hosts/palantir.nix
                    ./modules/base.nix
+                    ./hosts/palantir.nix

                    home-manager.nixosModules.home-manager
                    ./modules/home.nix
--- a/hosts/isengard.nix
+++ b/hosts/isengard.nix
@ -4,9 +4,13 @@
    # Imports
    imports = [
        disko.nixosModules.disko ../disko/isengard/btrfs-legacy.nix
+        
+        # Secrets
+        ../modules/agenix.nix

        # Containers
        ../modules/containers/ntfy.nix
+        ../modules/containers/vaultwarden.nix

    ];
    # Disks
@ -38,4 +42,3 @@

    system.stateVersion = release;
 }
-
--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@ -0,0 +1,21 @@
+{ config, pkgs, agenix, system, ... }:
+
+{
+
+    imports = [
+        agenix.nixosModules.default
+    ];
+    environment.systemPackages = [
+        agenix.packages.${system}.default
+    ];
+
+    # Secrets
+    age.secrets = {
+        vaultwarden-admin-token = {
+            file = ../secrets/vaultwarden-admin-token.age;
+            owner = "root";
+            group = "root";
+            mode = "0400";
+        };
+    };
+}
--- a/modules/containers/ntfy.nix
+++ b/modules/containers/ntfy.nix
@ -15,7 +15,7 @@ in
        image = "binwiederhier/ntfy:latest";

        ports = [
-            "127.0.0.1:10000:80"
+            "0.0.0.0:10000:80"
        ];

        volumes = [
--- a/modules/containers/vaultwarden.nix
+++ b/modules/containers/vaultwarden.nix
@ -0,0 +1,31 @@
+{ config, ... }:
+
+let
+    vaultwardenDir = "/srv/containers/vaultwarden";
+in
+{
+    systemd.tmpfiles.rules = [
+        "d ${vaultwardenDir} 2775 root admin"
+    ];
+
+    virtualisation.oci-containers.containers.vaultwarden = {
+        autoStart = true;
+        image = "vaultwarden/server:latest";
+
+        ports = [
+            "0.0.0.0:10001:80"
+        ];
+
+        volumes = [
+            "${vaultwardenDir}:/data"
+        ];
+        
+        environment = {
+            TZ = "Europe/Bucharest";
+            WEBSOCKET_ENABLED = "true";
+            SIGNUPS_ALLOWED = "false";
+            ROCKET_PORT = "80";
+            ROCKET_ADDRESS = "0.0.0.0";
+        };
+    };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,10 @@
+let
+  victor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiNyGO4RAxSdxvn2ZIBZ2Ze4iVVMrBNmu/V9JO70PoT victor@battleship";
+  users = [ victor ];
+
+  isengard = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpsaUGNNrF8kHzmHAPOc4C15vF0SE9Nn6h+NC7nONX7 root@isengard";
+  systems = [ isengard ];
+in
+{
+  "vaultwarden-admin-token.age".publicKeys = [ victor isengard ];
+}
--- a/secrets/vaultwarden-env.age
+++ b/secrets/vaultwarden-env.age
@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFA5bEdnQSB4RitR
+M0dlbjRZU0ZQZWNkZWs2eFRxRWZ4eVhlcnc2OUo0Rmszbkx1cUZvCnFSS3ZlanBJ
+MnJ1YmRsTDBRY3RkNGVPR0NxWC9CSjN4TlV6VjNxWHBXY0EKLT4gc3NoLWVkMjU1
+MTkgS0tuNDVBIHk3RGF0Y1V3bHBwQmZ5SlltSENLZlc1Ui96ZklrVlRHczhhdjJu
+YUlCQkUKSGkxY0w1ZFhsTW5xOVRqL3E0dGtYZXEvNzNOZlR4T0gxM3RKT1RmODQy
+TQotPiAmTCw3by0tZ3JlYXNlIGl6RD1pIEhwJGJvKgoya0xNT0lpczhnCi0tLSAv
+alp3bVBjenQ5WDlCdzRFeEJ4c01CQWhCMVk4R3dUeFpEbFpHdGVwTjVrCtAo7n+8
+1WWIS4y//7I5luHmYIz9b909UJSwg/g7oG9Q
+-----END AGE ENCRYPTED FILE-----