-rw-r--r--flake.lock68
-rw-r--r--flake.nix9
-rw-r--r--hosts/ahmed/cloudflare-ddns.nix (renamed from hosts/ahmed/cloudflare-ddns/default.nix)10
-rw-r--r--hosts/ahmed/configuration.nix2
-rw-r--r--hosts/common.nix3
-rw-r--r--lib/default.nix8
-rw-r--r--lib/secrets/default.nix92
-rw-r--r--secrets/cloudflare-ddns-token.age19
-rw-r--r--secrets/secrets.nix10
9 files changed, 110 insertions, 111 deletions
diff --git a/flake.lock b/flake.lock
index 7b9ac38..bc9c5b7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,8 +1,73 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1695384796,
+ "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673295039,
+ "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682203081,
+ "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
"nixpkgs"
]
},
@@ -59,7 +124,8 @@
},
"root": {
"inputs": {
- "home-manager": "home-manager",
+ "agenix": "agenix",
+ "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs"
}
diff --git a/flake.nix b/flake.nix
index cbad259..969c3c6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,9 +11,13 @@
url = "github:LnL7/nix-darwin";
inputs.nixpkgs.follows = "nixpkgs";
};
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
};
- outputs = { self, nixpkgs, home-manager, nix-darwin, ... }@inputs:
+ outputs = { self, nixpkgs, home-manager, nix-darwin, agenix, ... }@inputs:
let
args = {
inherit self;
@@ -33,7 +37,6 @@
./hosts/common.nix
./home
# FIXME: Get the following to work without nix-darwin bithcing about unused NixOS options.
- # ./lib
# ./modules
# ./services
];
@@ -46,10 +49,10 @@
modules = [
{ _module.args = args; }
home-manager.nixosModules.home-manager
+ agenix.nixosModules.default
./hosts/ahmed/configuration.nix
./hosts/common.nix
./home
- ./lib
./modules
./services
];
diff --git a/hosts/ahmed/cloudflare-ddns/default.nix b/hosts/ahmed/cloudflare-ddns.nix
index 77c799c..58f53b0 100644
--- a/hosts/ahmed/cloudflare-ddns/default.nix
+++ b/hosts/ahmed/cloudflare-ddns.nix
@@ -1,19 +1,19 @@
# This module sets up cloudflare-dyndns for <linus.onl>.
-{ lib, ... }:
+{ lib, config, ... }:
let
in
{
- my.secrets.cloudflare-ddns = {
- source = ./secrets.env;
- dest = "/run/keys/cloudflare-ddns.env";
+ age.secrets.cloudflare-dyndns-api-token = {
+ file = ../../secrets/cloudflare-ddns-token.age;
+ # TODO: configure permissions
};
services.cloudflare-dyndns = {
enable = true;
- apiTokenFile = "/run/keys/cloudflare-ddns.env";
+ apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
proxied = true;
domains = [ "linus.onl" ];
};
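Review bot: The `# TODO: configure permissions` left in the new `age.secrets.cloudflare-dyndns-api-token` block should be resolved or turned into a concrete statement before merge, because agenix decrypts to root-owned 0400 by default and whether that suffices depends on how the cloudflare-dyndns unit reads `apiTokenFile`. If the NixOS module loads it as a systemd `EnvironmentFile` (which the previous `secrets.env` name suggests), the decrypted plaintext must still be a `CLOUDFLARE_API_TOKEN=…` line and the root-only default is adequate since systemd reads it before dropping privileges; otherwise `owner`/`mode` need setting for the service user — please confirm against the module and replace the TODO with e.g. `# Read by systemd as root (EnvironmentFile), so the agenix default root:root 0400 is sufficient.` Two smaller points: the secret is named `cloudflare-dyndns-api-token` while the file is `cloudflare-ddns-token.age`, and the empty `let in` on the lines above is left over from the old module and can be dropped.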
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 7285962..3ac79fb 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -9,7 +9,7 @@
./hardware-configuration.nix
./ssh.nix
./disable-screen.nix
- ./cloudflare-ddns
+ ./cloudflare-ddns.nix
];
# Create the main user.
diff --git a/hosts/common.nix b/hosts/common.nix
index f18c062..32baeb5 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -1,6 +1,6 @@
# Shared configuraion regardless of hosts.
-{ pkgs, options, self, ... }:
+{ pkgs, options, self, flakeInputs, ... }:
{
# Enable de facto stable features.
@@ -28,6 +28,7 @@
comma
curl
moreutils
+ flakeInputs.agenix.packages.${system}.default
];
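Review bot: The new `flakeInputs.agenix.packages.${system}.default` entry relies on two names that this hunk does not establish: `flakeInputs`, added to the module arguments in the first hunk and presumably expected from `_module.args = args` in flake.nix, and `system`, which is not among the arguments at all. If `args` does not define `flakeInputs`, or `system` is not bound elsewhere in this file, evaluation of every host importing common.nix fails. Consider `flakeInputs.agenix.packages.${pkgs.system}.default` (or `pkgs.stdenv.hostPlatform.system`) so the line depends only on the `pkgs` argument already in scope, and a one-line comment such as `# agenix CLI for editing secrets; flakeInputs is passed via _module.args in flake.nix`.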
# Aliases that are burned into my muscle memory.
diff --git a/lib/default.nix b/lib/default.nix
deleted file mode 100644
index d896ce2..0000000
--- a/lib/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-
-{
- imports =
- [
- ./secrets
- ];
-}
diff --git a/lib/secrets/default.nix b/lib/secrets/default.nix
deleted file mode 100644
index 3c2da95..0000000
--- a/lib/secrets/default.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ pkgs, config, lib, metadata, ... }:
-
-with lib;
-
-let
- cfg = config.my.secrets;
-
- secret = types.submodule {
- options = {
- source = mkOption {
- type = types.path;
- description = "local secret path";
- };
-
- dest = mkOption {
- type = types.str;
- description = "where to write the decrypted secret to";
- };
-
- owner = mkOption {
- default = "root";
- type = types.str;
- description = "who should own the secret";
- };
-
- group = mkOption {
- default = "root";
- type = types.str;
- description = "what group should own the secret";
- };
-
- permissions = mkOption {
- default = "0400";
- type = types.str;
- description = "Permissions expressed as octal.";
- };
- };
- };
-
- mkSecretOnDisk = name:
- { source, ... }:
- pkgs.stdenv.mkDerivation {
- name = "${name}-secret";
- phases = "installPhase";
- buildInputs = [ pkgs.rage ];
- installPhase =
- let
- key = metadata.hosts."${config.networking.hostName}".sshPubKey;
- in
- ''
- rage -a -r '${key}' -o "$out" '${source}'
- '';
- };
-
- mkService = name:
- { source, dest, owner, group, permissions, ... }: {
- description = "decrypt secret for ${name}";
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig.Type = "oneshot";
-
- script = with pkgs; ''
- rm -rf ${dest}
- "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
- mkSecretOnDisk name { inherit source; }
- }'
-
- chown '${owner}':'${group}' '${dest}'
- chmod '${permissions}' '${dest}'
- '';
- };
-in
-{
- options.my.secrets = mkOption {
- type = types.attrsOf secret;
- description = "secret configuration";
- default = { };
- };
-
- config = mkIf (cfg != []) {
- systemd.services =
- let
- units = mapAttrs'
- (name: info: {
- name = "${name}-key";
- value = (mkService name info);
- })
- cfg;
- in
- units;
- };
-}
diff --git a/secrets/cloudflare-ddns-token.age b/secrets/cloudflare-ddns-token.age
new file mode 100644
index 0000000..280ae85
--- /dev/null
+++ b/secrets/cloudflare-ddns-token.age
@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 mPg9Wg gHYl+dLO8N5gCWv2x5qtuEvTrrL4XlLcT2Q6Zngb5WM
+BBoS++7s6L4JCZWDkIyyNdf5QDMB1zGUghOOFWo2EC4
+-> ssh-rsa 5MROTA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+-> dw-grease
+NVGg1adhRcMDrvPKNfly
+--- KcSrc4BXUEzO72Kl/qCJ+Ild9FjCMDyTwZl1Lpjj8LQ
+9N�?��!}l�r�/�_�-�T�� �dTy�J��_I� ��ED@Z�nI����9��Hf�ěr�n�a�O���᮷���c�O���'�LxՎN���3 \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..0f349a8
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,10 @@
+# This file conatins configuration for the agenix CLI. It is not actually
+# imported into the system cofniguration.
+
+let
+ metadata = builtins.fromTOML (builtins.readFile ../metadata.toml);
+ publicKeys = map (builtins.getAttr "sshPubKey") (builtins.attrValues metadata.hosts);
+in
+{
+ "cloudflare-ddns-token.age".publicKeys = publicKeys;
+}