feat(secrets)!: Replace sops with agenix-rekey
sops-nix is tending to be fairly complex for our use-cases, which adds
difficulty to deploying, maintaining our wrapper module, keeping
".env.bin" files, etc.
agenix-rekey is a lot simpler.
notable in this commit is the `// { outputPath = ...; }` hack in
flake.nix. This is needed due to snowfall-lib otherwise butchering paths
such that agenix-rekey is unable to show us what secrets exist with
`agenix edit`, etc... companion to that is the lib.snowfall.fs stuff in
the secrets/default.nix file
Change-Id: Id3e79cfc7d37a7b7de7b8cc42f7392c4d8bd07c5
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/801
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/flake.lock b/flake.lock
index e8fe841..21028ad 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,8 +1,52 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1720546205,
+ "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "agenix-rekey": {
+ "inputs": {
+ "devshell": "devshell",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit-hooks": "pre-commit-hooks"
+ },
+ "locked": {
+ "lastModified": 1721402988,
+ "narHash": "sha256-O5j5y5gpssVF5FNsSF7joTyrlW//LpwyLk6yBWgQ0VE=",
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "rev": "3f1c787e2092d9c13142ae7572cc1c52b68f1c4c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oddlama",
+ "repo": "agenix-rekey",
+ "type": "github"
+ }
+ },
"aux--docs-site": {
"inputs": {
- "flake-utils": "flake-utils",
+ "flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
@@ -43,9 +87,31 @@
"url": "https://git.auxolotl.org/auxolotl/wiki"
}
},
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1700795494,
+ "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
"deploy-rs": {
"inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
],
@@ -65,9 +131,47 @@
"type": "github"
}
},
+ "devshell": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix-rekey",
+ "nixpkgs"
+ ],
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1695195896,
+ "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=",
+ "owner": "numtide",
+ "repo": "devshell",
+ "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "devshell",
+ "type": "github"
+ }
+ },
"flake-compat": {
"flake": false,
"locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
@@ -81,7 +185,7 @@
"type": "github"
}
},
- "flake-compat_2": {
+ "flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@@ -99,14 +203,14 @@
},
"flake-utils": {
"inputs": {
- "systems": "systems"
+ "systems": "systems_3"
},
"locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@@ -117,7 +221,7 @@
},
"flake-utils-plus": {
"inputs": {
- "flake-utils": "flake-utils_3"
+ "flake-utils": "flake-utils_4"
},
"locked": {
"lastModified": 1715533576,
@@ -136,7 +240,7 @@
},
"flake-utils_2": {
"inputs": {
- "systems": "systems_3"
+ "systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
@@ -154,7 +258,25 @@
},
"flake-utils_3": {
"inputs": {
- "systems": "systems_4"
+ "systems": "systems_6"
+ },
+ "locked": {
+ "lastModified": 1710146030,
+ "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_4": {
+ "inputs": {
+ "systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
@@ -170,9 +292,52 @@
"type": "github"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix-rekey",
+ "pre-commit-hooks",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660459072,
+ "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1703113217,
+ "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
"nixpkgs"
]
},
@@ -207,6 +372,38 @@
},
"nixpkgs": {
"locked": {
+ "lastModified": 1703013332,
+ "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1685801374,
+ "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
"lastModified": 1722087241,
"narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
"owner": "nixos",
@@ -221,23 +418,52 @@
"type": "github"
}
},
+ "pre-commit-hooks": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-utils": [
+ "agenix-rekey",
+ "flake-utils"
+ ],
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "agenix-rekey",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1694364351,
+ "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
"root": {
"inputs": {
+ "agenix": "agenix",
+ "agenix-rekey": "agenix-rekey",
"aux--docs-site": "aux--docs-site",
"aux--wiki": "aux--wiki",
"deploy-rs": "deploy-rs",
- "flake-utils": "flake-utils_2",
- "home-manager": "home-manager",
+ "flake-utils": "flake-utils_3",
+ "home-manager": "home-manager_2",
"impermanence": "impermanence",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"snowfall-lib": "snowfall-lib",
- "sops-nix": "sops-nix",
"unstable": "unstable"
}
},
"snowfall-lib": {
"inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
"flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixpkgs"
@@ -257,29 +483,6 @@
"type": "github"
}
},
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "unstable"
- ],
- "nixpkgs-stable": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1722114803,
- "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
- }
- },
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -340,6 +543,51 @@
"type": "github"
}
},
+ "systems_5": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_6": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_7": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
"unstable": {
"locked": {
"lastModified": 1722062969,
@@ -358,7 +606,7 @@
},
"utils": {
"inputs": {
- "systems": "systems_2"
+ "systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,