Use ragenix to manage secrets w/tpm bound keys.

Add Codestral API key.
Daniel Lundin 2025-06-29 10:42:51 +02:00
commit 5dbdb5d0e2
Signed by: dln
SSH key fingerprint: SHA256:dQy1Xj3UiqJYpKR5ggQ2bxgz4jCH8IF+k3AB8o0kmdI
8 changed files with 276 additions and 31 deletions

flake.lock generated

@ -1,5 +1,67 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager_2",
"nixpkgs": [
"ragenix",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1741481578,
"narHash": "sha256-JBTSyJFQdO3V8cgcL08VaBUByEU6P5kXbTJN6R0PFQo=",
"owner": "ipetkov",
"repo": "crane",
"rev": "bb1c9567c43e4434f54e9481eb4b8e8e0d50f0b5",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -40,11 +102,11 @@
]
},
"locked": {
"lastModified": 1749398372,
"narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
"lastModified": 1751413152,
"narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
"rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
"type": "github"
},
"original": {
@ -74,6 +136,24 @@
"type": "indirect"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
@ -148,11 +228,33 @@
]
},
"locked": {
"lastModified": 1750798083,
"narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=",
"lastModified": 1751729568,
"narHash": "sha256-ay7O1jjalUxkL23QWLv9C2s8rdVGs3hUOPZClIbUHKs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82",
"rev": "f117b383dd591fd579bce5ee7bac07a3fdc1d050",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
@ -172,11 +274,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1750920307,
"narHash": "sha256-w1wJ6lxK1fMXwZe8yBjAeRoOCDqmx/fkwfCwrTqc1Rg=",
"lastModified": 1751715639,
"narHash": "sha256-uyIfrCBlK817GU1tivfZXiAYPLs6EGDo2ENdWAc7hpc=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "da011a3510527ec378ec5504cb74ffc60fc67af7",
"rev": "20773cd148cd965f15aa6631fa28e26c281acf91",
"type": "github"
},
"original": {
@ -188,11 +290,11 @@
"neovim-src": {
"flake": false,
"locked": {
"lastModified": 1750889719,
"narHash": "sha256-QsH4nNNjYItfYwLU25JiAPBo/F5MMdaR3Ho29JdtyZw=",
"lastModified": 1751665574,
"narHash": "sha256-eM9I21Ygc30VIZ1Dm5HCgJDyGpDwBQVmrfEGJ3g9UO0=",
"owner": "neovim",
"repo": "neovim",
"rev": "731e616a79d01e4797badbb4e18d167c51125151",
"rev": "d9465e984b34ab7f98007e52edaf1ebc0ccef038",
"type": "github"
},
"original": {
@ -208,11 +310,11 @@
]
},
"locked": {
"lastModified": 1750565152,
"narHash": "sha256-A6ZIoIgaPPkzIVxKuaxwEJicPOeTwC/MD9iuC3FVhDM=",
"lastModified": 1751170039,
"narHash": "sha256-3EKpUmyGmHYA/RuhZjINTZPU+OFWko0eDwazUOW64nw=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "78cd697acc2e492b4e92822a4913ffad279c20e6",
"rev": "9c932ae632d6b5150515e5749b198c175d8565db",
"type": "github"
},
"original": {
@ -223,11 +325,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1750836778,
"narHash": "sha256-sRLyRiC7TezRbbjGJwUFOgb2xMbSr3wQ0oJKfYlQ6s0=",
"lastModified": 1751625545,
"narHash": "sha256-4E7wWftF1ExK5ZEDzj41+9mVgxtuRV3wWCId7QAYMAU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d7bb1922f0bb3d0c990f56f9cdb767fdb20a5f22",
"rev": "c860cf0b3a0829f0f6cf344ca8de83a2bbfab428",
"type": "github"
},
"original": {
@ -239,11 +341,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1750838302,
"narHash": "sha256-aVkL3/yu50oQzi2YuKo0ceiCypVZpZXYd2P2p1FMJM4=",
"lastModified": 1751582995,
"narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7284e2decc982b81a296ab35aa46e804baaa1cfe",
"rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
"type": "github"
},
"original": {
@ -255,11 +357,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1750865895,
"narHash": "sha256-p2dWAQcLVzquy9LxYCZPwyUdugw78Qv3ChvnX755qHA=",
"lastModified": 1751625545,
"narHash": "sha256-4E7wWftF1ExK5ZEDzj41+9mVgxtuRV3wWCId7QAYMAU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "61c0f513911459945e2cb8bf333dc849f1b976ff",
"rev": "c860cf0b3a0829f0f6cf344ca8de83a2bbfab428",
"type": "github"
},
"original": {
@ -271,11 +373,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1750776420,
"narHash": "sha256-/CG+w0o0oJ5itVklOoLbdn2dGB0wbZVOoDm4np6w09A=",
"lastModified": 1751271578,
"narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "30a61f056ac492e3b7cdcb69c1e6abdcf00e39cf",
"rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
"type": "github"
},
"original": {
@ -285,6 +387,44 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1741379970,
"narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"ragenix": {
"inputs": {
"agenix": "agenix",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1744897914,
"narHash": "sha256-GIVU92o2TZBnKQXTb76zpQbWR4zjU2rFqWKNIIpXnqA=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "40f2e17ecaeab4d78ec323e96a04548c0aaa5223",
"type": "github"
},
"original": {
"owner": "yaxitech",
"repo": "ragenix",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
@ -292,7 +432,59 @@
"nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable"
"nixpkgs-unstable": "nixpkgs-unstable",
"ragenix": "ragenix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"ragenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1741400194,
"narHash": "sha256-tEpgT+q5KlGjHSm8MnINgTPErEl8YDzX3Eps8PVc09g=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "16b6045a232fea0e9e4c69e55a6e269607dd8e3f",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
@ -303,11 +495,11 @@
]
},
"locked": {
"lastModified": 1749194973,
"narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
"lastModified": 1750931469,
"narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
"rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
"type": "github"
},
"original": {


@ -24,6 +24,7 @@
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
ragenix.url = "github:yaxitech/ragenix";
};
outputs =
@ -33,6 +34,7 @@
nixpkgs,
nixpkgs-unstable,
home-manager,
ragenix,
...
}:
let
@ -57,6 +59,7 @@
inherit inputs outputs;
};
modules = [
ragenix.homeManagerModules.default
./home/common
nix-index-database.hmModules.nix-index
] ++ modules;
@ -73,6 +76,7 @@
nil
nixd
nixfmt-rfc-style
(inputs.ragenix.packages.${system}.default.override { plugins = [ age-plugin-tpm ]; })
];
};
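Review bot: `ragenix.url` in the first hunk is added without a `ragenix.inputs.nixpkgs.follows = "nixpkgs";` line, unlike `home-manager` immediately above it; the lockfile in this same commit accordingly gains a separate `nixpkgs_3` node, and ragenix's own `agenix`, `crane`, `flake-utils` and `rust-overlay` inputs are resolved against it rather than the root `nixpkgs`. Adding the `follows` line directly after the `url` keeps a single nixpkgs revision in play and shrinks the closure that the TPM-enabled ragenix override at the last hunk pulls in; whether ragenix's pinned rust-overlay builds cleanly against the root nixpkgs would need a quick check. The `inputs` attribute set and the `outputs` function both continue outside the hunks.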


@ -11,6 +11,7 @@
./nix.nix
./nvim
./proton.nix
./ragenix.nix
./scripts.nix
./ssh.nix
./tmux.nix


@ -2,6 +2,7 @@
{
home.packages = with pkgs; [
age-plugin-fido2-hmac
age-plugin-tpm
comma
dogdns
file


@ -1,4 +1,5 @@
{
config,
inputs,
lib,
pkgs,
@ -10,6 +11,8 @@ let
text = ''
_sess=$(echo -n "$USER@''${SSH_CONNECTION:-$HOSTNAME}" | tr -c '[:alnum:]@.' '_')
_nvim_sock="''${XDG_RUNTIME_DIR:-/tmp}/nvim.$_sess.sock"
CODESTRAL_API_KEY="$(cat "${config.age.secrets.codestral_api_key.path}")"
export CODESTRAL_API_KEY
exec nvim --listen "$_nvim_sock" --server "$_nvim_sock" "$@"
'';
};
@ -23,9 +26,14 @@ in
programs.man.generateCaches = false;
age.secrets = {
codestral_api_key.file = ../../../secrets/codestral_api_key.age;
};
programs.neovim = {
enable = true;
package = inputs.neovim-nightly-overlay.packages.${pkgs.system}.default;
defaultEditor = true;
viAlias = true;
vimAlias = true;
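Review bot: In the second hunk the wrapper reads the secret with `cat` and exports `CODESTRAL_API_KEY` before `exec nvim`, so the key lives in the environment of the editor and is inherited by every child it spawns (LSP servers, terminals, plugin helpers) rather than being scoped to the one consumer that needs it; a narrower design is to have the plugin read `config.age.secrets.codestral_api_key.path` itself at the point of use. Separately, if the secret file is absent or unreadable, `cat` fails and, unless the wrapper runs with `set -e`, nvim still starts with an empty key exported; `text = ''` does not show which builder produces the script, so whether error-exit options are in force needs confirming. Guarding the read, `if [ -r "${config.age.secrets.codestral_api_key.path}" ]; then CODESTRAL_API_KEY="$(cat "${config.age.secrets.codestral_api_key.path}")"; export CODESTRAL_API_KEY; fi`, keeps the editor usable either way. The enclosing `let` binding and the `programs.neovim` set continue outside the hunk.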

home/common/ragenix.nix Normal file

@ -0,0 +1,17 @@
{
config,
pkgs,
...
}:
{
age = {
package = pkgs.writeShellScriptBin "age-with-plugins" ''
exec env PATH="${pkgs.lib.makeBinPath [ pkgs.age-plugin-tpm ]}" ${pkgs.lib.getExe pkgs.age} "$@"
'';
identityPaths = [
"${config.home.homeDirectory}/.age/id-dotfiles"
];
};
}
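Review bot: The wrapper assigned to `age.package` replaces `PATH` wholesale with a directory containing only `age-plugin-tpm`, so that is the only plugin the home-manager age module can ever resolve; `age-plugin-fido2-hmac`, already present in the packages list touched by this commit, is invisible here. If that restriction is deliberate, a comment above `package` such as `# Only TPM-bound identities are decryptable through this module; PATH is replaced, not extended.` would stop a later identity switch from failing with an unhelpful plugin-not-found error; if it is not, widening to `makeBinPath [ pkgs.age-plugin-tpm pkgs.age-plugin-fido2-hmac ]` is the one-line change. The file also lacks a header comment saying why `age` is wrapped at all; presumably the activation script's PATH does not carry the plugin, which is worth recording next to the override.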

secrets.nix Normal file

@ -0,0 +1,11 @@
let
dln_dinky = "age1tpm1qtzft9rjkcprk76yd6syxrskezlkafzfanadmlcp03at8fk6a6f27ygky9e";
dln_nemo = "age1tpm1q0jdt4w7r7k2xdwxcxjzkqrfmtesryd2x83pz3lqr335v7mleyn8jn9z7hs";
destinations = [
dln_dinky
dln_nemo
];
in
{
"secrets/codestral_api_key.age".publicKeys = destinations;
}
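Review bot: Both recipients are `age1tpm1…` keys, i.e. identities bound to the TPM of one device each, and there is no recipient outside those two hosts; if either TPM is cleared or the hardware is replaced, the secret can only be re-encrypted from the surviving host, and losing both means the API key has to be reissued. A comment above `destinations` recording that recovery path, and that `ragenix --rekey` must be rerun after any recipient change, would make the operational model explicit; whether a non-TPM offline recipient should be added is a policy choice for this repo rather than a defect. The mapping of `dln_dinky` and `dln_nemo` to hosts is inferred from the attribute names.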


@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----