From 1745932cd85f8beebd5af440b74a51eae80c9757 Mon Sep 17 00:00:00 2001 From: Anthony Rodriguez Date: Thu, 24 Oct 2024 16:02:14 +0200 Subject: [PATCH] treewide: add server-side secrets management with agenix --- flake.lock | 130 +++++++++++++++++++++++++++++------- flake.nix | 8 ++- hosts/anastacia/default.nix | 8 ++- secrets/searx-env-file.age | Bin 0 -> 274 bytes secrets/secrets.nix | 5 ++ system/services/searx.nix | 10 ++- 6 files changed, 133 insertions(+), 28 deletions(-) create mode 100644 secrets/searx-env-file.age create mode 100644 secrets/secrets.nix diff --git a/flake.lock b/flake.lock index 57ebe2b..1fe7319 100644 --- a/flake.lock +++ b/flake.lock @@ -1,9 +1,32 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "ags": { "inputs": { "nixpkgs": "nixpkgs", - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1728326430, @@ -60,6 +83,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat_2", @@ -243,7 +288,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, 
@@ -261,7 +306,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1710146030, @@ -279,7 +324,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1710146030, @@ -352,6 +397,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -892,7 +958,7 @@ "plugin-vim-vsnip": "plugin-vim-vsnip", "plugin-which-key": "plugin-which-key", "rnix-lsp": "rnix-lsp", - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1728378979, @@ -2597,11 +2663,12 @@ }, "root": { "inputs": { + "agenix": "agenix", "ags": "ags", "basix": "basix", "deploy-rs": "deploy-rs", "firefox-addons": "firefox-addons", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "lanzaboote": "lanzaboote", "niri": "niri", "nix-index-db": "nix-index-db", @@ -2609,7 +2676,7 @@ "nixpkgs": "nixpkgs_5", "nvf": "nvf", "plasma-manager": "plasma-manager", - "systems": "systems_6", + "systems": "systems_7", "treefmt-nix": "treefmt-nix", "wezterm": "wezterm" } 
@@ -2688,21 +2755,6 @@ } }, "systems": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -2717,6 +2769,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, "systems_3": { "locked": { "lastModified": 1681028828, @@ -2763,6 +2830,21 @@ } }, "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_7": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -2777,7 +2859,7 @@ "type": "github" } }, - "systems_7": { + "systems_8": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -2812,7 +2894,7 @@ }, "utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 1c4a530..8ff097f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,8 +5,9 @@
 self,
 nixpkgs,
 systems,
- treefmt-nix,
+ agenix,
 deploy-rs,
+ treefmt-nix,
 ...
 } @ inputs: let
 eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system});
@@ -18,6 +19,7 @@
 pkgs.alejandra
 pkgs.git
 deploy-rs.packages.${pkgs.system}.default
+ agenix.packages.${pkgs.system}.default
 ];
 };
 });
@@ -45,6 +47,10 @@
 };
 # other
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 ags.url = "github:Aylur/ags";
 basix.url = "github:notashelf/basix";
 deploy-rs.url = "github:serokell/deploy-rs";
diff --git a/hosts/anastacia/default.nix b/hosts/anastacia/default.nix
index 13cf655..18cba8e 100644
--- a/hosts/anastacia/default.nix
+++ b/hosts/anastacia/default.nix
@@ -1,10 +1,16 @@
-{self, ...}: let
+{
+ self,
+ inputs,
+ ...
+}: let
 mod = "${self}/system";
 in {
 imports = [
 ./hardware-configuration.nix
 ./networking.nix # generated at runtime by nixos-infect
+ inputs.agenix.nixosModules.default
+ "${mod}/services/forgejo.nix"
 "${mod}/services/searx.nix"
 ];
diff --git a/secrets/searx-env-file.age b/secrets/searx-env-file.age
new file mode 100644
index 0000000000000000000000000000000000000000..8ede9591e75cce658aba966aea81a248a4203ace
GIT binary patch
literal 274
zcmV+t0qy=_XJsvAZewzJaCB*JZZ2FwC zbZc2kS!Q)^YeGv*QFJ#_Mn`B;OJQbDLoZHbQDiqcXwV&M>q
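Review bot: The new `agenix` input block in flake.nix only redirects `nixpkgs` to the root, so the lock in this same commit also pins agenix's own `darwin` (nix-darwin) and `home-manager` inputs, visible as the new `darwin` and `home-manager` nodes under `agenix` in flake.lock, although nothing in this flake appears to use them. Every extra pinned repository is one more third-party source that gets fetched, must be trusted and has to be kept updated, so I would disable the unused ones in the `agenix` block: `inputs.darwin.follows = "";` and `inputs.home-manager.follows = "";` (optionally also `inputs.systems.follows = "systems";` to reuse the root `systems` input instead of another `systems_N` copy). The devshell entry `agenix.packages.${pkgs.system}.default` is fine as written and mirrors the existing deploy-rs line.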
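Review bot: Importing `inputs.agenix.nixosModules.default` in hosts/anastacia/default.nix ties secret decryption to this host's SSH host key, because agenix's `age.identityPaths` defaults to the sshd host keys when openssh is enabled and nothing in the hunk overrides it; the adjacent comment says networking.nix is generated by nixos-infect, so reinstalling the host would rotate that key and leave every `.age` file undecryptable until it is re-keyed. I would record that next to the import: `# agenix decrypts with this host's sshd host key (age.identityPaths default); re-key secrets/secrets.nix after a reinstall`. The new `inputs` module argument also assumes the host's `nixosSystem` call passes `inputs` via `specialArgs`, which is outside this hunk and worth confirming.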