Set up agenix for secrets management

colmena/local.nix

@@ -1,13 +1,19 @@
 { name, nodes, config, lib, pkgs, ... }:
 
-{
+let sources = import ../npins;
+in {
   deployment = {
     allowLocalDeployment = true;
     targetHost = null;
     tags = [ "local" ];
   };
 
+  nixpkgs.config.packageOverrides = pkgs: {
+    agenix = (import "${sources.agenix}" { inherit pkgs; }).agenix;
+  };
+
   environment.systemPackages = with pkgs; [
+    agenix
     colmena
     npins
   ];

hive.nix

@@ -10,6 +10,7 @@ in {
 
     imports = [
       (import "${sources.home-manager}/nixos")
+      (import "${sources.agenix}/modules/age.nix")
       ./pinning.nix
       ./common/utilities.nix
       ./users/qenya.nix
@@ -29,7 +30,7 @@ in {
   yevaud = { name, nodes, ... }: {
     networking.hostId = "09673d65";
     time.timeZone = "Etc/UTC";
-    
+
     imports = [
       ./colmena/remote.nix
       ./hosts/yevaud/configuration.nix

npins/sources.json

@@ -1,5 +1,20 @@
 {
   "pins": {
+    "agenix": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "ryantm",
+        "repo": "agenix"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "0.15.0",
+      "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
+      "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
+      "hash": "01dhrghwa7zw93cybvx4gnrskqk97b004nfxgsys0736823956la"
+    },
     "home-manager": {
       "type": "Git",
       "repository": {

secrets/secrets.nix

@@ -0,0 +1,5 @@
+let
+  yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T";
+  systems = [ yevaud ];
+in
+{ }