From 6bf38b7814aef843595efbf2d53b983e25143236 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Tue, 18 Jun 2024 14:20:45 +0100
Subject: [PATCH] Set up agenix for secrets management

---
 colmena/local.nix | 8 +++++++-
 hive.nix | 3 ++-
 npins/sources.json | 15 +++++++++++++++
 secrets/secrets.nix | 5 +++++
 4 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 secrets/secrets.nix

diff --git a/colmena/local.nix b/colmena/local.nix
index a610670..51720b9 100644
--- a/colmena/local.nix
+++ b/colmena/local.nix
@@ -1,13 +1,19 @@
 { name, nodes, config, lib, pkgs, ... }:
-{
+let sources = import ../npins;
+in {
 deployment = { allowLocalDeployment = true; targetHost = null; tags = [ "local" ]; };
+ nixpkgs.config.packageOverrides = pkgs: {
+ agenix = (import "${sources.agenix}" { inherit pkgs; }).agenix;
+ };
+
 environment.systemPackages = with pkgs; [
+ agenix
 colmena npins ];
diff --git a/hive.nix b/hive.nix
index 84aa279..d7a8ae9 100644
--- a/hive.nix
+++ b/hive.nix
@@ -10,6 +10,7 @@ in {
 imports = [ (import "${sources.home-manager}/nixos")
+ (import "${sources.agenix}/modules/age.nix")
 ./pinning.nix ./common/utilities.nix ./users/qenya.nix
@@ -29,7 +30,7 @@ in {
 yevaud = { name, nodes, ... }: { networking.hostId = "09673d65"; time.timeZone = "Etc/UTC";
-
+
 imports = [ ./colmena/remote.nix ./hosts/yevaud/configuration.nix
diff --git a/npins/sources.json b/npins/sources.json
index 0a2badb..f0a5225 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -1,5 +1,20 @@
 {
 "pins": {
+ "agenix": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "GitHub",
+ "owner": "ryantm",
+ "repo": "agenix"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "release_prefix": null,
+ "version": "0.15.0",
+ "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
+ "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0",
+ "hash": "01dhrghwa7zw93cybvx4gnrskqk97b004nfxgsys0736823956la"
+ },
 "home-manager": {
 "type": "Git",
 "repository": {
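Review bot: In the `nixpkgs.config.packageOverrides = pkgs: {` line the lambda parameter shadows the module argument `pkgs` from the first line of the hunk, so inside the override `pkgs` is the package set that packageOverrides hands in while `with pkgs;` two lines later refers to the module's own binding; that is presumably intended but easy to misread. Renaming the inner binding makes the distinction visible: `nixpkgs.config.packageOverrides = prev: {` and `agenix = (import "${sources.agenix}" { pkgs = prev; }).agenix;`. A short comment above the override such as `# agenix CLI built from the npins pin; the matching NixOS module is imported in hive.nix` would also tell a reader where the other half of the setup lives. The module's attribute set continues past the end of the hunk.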
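Review bot: The added `(import "${sources.agenix}/modules/age.nix")` line imports the agenix module for every node in the hive, but nothing in this commit declares an `age.secrets` entry or sets `age.identityPaths`, so a reader of hive.nix cannot tell that the import is deliberate scaffolding; a comment such as `# agenix NixOS module: age.secrets.* are declared per host, recipient keys live in secrets/secrets.nix` would make that explicit. If I recall correctly the module falls back to the host's OpenSSH host keys for decryption when no identity path is configured, which is consistent with only a host key being listed in secrets/secrets.nix — worth confirming and recording in that comment. The enclosing `imports` list and the `in {` attribute set begin before the hunk.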
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..15c6b9f
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,5 @@
+let
+ yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T";
+ systems = [ yevaud ];
+in
+{ }
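Review bot: `systems = [ yevaud ];` is bound but the file evaluates to `{ }`, so until the first secret is declared the binding is dead and the intended convention is invisible; a comment on the let-block such as `# host SSH public keys allowed to decrypt; each secret below sets publicKeys = systems ++ operator keys` would document it. Only yevaud's host key is listed: if the operator's own public key is not also included in each secret's `publicKeys`, editing a secret from a workstation will require the host's private key, so consider adding that key next to `systems` now rather than when the first secret is created. If I recall correctly the agenix CLI reads this rules file from `./secrets.nix` by default (overridable with the `RULES` environment variable), so it has to be invoked from the `secrets/` directory — a one-line comment recording that would save the next person a failed run.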