init agenix
vi did:web:vt3e.cat
Tue, 05 May 2026 23:20:48 +0100
14 files changed,
156 insertions(+),
11 deletions(-)
M
flake.lock
→
flake.lock
@@ -1,5 +1,48 @@
{ "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", + "owner": "ryantm", + "repo": "agenix", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [@@ -41,6 +84,27 @@ },
"home-manager": { "inputs": { "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ "nixpkgs" ] },@@ -136,6 +200,22 @@ }
}, "nixpkgs": { "locked": { + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { "lastModified": 1777578337, "narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=", "owner": "NixOS",@@ -150,7 +230,7 @@ "repo": "nixpkgs",
"type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1775888245, "narHash": "sha256-nwASzrRDD1JBEu/o8ekKYEXm/oJW6EMCzCRdrwcLe90=",@@ -168,10 +248,11 @@ }
}, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "ironbar": "ironbar", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "tranquil": "tranquil" } },@@ -192,9 +273,24 @@ "repo": "rust-analyzer",
"type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tranquil": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1777753977,
M
flake.nix
→
flake.nix
@@ -3,6 +3,7 @@ inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; tranquil.url = "git+https://tangled.org/tranquil.farm/tranquil-pds.git"; + agenix.url = "github:ryantm/agenix"; home-manager = { url = "github:nix-community/home-manager";@@ -37,6 +38,7 @@
modules = [ ./hosts/common ./hosts/${hostname} + inputs.agenix.nixosModules.default ]; }; in
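Review bot: The new `agenix.url = "github:ryantm/agenix";` input brings its own `nixpkgs`, `home-manager` and `darwin` inputs along, and the lockfile in this commit shows the result: agenix's nixpkgs is pinned to `nixos-25.05` as a separate node while the root nixpkgs becomes `nixpkgs_2`, so two nixpkgs trees are fetched and evaluated. Adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `agenix.inputs.home-manager.follows = "home-manager";` next to the url line collapses those duplicates, and `agenix.inputs.darwin.follows = "";` drops the nix-darwin input entirely if no Darwin host is configured here (agenix documents that pattern, if I recall correctly). The `home-manager = { ... }` block that follows in the hunk likely already does this for itself; the rest of the `inputs` set is outside the hunk.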
M
hosts/common/default.nix
→
hosts/common/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }: +{ inputs, pkgs, ... }: { imports = [ ./users.nix@@ -46,6 +46,8 @@ };
}; environment.systemPackages = with pkgs; [ + inputs.agenix.packages.${stdenv.hostPlatform.system}.default + # dev tools htop vim
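Review bot: The agenix CLI is added to `environment.systemPackages` in the common module, so it lands on every host, including the server ivy, where only the host's SSH key is needed for decryption at activation and the CLI itself is never run. Unless secrets are edited from every machine, the line belongs in the workstation host's package list; if it stays here, a comment such as `# agenix CLI: only used for editing/rekeying secrets` makes the intent clear. The enclosing `environment.systemPackages` list continues past the hunk.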
M
hosts/common/users.nix
→
hosts/common/users.nix
@@ -1,11 +1,14 @@
-{ pkgs, ... }: +{ pkgs, config, ... }: { + age.secrets.apr-password.file = ../../secrets/apr-password.age; + age.secrets.root-password.file = ../../secrets/root-password.age; + users = { mutableUsers = false; users = { apr = { - initialPassword = "pass"; + hashedPasswordFile = config.age.secrets.apr-password.path; isNormalUser = true; extraGroups = [ "wheel"@@ -22,7 +25,7 @@
shell = pkgs.fish; }; root = { - initialPassword = "pass"; + hashedPasswordFile = config.age.secrets.root-password.path; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDXt8vkpi9jOp9dCjoS8u0dC4fDdgb73w8z7VNI42FB did:web:vt3e.cat" ];
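Review bot: `hashedPasswordFile` expects a password hash, not a plaintext password, and nothing in the two new `age.secrets.*-password.file` declarations says which the encrypted files contain; with `mutableUsers = false` a wrongly formatted file means no password login for `apr` or `root` after the next rebuild. A one-line comment next to the declarations avoids that mistake for the next editor, e.g. `# both .age files hold a password *hash* (the output of mkpasswd), never the plaintext`. The `root` block and its `openssh.authorizedKeys.keys` list continue outside the hunk.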
M
hosts/ivy/default.nix
→
hosts/ivy/default.nix
@@ -11,6 +11,10 @@
inputs.tranquil.nixosModules.tranquil-pds ]; + age.secrets.ivy-vaultwarden.file = ../../secrets/ivy/vaultwarden.age; + age.secrets.ivy-immich.file = ../../secrets/ivy/immich.age; + age.secrets.ivy-tranquil.file = ../../secrets/ivy/tranquil.age; + nix.settings.trusted-users = [ "root" "@wheel"
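Review bot: The three `age.secrets.ivy-*` declarations rely on agenix's default owner and mode (root, 0400) without saying so; that is fine where the consuming service reads the path through systemd's `EnvironmentFile`, which runs as root, but whether `services.tranquil-pds.environmentFiles` is consumed that way is not visible here, so confirm it or set `owner`/`group` explicitly for that secret. Declaring each secret in the service file that uses it (vaultwarden.nix, immich.nix, tranquil.nix) would keep the `file`/`path` pair in one place; if they stay here, a comment such as `# decrypted by agenix at activation, root-only; consumed in services/*.nix` helps the reader. The module's argument set and the rest of its body are outside the hunk.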
M
hosts/ivy/services/at/tranquil.nix
→
hosts/ivy/services/at/tranquil.nix
@@ -6,7 +6,7 @@ {
services.tranquil-pds = { enable = true; - environmentFiles = [ "/var/secrets/tranquil" ]; + environmentFiles = [ config.age.secrets.ivy-tranquil.path ]; database.createLocally = true; settings = {
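Review bot: `config` is used on the new `environmentFiles` line, but the module's argument set is outside the hunk, and this same commit had to change `hosts/common/users.nix` from `{ pkgs, ... }:` to `{ pkgs, config, ... }:` for the same reason, so verify that this file, hosts/ivy/services/immich.nix and hosts/ivy/services/vaultwarden.nix (which make the same substitution) each already bind `config`, otherwise evaluation fails with an undefined variable. Separately, the old plaintext files under `/var/secrets/` on ivy are no longer referenced after this change but nothing removes them; once the agenix paths are confirmed working, delete them so an unencrypted copy of each secret does not remain on disk.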
M
hosts/ivy/services/immich.nix
→
hosts/ivy/services/immich.nix
@@ -5,7 +5,7 @@ in
{ services.immich = { enable = true; - secretsFile = "/var/secrets/immich"; + secretsFile = config.age.secrets.ivy-immich.path; port = PORT; settings = { server = {
M
hosts/ivy/services/vaultwarden.nix
→
hosts/ivy/services/vaultwarden.nix
@@ -6,7 +6,7 @@ {
services.vaultwarden = { enable = true; backupDir = "/var/backups/vaultwarden"; - environmentFile = "/var/secrets/vaultwarden"; + environmentFile = config.age.secrets.ivy-vaultwarden.path; config = { DOMAIN = "https://vaultwarden.vt3e.cat"; SIGNUPS_ALLOWED = false;
A
secrets/ivy/immich.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1 +-> ssh-ed25519 heiLsg agzxtdQbyc3t6XCAH1cMa9spstRDO97K0cCLpNnHnxU +88wPAfCucIkXdnm+3nOOVYLKJHiNTC6jUGNGcRs//mI +-> ssh-ed25519 B+fK1Q xkD4+HePvfFgWUOxDNV6SVoDRl3zI3vEk/yMBo/WMQ0 +wFe3/81Pc6WYcCgfltyXgLTdeWSAs7AyAxYK1U6z/Ik +-> ssh-ed25519 3AUUoQ UQ/oKjfSU8VvltLvtBxlcmjl+TCQf19fDFRdtxGwoBU ++cyo8HM88Sc5O4dahVxbKm7WcHYc+t+yG6HCNph0ktU +--- esYPCLqBQ0Q51T2O31xHbzkvFXhyPgkV4GvHUfNiavw +{79TN&Eʽr<uTHt."~
A
secrets/ivy/vaultwarden.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1 +-> ssh-ed25519 heiLsg K0Id/m3OIwN/VA6HxsVXkjbDyKa9KMG9gMVnfDHmFSs +klf2wPcyxvewRNy4mNDzqDa8jlJbtOANbMyvwHwkJwQ +-> ssh-ed25519 B+fK1Q jrR8Lc/ha4wcqCU0R8S29ksqodEE2VWYMN9XmvBknx8 +Z3e4UzunBbu85Llyy9amtGusW5Wh24cuR67KSPJL2Sg +-> ssh-ed25519 3AUUoQ hwNa9j5bQNmWbOiZdMhkXG9H6xlBc+5pFA43yEsVyjA +umFQiA2/SQNP/ba/7YSh55qJpx6AXFTeReYP6TO9pDs +--- kDdYozJX4D/+xh7N9DqhnAEg4Azz1ER+akRg0ITUITg +WX%@ :kk(8 +:AZV C2FmJyj뗕gҵ +%w<!D5s408c"A~AEy%2^e2l#Ts"&qޖe3zD[8٤JFʕ|
A
secrets/secrets.nix
@@ -0,0 +1,18 @@
+let + apr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDXt8vkpi9jOp9dCjoS8u0dC4fDdgb73w8z7VNI42FB did:web:vt3e.cat"; + dahlia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExiHUu1zgFbdfkCiyh3YzMbr632447OC1njO9HMI9MO root@dahlia"; + ivy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3z4dGVshqysYW9atQFn8H5EPIcQlnck8ciuXgjWnAV root@nixos"; + + meow1 = [ + apr + dahlia + ivy + ]; +in +{ + "apr-password.age".publicKeys = meow1; + "root-password.age".publicKeys = meow1; + "ivy/vaultwarden.age".publicKeys = meow1; + "ivy/immich.age".publicKeys = meow1; + "ivy/tranquil.age".publicKeys = meow1; +}
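Review bot: Every secret is encrypted to the single `meow1` list, so each host key can decrypt every other host's secrets: dahlia's key can open ivy's vaultwarden, immich and tranquil secrets although nothing on dahlia uses them, and a compromise of either host exposes both. Recipient lists should follow consumption: the shared user password hashes go to every host that imports `hosts/common` plus the admin key, the `ivy/*` secrets to ivy plus the admin key only (I am assuming dahlia is the second host; the `root@dahlia`/`root@nixos` key comments suggest so, and relabelling ivy's key comment from `root@nixos` to `root@ivy` would remove the ambiguity). The admin key stays on all of them so re-keying from the workstation keeps working.

```nix
let
  apr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDXt8vkpi9jOp9dCjoS8u0dC4fDdgb73w8z7VNI42FB did:web:vt3e.cat";
  dahlia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExiHUu1zgFbdfkCiyh3YzMbr632447OC1njO9HMI9MO root@dahlia";
  ivy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3z4dGVshqysYW9atQFn8H5EPIcQlnck8ciuXgjWnAV root@nixos";

  # the admin key is a recipient of everything so secrets can be edited/rekeyed from the workstation
  admins = [ apr ];
  # secrets declared in hosts/common are needed by every host
  allHosts = admins ++ [ dahlia ivy ];
  # secrets under ivy/ are consumed only on ivy
  ivyOnly = admins ++ [ ivy ];
in
{
  "apr-password.age".publicKeys = allHosts;
  "root-password.age".publicKeys = allHosts;
  "ivy/vaultwarden.age".publicKeys = ivyOnly;
  "ivy/immich.age".publicKeys = ivyOnly;
  "ivy/tranquil.age".publicKeys = ivyOnly;
}
```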