From e6a497383d1be91662971b37714ce9214b1ed759 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 26 Jan 2018 11:54:50 +0100 Subject: [PATCH] use git-encrypt for secrets --- .gitattributes | 1 + .../common/passwords.crypt.nix | Bin 0 -> 407 bytes nixos-configuration/common/user/root.nix | 5 ++- nixos-configuration/steveej-laptop/user.nix | 41 +++++++++++++----- .../steveej-laptop2/configuration.nix | 8 +++- .../steveej-utilitepro/configuration.nix | 7 ++- 6 files changed, 45 insertions(+), 17 deletions(-) create mode 100644 .gitattributes create mode 100644 nixos-configuration/common/passwords.crypt.nix diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..6c24a32 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.crypt.* filter=git-crypt diff=git-crypt diff --git a/nixos-configuration/common/passwords.crypt.nix b/nixos-configuration/common/passwords.crypt.nix new file mode 100644 index 0000000000000000000000000000000000000000..de6680875c98b85f04ec37d53b2f98a2275791db GIT binary patch literal 407 zcmZQ@_Y83kiVO&05Yd;mp8K?G0o#%P`$Es`n_d$0sQ3Gq*Wa73c~?l4Et@oRg~&X) zzwN94>ePj$Tz7l7@Z&XxH)`we76tNMzt`bz$+609+Ci?3W)sq1@I*0P)0mT;*|1^J zKr2FCF_szZHqOQ!!YCWZ%cc0nrrf9C1%0uS(=S$Dc>3<{_ zvUTR7B>4bFjw!KbOb0udMby}oSSlJa8NMDpHtE#e%t^oB&D<-LS##zayPU~H{@$6s zo38MG2~Ol$ZaZ-q|CA}sywAAV4jH|W>P+N3dP%Wa@$p{IMKy;X-~HgRq~yjv6aH-L zK#83lC%l&&yc#N!^VLByf8OVvcdqKpOk-x*)t_{Fk9J*byx(excJW`8m*$n01=Qze zF}E7+cP{^9x>e57?5;`V{T++l;|k8q{xkLK54XP6{~4H1XYbzscX9tYp^rz_J>PKF zOnQcu>?7u^>8CV0J4+bfH~#89a-DJN>z@Ak?kZol-2QesXb!I#hvX+?e}g<{9 literal 0 HcmV?d00001 diff --git a/nixos-configuration/common/user/root.nix b/nixos-configuration/common/user/root.nix index b05133a..f8d03de 100644 --- a/nixos-configuration/common/user/root.nix +++ b/nixos-configuration/common/user/root.nix 
@@ -3,11 +3,14 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
+let
+ passwords = import ../passwords.crypt.nix;
+in
 {
 users.mutableUsers = false;
 users.extraUsers.root = {
- hashedPassword = "removed";
+ hashedPassword = passwords.users.root;
 openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
 };
 }
diff --git a/nixos-configuration/steveej-laptop/user.nix b/nixos-configuration/steveej-laptop/user.nix
index 5b58864..9cab86b 100644
--- a/nixos-configuration/steveej-laptop/user.nix
+++ b/nixos-configuration/steveej-laptop/user.nix
@@ -1,16 +1,14 @@
+{ config
+, pkgs
+, ... }:
-{ config, pkgs, ... }:
-{
- imports =
- [
- ../common/user/root.nix
- ];
-
- users.extraUsers.steveej = {
- uid = 1000;
+let
+ passwords = import ../common/passwords.crypt.nix;
+ mkUser = {uid, hashedPassword, ... } @ args: args // {
+ inherit uid hashedPassword;
 isNormalUser = true;
- home = "/home/steveej";
 extraGroups = [
+ "docker"
 "wheel"
 "libvirtd"
 "networkmanager"
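Review bot: `hashedPassword = passwords.users.root;` keeps the hash out of the git history, but NixOS still copies `hashedPassword` values into the generated users/groups specification in the Nix store, which is world-readable on the deployed host, so git-crypt does not hide the hashes from local users of that machine. If the NixOS release in use offers the per-user `passwordFile` option, pointing it at a root-only file kept outside the store avoids that; otherwise a comment next to the import such as `# hash still lands in /nix/store on the target host; git-crypt only protects the repo` keeps the limitation visible. The same applies to the `hashedPassword` lines in steveej-laptop/user.nix, steveej-laptop2/configuration.nix and steveej-utilitepro/configuration.nix. On a checkout where git-crypt is locked, `import ../passwords.crypt.nix` should fail at evaluation time rather than yield an empty password, which is the safe direction.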
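Review bot: In `mkUser = {uid, hashedPassword, ... } @ args: args // { ... }` the attribute set on the right of `//` wins, so anything a caller passes besides `uid` and `hashedPassword` — a per-user `extraGroups`, or `isNormalUser = false` — is silently overwritten by the helper's values, and `inherit uid hashedPassword;` is redundant because `args` already carries both. If these are meant as overridable defaults, write `mkUser = { uid, hashedPassword, ... } @ args: { isNormalUser = true; extraGroups = [ … ]; } // args;`. This matters because `"docker"` is hard-coded into the shared group list next to `"wheel"` and `"libvirtd"`, and docker-group membership is root-equivalent on the host, so every account built with mkUser receives it whether it needs it or not. The mkUser definition continues past this hunk; its closing `};` appears in the next one.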
@@ -19,9 +17,28 @@
 "input"
 "audio"
 "video"
+ "cdrom"
 ];
- hashedPassword = "removed";
- shell = pkgs.zsh;
+ };
+
+in
+{
+ users.mutableUsers = false;
+ users.defaultUserShell = pkgs.zsh;
+
+ users.extraUsers.root = {
+ hashedPassword = passwords.users.root;
+ openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
+ };
+
+ users.extraUsers.steveej = mkUser {
+ uid = 1000;
+ hashedPassword = passwords.users.steveej;
+ };
+
+ users.extraUsers.steveej2 = mkUser {
+ uid = 1001;
+ hashedPassword = passwords.users.steveej2;
 };
 security.pam.enableU2F = true;
diff --git a/nixos-configuration/steveej-laptop2/configuration.nix b/nixos-configuration/steveej-laptop2/configuration.nix
index 8f56965..281d497 100644
--- a/nixos-configuration/steveej-laptop2/configuration.nix
+++ b/nixos-configuration/steveej-laptop2/configuration.nix
@@ -4,6 +4,10 @@
 { config, pkgs, ... }:
+let
+ passwords = import ../common/passwords.crypt.nix;
+
+in
 {
 nixpkgs.config.allowUnfree = true;
@@ -121,7 +125,7 @@
 users.mutableUsers = false;
 users.extraUsers.root = {
- hashedPassword = "removed";
+ hashedPassword = passwords.users.root;
 openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
 };
 users.extraUsers.steveej = {
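Review bot: The new `users.extraUsers.root = { ... }` block re-declares root's `hashedPassword` lookup and authorized key verbatim in place of the `imports = [ ../common/user/root.nix ];` this commit removes from the same file, even though common/user/root.nix is updated in this very patch to read `passwords.users.root`; the key and the secret reference now have to be kept in sync across four files. Unless the import was dropped on purpose, restoring `imports = [ ../common/user/root.nix ];` and deleting the duplicated root block keeps a single source of truth for root's credentials. `users.mutableUsers = false;` is likewise now set both here and in the common file, which is harmless but adds to the duplication.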
@@ -129,7 +133,7 @@
 isNormalUser = true;
 home = "/home/steveej";
 extraGroups = [ "wheel" "libvirtd" "networkmanager" "vboxusers" ];
- hashedPassword = "removed";
+ hashedPassword = passwords.users.steveej;
 };
 services.gpm.enable = true;
diff --git a/nixos-configuration/steveej-utilitepro/configuration.nix b/nixos-configuration/steveej-utilitepro/configuration.nix
index 07da317..721d3c6 100644
--- a/nixos-configuration/steveej-utilitepro/configuration.nix
+++ b/nixos-configuration/steveej-utilitepro/configuration.nix
@@ -4,6 +4,9 @@
 { config, pkgs, ... }:
+let
+ passwords = import ../common/passwords.crypt.nix;
+in
 {
 # The NixOS release to be compatible with for stateful data such as databases.
 system.stateVersion = "16.03";
@@ -259,7 +262,7 @@
 users.mutableUsers = false;
 users.extraUsers.root = {
- hashedPassword = "removed";
+ hashedPassword = passwords.users.root;
 openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
 };
 users.extraUsers.steveej = {
@@ -267,7 +270,7 @@
 isNormalUser = true;
 home = "/home/steveej";
 extraGroups = [ "wheel" "libvirtd" ];
- hashedPassword = "removed";
+ hashedPassword = passwords.users.steveej;
 openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
 };