
commit 0244fa5b71557c21a4cc17a2ea1a42556ff4a25d
parent 8783b5fc80919f12c8a49269237626c41a37bd81
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 13 Feb 2022 14:10:28 +0100

secrets/secrets: add buildtime secrets and helper-script for decryption/encryption
3 files changed, 85 insertions(+), 0 deletions(-)
M
configurations/common.nix
|
1
+
A
secrets/default.nix.age
|
46
++++++++++++++++++++++++++++++++++++++++++++++
A
secrets/secrets
|
38
++++++++++++++++++++++++++++++++++++++
diff --git a/configurations/common.nix b/configurations/common.nix
@@ -71,6 +71,7 @@
   environment.systemPackages = with pkgs; [
     alacritty.terminfo
     (pkgs.callPackage <agenix/pkgs/agenix.nix> {})
+    age
  ];
 
   users.users = {
diff --git a/secrets/default.nix.age b/secrets/default.nix.age
@@ -0,0 +1,46 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets b/secrets/secrets
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -eo pipefail
+cd "$(dirname "$0")"
+
+tempfile=$(mktemp)
+
+trap "rm -f $tempfile" SIGINT SIGTERM ERR EXIT
+
+touch $tempfile
+chmod 600 $tempfile
+
+echo "$(pass agenix-privkey)" > $tempfile
+
+case $1 in
+  "-e")
+    if [ -f 'default.nix' ]; then
+      age -i $tempfile --encrypt --armor --output default.nix.age default.nix
+    else
+      echo "There is no 'default.nix file!'"
+      exit 1
+    fi
+  ;;
+
+  "-d")
+    age -i $tempfile --decrypt --output default.nix default.nix.age
+  ;;
+
+  "")
+    echo "No option given!"
+    exit 1
+  ;;
+
+  *)
+    echo "Unknown option: $1"
+    exit 1
+  ;;
+
+esac
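Review bot: The agenix private key is fetched from `pass` and written to the temp file at the top of the script, before `$1` is checked, so even the "No option given!" and "Unknown option" paths put the key on disk; the `case` validation should run before the key is materialised. `echo "$(pass agenix-privkey)" > $tempfile` also hides a failing `pass` from `set -e`, because only the exit status of `echo` counts, and leaves an empty identity file; `pass agenix-privkey > "$tempfile"` fails at the right place. The trap string is expanded when the trap is set and `$tempfile` is unquoted throughout, so `trap 'rm -f "$tempfile"' SIGINT SIGTERM ERR EXIT` is safer, and the `touch`/`chmod 600` lines are redundant since mktemp already creates the file owner-only. The decrypted `default.nix` is created under the process umask next to the tracked files, so a `umask 077` near the top and an ignore rule for it (if none exists outside this diff) would be worth adding.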