From b54be3998fa2c35436c32f85a1d7d0e0ce079208 Mon Sep 17 00:00:00 2001 
From: Infinidoge Date: Tue, 18 Feb 2025 21:47:38 -0500 Subject: [PATCH] flake: migrate to agenix-rekey --- flake.lock | 33 +++++++ flake.nix | 24 ++++- hosts/Infini-DESKTOP/default.nix | 2 + hosts/Infini-DL360/default.nix | 4 + hosts/Infini-DL360/forgejo.nix | 2 +- hosts/Infini-DL360/secrets/authentik-ldap.age | 11 +++ hosts/Infini-DL360/secrets/authentik.age | 10 +++ hosts/Infini-DL360/secrets/default.nix | 17 ++++ hosts/Infini-DL360/secrets/freshrss.age | 11 +++ hosts/Infini-DL360/secrets/hedgedoc.age | Bin 0 -> 553 bytes hosts/Infini-DL360/secrets/hydra.age | 9 ++ hosts/Infini-DL360/secrets/ovpn.age | 10 +++ hosts/Infini-DL360/secrets/radicale-ldap.age | 10 +++ hosts/Infini-DL360/secrets/searx.age | Bin 0 -> 449 bytes hosts/Infini-DL360/secrets/vaultwarden.age | Bin 0 -> 625 bytes hosts/Infini-FRAMEWORK/default.nix | 2 + hosts/Infini-OPTIPLEX/default.nix | 2 + hosts/Infini-RASPBERRY/default.nix | 3 + hosts/Infini-SD/default.nix | 2 + hosts/Infini-SERVER/default.nix | 2 + hosts/hermes/default.nix | 2 + hosts/hestia/default.nix | 2 + hosts/iris/default.nix | 4 +- lib/default.nix | 1 + lib/secrets.nix | 13 +++ modules/global/general.nix | 2 +- modules/global/packages.nix | 1 - modules/global/security.nix | 2 +- secrets/binary-cache-private-key.age | Bin 3064 -> 502 bytes secrets/binary-cache-public-key | 1 - secrets/borg-password.age | 63 ++------------ secrets/borg-ssh-key.age | Bin 3381 -> 856 bytes secrets/default.nix | 82 +++--------------- secrets/dns-cloudflare.age | 10 +++ secrets/{ => old}/authentik-ldap.age | 0 secrets/{ => old}/authentik.age | Bin secrets/old/binary-cache-private-key.age | Bin 0 -> 3064 bytes secrets/old/borg-password.age | 56 ++++++++++++ secrets/old/borg-ssh-key.age | Bin 0 -> 3381 bytes secrets/{ => old}/cloudflare.age | 0 secrets/{ => old}/freshrss.age | 0 secrets/{ => old}/hedgedoc.age | Bin secrets/{ => old}/hydra.age | 0 secrets/{ => old}/infinidoge-password.age | 0 secrets/{ => old}/ovpn.age | 0 secrets/{ => 
old}/personal-smtp-password.age | 0 secrets/{ => old}/radicale-ldap.age | Bin secrets/{ => old}/root-password.age | 0 secrets/{ => old}/searx.age | 0 secrets/{ => old}/smtp-password.age | 0 secrets/{ => old}/vaultwarden.age | Bin secrets/secrets.nix | 52 ----------- secrets/smtp-noreply.age | Bin 0 -> 509 bytes shell.nix | 5 +- users/infinidoge/default.nix | 16 +++- users/infinidoge/keys/backup_age.pub | 7 ++ users/infinidoge/keys/primary_age.pub | 7 ++ users/infinidoge/password.age | Bin 0 -> 493 bytes users/infinidoge/smtp-personal.age | Bin 0 -> 488 bytes users/root/default.nix | 5 +- users/root/password.age | 11 +++ 61 files changed, 306 insertions(+), 190 deletions(-) create mode 100644 hosts/Infini-DL360/secrets/authentik-ldap.age create mode 100644 hosts/Infini-DL360/secrets/authentik.age create mode 100644 hosts/Infini-DL360/secrets/default.nix create mode 100644 hosts/Infini-DL360/secrets/freshrss.age create mode 100644 hosts/Infini-DL360/secrets/hedgedoc.age create mode 100644 hosts/Infini-DL360/secrets/hydra.age create mode 100644 hosts/Infini-DL360/secrets/ovpn.age create mode 100644 hosts/Infini-DL360/secrets/radicale-ldap.age create mode 100644 hosts/Infini-DL360/secrets/searx.age create mode 100644 hosts/Infini-DL360/secrets/vaultwarden.age create mode 100644 lib/secrets.nix delete mode 100644 secrets/binary-cache-public-key create mode 100644 secrets/dns-cloudflare.age rename secrets/{ => old}/authentik-ldap.age (100%) rename secrets/{ => old}/authentik.age (100%) create mode 100644 secrets/old/binary-cache-private-key.age create mode 100644 secrets/old/borg-password.age create mode 100644 secrets/old/borg-ssh-key.age rename secrets/{ => old}/cloudflare.age (100%) rename secrets/{ => old}/freshrss.age (100%) rename secrets/{ => old}/hedgedoc.age (100%) rename secrets/{ => old}/hydra.age (100%) rename secrets/{ => old}/infinidoge-password.age (100%) rename secrets/{ => old}/ovpn.age (100%) rename secrets/{ => old}/personal-smtp-password.age (100%) 
rename secrets/{ => old}/radicale-ldap.age (100%) rename secrets/{ => old}/root-password.age (100%) rename secrets/{ => old}/searx.age (100%) rename secrets/{ => old}/smtp-password.age (100%) rename secrets/{ => old}/vaultwarden.age (100%) delete mode 100644 secrets/secrets.nix create mode 100644 secrets/smtp-noreply.age create mode 100644 users/infinidoge/keys/backup_age.pub create mode 100644 users/infinidoge/keys/primary_age.pub create mode 100644 users/infinidoge/password.age create mode 100644 users/infinidoge/smtp-personal.age create mode 100644 users/root/password.age diff --git a/flake.lock b/flake.lock index 02d2d91..2d9724a 100644 --- a/flake.lock +++ b/flake.lock @@ -29,6 +29,38 @@ "type": "github" } }, + "agenix-rekey": { + "inputs": { + "devshell": [ + "devshell" + ], + "flake-parts": [ + "flake-parts" + ], + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks": [ + "git-hooks" + ], + "treefmt-nix": [ + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1739816852, + "narHash": "sha256-QG8aA6hWsi6pqaidaz5a5SL+dM1mT9LMWMrmc1hrOrU=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "5f56d711ffe2aca62cfeeada9ec56692a13b9061", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, "authentik-nix": { "inputs": { "authentik-src": "authentik-src", @@ -954,6 +986,7 @@ "root": { "inputs": { "agenix": "agenix", + "agenix-rekey": "agenix-rekey", "authentik-nix": "authentik-nix", "blank": "blank", "conduwuit": "conduwuit", diff --git a/flake.nix b/flake.nix index dd1e558..d676c13 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,7 @@ ### Nix Libraries agenix.url = "github:ryantm/agenix"; + agenix-rekey.url = "github:oddlama/agenix-rekey"; devshell.url = "github:numtide/devshell"; disko.url = "github:nix-community/disko/latest"; flake-parts.url = "github:hercules-ci/flake-parts"; 
@@ -78,6 +79,11 @@ systems.url = "github:nix-systems/default"; ## Follow common + agenix-rekey.inputs.devshell.follows = "devshell"; + agenix-rekey.inputs.flake-parts.follows = "flake-parts"; + agenix-rekey.inputs.nixpkgs.follows = "nixpkgs"; + agenix-rekey.inputs.pre-commit-hooks.follows = "git-hooks"; + agenix-rekey.inputs.treefmt-nix.follows = "treefmt-nix"; agenix.inputs.darwin.follows = "blank"; agenix.inputs.home-manager.follows = "home-manager"; agenix.inputs.nixpkgs.follows = "nixpkgs"; @@ -222,13 +228,28 @@ ] ++ (self.lib.leaves ./users/modules); }; } + ( + { config, pkgs, ... }: + { + age.rekey = { + storageMode = "local"; + generatedSecretsDir = ./secrets/generated; + localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}"; + agePlugins = with pkgs; [ + age-plugin-fido2-hmac + age-plugin-yubikey + ]; + }; + } + ) # --- Universe Modules --- ./secrets private.nixosModules.secrets # --- Library Modules --- - inputs.agenix.nixosModules.age + inputs.agenix.nixosModules.default + inputs.agenix-rekey.nixosModules.default inputs.disko.nixosModules.disko inputs.home-manager.nixosModules.home-manager inputs.impermanence.nixosModules.impermanence @@ -273,6 +294,7 @@ ./pkgs ./shell.nix ./templates + inputs.agenix-rekey.flakeModule inputs.devshell.flakeModule inputs.treefmt-nix.flakeModule ]; diff --git a/hosts/Infini-DESKTOP/default.nix b/hosts/Infini-DESKTOP/default.nix index f82a1e3..58d06a4 100644 --- a/hosts/Infini-DESKTOP/default.nix +++ b/hosts/Infini-DESKTOP/default.nix @@ -14,6 +14,8 @@ info.loc.home = true; + age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7uX1myj9ghv7wMoL038oGDCdScdyLd7RvYdnoioSBh root@Infini-DESKTOP"; + persist = { directories = [ "/srv" diff --git a/hosts/Infini-DL360/default.nix b/hosts/Infini-DL360/default.nix index 11c5439..bc6dd7b 100644 --- a/hosts/Infini-DL360/default.nix +++ b/hosts/Infini-DL360/default.nix 
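Review bot: The inline `age.rekey` module in the third hunk (`@@ -222,13 +228,28 @@`) carries no comment on what `storageMode = "local"` commits the repository to: as I understand agenix-rekey's local mode, the per-host ciphertexts under `secrets/rekeyed/<hostName>` are written into the tree by the rekey app and have to be regenerated and committed whenever a `hostPubkey` or a master secret changes, otherwise activation on that host has nothing to decrypt. A line such as `# local storage: the rekeyed per-host copies live in-tree and must be re-generated and committed after every hostPubkey/secret change` above `age.rekey = {` would spare the next maintainer a failed deploy. The `agePlugins` list here duplicates the two plugins added to `devshell.packages` in shell.nix; if both lists must match, a single shared definition would keep them from drifting.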
@@ -10,6 +10,8 @@ ./hardware-configuration.nix ./disks.nix + ./secrets + ./web.nix private.nixosModules.minecraft-servers @@ -37,6 +39,8 @@ info.loc.purdue = true; + age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360"; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.addEmulatedSystemsToNixSandbox = true; diff --git a/hosts/Infini-DL360/forgejo.nix b/hosts/Infini-DL360/forgejo.nix index b0979e4..f900003 100644 --- a/hosts/Infini-DL360/forgejo.nix +++ b/hosts/Infini-DL360/forgejo.nix @@ -27,7 +27,7 @@ in lfs.enable = true; - secrets.mailer.PASSWD = secrets.smtp-password; + secrets.mailer.PASSWD = secrets.smtp-noreply; settings = { server = { ROOT_URL = "https://${domain}/"; diff --git a/hosts/Infini-DL360/secrets/authentik-ldap.age b/hosts/Infini-DL360/secrets/authentik-ldap.age new file mode 100644 index 0000000..03da50f --- /dev/null +++ b/hosts/Infini-DL360/secrets/authentik-ldap.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AmrcqFPgfqImIMZx45MXeqD5XP2MCpnIIXTjfVZXFOtv +IgBH5MFAJJ5vP82Jtvmr/NcaCK1F/qSWQHM1PbtKu5Q +-> piv-p256 5utyxg A80LKCGYw597lm0Oo8kBKLIWcwnOCjDr3FiyIDrAmkSZ +R9tdgHAfuVNs2nXD+ml7l/jjXvf0cD2b5wALOVzEH9o +-> BLl-grease d)6dWO5 2P +/fvI/IO/OJV/4sF+ENnj1AQx9fRf0cLMy90ASBvl9Cdwtdnrx4ly8ZOS57rSNSO1 +JJFsEd9M3lKRElvYsXADC0cOBsK5hg +--- BNRWm9qA1JnQ71Yf9vAeVa7B5qzUf00mjVHJeFCKjQQ +4r( &@ O ֛SA?,{ɚPD(m|`7 8mf2p; 9n}DUbć(u?A V(4"h֓R;,6?8 +ȉ \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/authentik.age b/hosts/Infini-DL360/secrets/authentik.age new file mode 100644 index 0000000..e2bd084 --- /dev/null +++ b/hosts/Infini-DL360/secrets/authentik.age 
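Review bot: The first hunk (`@@ -10,6 +10,8 @@`) adds `./web.nix` to the imports of hosts/Infini-DL360/default.nix, but no `hosts/Infini-DL360/web.nix` appears in this patch's file list, so either the file already exists and was simply never imported, or evaluation of this host will fail on a missing path; worth confirming before merging. If it pre-existed, importing it is unrelated to the rekey migration and reads more clearly as its own commit. The `./secrets` import, by contrast, pairs with the new hosts/Infini-DL360/secrets/default.nix in this patch.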
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AwjgvoXQnw3dGl+3NzZwbtobCzYQqSEwu3o68itzJXk3 +9J7aPKsJ/dZOoCKNGZWnxOH8a2TNX5D9hBStFgqDOH4 +-> piv-p256 5utyxg AyFGfXw60hWpTNvCXaVNTk0UN8WX8dEwIOMYkwtHLXJF +Zy5cd5saG4jfF5ZXkZ9TJpvscxfgDV2xGALY1yyY66w +-> m(-grease [FxH /SCRkN 2\> +HvqiMVBno3sBsl9eg4Lkr7F/f/dB8pxihcekBG0ntbQApRwxawj37/wjXKOYAX43 +OL4wHohhU91u+4eOv8E1K3OOpXy3aVn7WTjk/6ftA2oxLCy1QzQKpg +--- fpnPuiVpzrB09e3CvSUY/Y7tQyCc6v6FuRkml07bqD4 +D\LUxZ5Em}"&&&* TwV2pZYsştW;ZBO, Yů|mM$`t:ja}1)Yxt*IŜZC|-~quO]V^Ivk:R%ߊI'YXZ1iV=bɂI*Yeq \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/default.nix b/hosts/Infini-DL360/secrets/default.nix new file mode 100644 index 0000000..7310880 --- /dev/null +++ b/hosts/Infini-DL360/secrets/default.nix @@ -0,0 +1,17 @@ +{ lib, ... }: +let + inherit (lib.our.secrets) withGroup withOwnerGroup; +in +{ + age.secrets = { + authentik-ldap.rekeyFile = ./authentik-ldap.age; + authentik.rekeyFile = ./authentik.age; + freshrss = withOwnerGroup "freshrss" ./freshrss.age; + hedgedoc = withOwnerGroup "hedgedoc" ./hedgedoc.age; + hydra = withGroup "hydra" ./hydra.age; + ovpn.rekeyFile = ./ovpn.age; + radicale-ldap = withOwnerGroup "radicale" ./radicale-ldap.age; + searx.rekeyFile = ./searx.age; + vaultwarden.rekeyFile = ./vaultwarden.age; + }; +} diff --git a/hosts/Infini-DL360/secrets/freshrss.age b/hosts/Infini-DL360/secrets/freshrss.age new file mode 100644 index 0000000..abc5413 --- /dev/null +++ b/hosts/Infini-DL360/secrets/freshrss.age 
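Review bot: In the new hosts/Infini-DL360/secrets/default.nix, the entries written as `name.rekeyFile = ./name.age` (authentik-ldap, authentik, ovpn, searx, vaultwarden) set no owner, group or mode, so they fall back to agenix's defaults (root-owned, 0400) while freshrss/hedgedoc/hydra go through the `withOwnerGroup`/`withGroup` helpers; that is correct only if the consuming service reads those files as root (e.g. via systemd credentials), which the hunk does not show, so a short comment per bare entry such as `# read by root at activation; no owner needed` would make the choice deliberate rather than accidental. Mixing the two spellings in one attrset also invites inconsistency; `withOwner`/`withOwnerGroup` from lib/secrets.nix exist for exactly these cases. Separately, the plaintexts behind these files also remain in the repo encrypted to the previous ssh-ed25519 host recipients (the `secrets/old/` copies in the diffstat), so re-encrypting to the YubiKey identities does not by itself shrink the set of keys able to recover them; rotate the values or remove `secrets/old/` once the migration is verified.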
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q AzMC4XpUhKiVaI2xhQRTQoyV+RjMz5Aoj3gZsgc8PBK3 +CGLI4lL+4xWaMviHW7FofruIZVFES0H/WFSzsbXDjcY +-> piv-p256 5utyxg AieYOjyIS2APXJfkY/qJ0UmoIuHwO3oIH8MSHh5o2M37 +GCEG5cxBQ5k/3UGm76bNtsPsHzv5yGSJ7iEn3h3wops +-> -W-grease Gh{uU +RobG9ho0acfDe+0qEBmtRyejJy7E272b3vzuegQ2twAl2xTYinWOx286sVpRPc7W +vJNCu9BCDGlIFnQoP2R1gm2eQrI6InNOOh3Q/IZ736ieAhbDvJbm/3BWqRmRRylY +dfEg +--- 3XHaD7Zc6JTUxZl/ouKGxmCVvkbjLw2E+TDAf6PwLLo +u,MρHS3JkY5`5;mFfuh$a1Jr|HVRa5)b`YN(k}Ee z%m{KU4G)XTC@C@X&33HHHxD-`a?dVt_Xu>fEDsOOvnb2sGBY$W@Gy-u@Nx7HNem20 z^oS_7NHR#ys&EW8G)dFWc1$b}2?{KVEDz2{vCFiyq_QGi!7;bYJE z(lsWi$`3UiEesPYGQG!LVBc*l7hZ1muG5tPKB{~ zj%!kwvu9Rfewa%#m#(g^f=NVZu0cg$zLR;OS5;nBWJW@hN5AFEY!zp}e*O>VidU*#UsNu!-@CopnYF*ldTLQ% z#ezF)ZZmGZqOP~(#0L(B|0x?@X>WU>m(<`ii?gh^Z|C&;jfT#1zrF~ZUt3+XscU<@ zNUEsdX*Pk$2j+f!^)X0j%e-m6b>c6T80YQ_HBSndwt431vUTF0Ee_pU8p$Yn_xq>l oRR{jWv)Sl0?BBFuhGN(Az>O;}@9cb9&#^hW<#*1kH piv-p256 CT7K2Q Ai6/RXPumKBsTij/p4Yzze3wuc+lCeCjrficqXR6a+cX +gGZZ+9hfSefCPpgkEyxiGLBw6HeIRlihlHpRW0flyHs +-> piv-p256 5utyxg AmJA1H1XKyJf8SH9aGgJGwgBCsW5c0VbYOih82p73tS7 +MclhdvYabgDkKl+K+rFxiRvbLLudscVAENFacJraIvA +-> ^4f5%t8(-grease ? G +aNFXQBBqAcfPE5+Wpw +--- Rvpkl3gKIXx96JuQEJZYvKm/ZkXDMl/7TCDECeTBa+o +@nUej tHbu撻K̝(չr_lmDZ(6㚓hƘm;k `Ru:[x['*iij ysʶ~`wk}28 \ No newline at end of file diff --git a/hosts/Infini-DL360/secrets/ovpn.age b/hosts/Infini-DL360/secrets/ovpn.age new file mode 100644 index 0000000..546f54e --- /dev/null +++ b/hosts/Infini-DL360/secrets/ovpn.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q A0NnbNjIggIuH4ZTAs8YyN3zn3V6OAsKrC04WaTveFAD +fiS6e/cndp7XPg6N9FoFDYJVHzQA1R64QNWyDjrmVJs +-> piv-p256 5utyxg A1EojHMF4AIcObYpGSRE/8Z2gOmtf9l5d9ZV36RC9jHy +WbYaIRWeSUbeaZDqQK4rqOTXy0kWQsG3gbC4dWsUNa4 +-> LJP-grease ,) +qNMbqpxba5Q8KRzrglBoMGsTZdWFTc6wTIFeX74MIDVqE2yPVUVNXcCzM6U3b+/y +XqtVvPgkILD6 +--- 66jeuKk3OHoA9g4muxmythBRKRc/zq4937NDiLC0cM0 + l1a*:I҃%gUcbp r5,"Dn%H|ߐ \ No newline at end of file 
diff --git a/hosts/Infini-DL360/secrets/radicale-ldap.age b/hosts/Infini-DL360/secrets/radicale-ldap.age new file mode 100644 index 0000000..d78aa2c --- /dev/null +++ b/hosts/Infini-DL360/secrets/radicale-ldap.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> piv-p256 CT7K2Q ApL+8SFBLjq2WTsInFVio8n4RN/U7Cy1I2hvFxNBA2Vu +IUk5Vd0iqcqPVG8JKmEoTmPePeRpO/+e/mA2MWWatVI +-> piv-p256 5utyxg A2ndIHeH3WUg1D6Og35thBxlL8Oji+vc2Ru7B6aSZwMd +loQZbjmAoS1hhiRKkr6wgGmE9Olzstw4zfGCkd0IK7Y +-> AQvw>-grease `Pf +PpONBRKybtkIwA3qrv0X0WaHlHcTd3VeDNOF0MUu4M+qrO1bI71sDL1+sPz/Hm/2 +bkOFCT1xxYFwBQYaRrWY5/3qSKWi +--- zp9aNIrYy+Z55Fp+bQ4D0BhLkOAwx5gb5vH4+qkXJmY +ވ7=1uF`d b򑏩 dgNMq^bEhIO{:!FW܌jycDzk )cpݶd \ No newline at end of file 
diff --git a/hosts/Infini-DL360/secrets/searx.age b/hosts/Infini-DL360/secrets/searx.age new file mode 100644 index 0000000000000000000000000000000000000000..5ff279aa99a5479e981af6a4cafdb02d69f1eb98 GIT binary patch literal 449 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$a1Jr|HVRa5tPIMk(hsTf z%{TG!&5HCcERP6s*47WnaZS=U%u3F+^eamXsR%LBwg`3RGBofr4T(NP2KyQiXekWhj@3+kL4k>0Qd_ zoD!KCZoe{|@a>&y3cpQK>-?n#|L&cST-LTTqs4Hl=L-L+KWop{xakKOC2hN6mDRbc fn1kavzp2%SW~1l*(q6iH>*IpDkLsDaFfuh$a1Jr|HVRa5G%Gd@Om?fv z@lG!AC@3&2P4V~8&kb?%$o2HD%*qQZE-g3C%gAskOAK)3DoZysGPTUk3-e1(t+Gh+ z3d%4nGS0}(@G5aJ_DKuL^fmGV1 z%CsOrU)v}mGfX=<+@dlu*T`4j5oDKIzLi#lZhBE_VsWZMfmN=xf>)f0dxCwiLZo_) zj)H2gXAxI;xTR-NQgV5olUJx~qMuoEm1#hxk7G!Bse4(lQ?Or7IhU@ku7anTZ$`3@ zm%m@Gvs*=^Q-(#bqqA#KN=}qF%OTE2gjezK2iMT$X0KG)&SFYiiO*Xe$JWParY zkMr~E{k_d8+s}U&kx#xGk>s>jtWA;GC1Z-k)0){GOE>&;%YXc4=fNDE&4uwV=Qw06 zJknL3Hr>GI%gy)V&z;O=r>>XKoH-@e)kFOMYDIT3HMw8QEut#Ux!Z|7sji#0y+CC_ zPDM!YRq^#L&bfXcZ#-3yVKU_2XYG0L(0+4{x*47uTawSI{GZh|e`BvghjWmX{_Ds+ zOJ7_S`Mo5hH@)oYy4epH=G*^}Jin#$zz+9IzY@Qg@@!f0d$!ZhvNsynOD*eKo!03e zZ7Qz*;T`jJ?LHBA#n89Dsl{HaTxWFG^#%!i`fx`tX5aKDYxeFf*|f>M)9zPSeZhex + age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBanlhzmtBf5stg2yYdxqb9FzFZmum/rlWod/akWQI3c root@hestia"; + modules.hardware.form.server = true; modules.backups.enable = false; # hestia is a backup target boot.loader.timeout = 1; diff --git a/hosts/iris/default.nix b/hosts/iris/default.nix index 87cb452..0a3e051 100644 --- a/hosts/iris/default.nix +++ b/hosts/iris/default.nix @@ -1,13 +1,15 @@ { ... }: { imports = [ - ./hardware-configuration.nix + #./hardware-configuration.nix ./disks.nix ]; system.stateVersion = "25.05"; networking.hostId = "8ab8acd3"; # "iris00" in base64->hex + age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsdARqD3MibvnpcUxOZVtstIu9djk+umwFR5tzqKATH root@iris"; + modules.hardware.form.server = true; modules.backups.enable = false; # testing server boot.loader.timeout = 1; 
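Review bot: In the hosts/iris/default.nix hunk (`@@ -1,13 +1,15 @@`), commenting out `./hardware-configuration.nix` has nothing to do with the agenix-rekey migration and leaves the host without its hardware module; if that is intentional (the "testing server" comment suggests iris is not yet provisioned), say so inline, e.g. `#./hardware-configuration.nix # TODO: restore once iris is provisioned`, otherwise the import should be put back. As it stands a reader cannot tell a deliberate omission from a leftover debugging edit. The same line of SOURCE also carries the hestia hunk, whose header is not visible here, so it gets no note.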
diff --git a/lib/default.nix b/lib/default.nix index a13185c..55ace2d 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -126,6 +126,7 @@ lib.makeExtensible ( disko = import ./disko.nix { inherit lib; }; filesystems = import ./filesystems.nix { inherit lib self; }; + secrets = import ./secrets.nix; } // (import ./digga.nix { inherit lib; }) // (import ./hosts.nix { inherit lib; }) diff --git a/lib/secrets.nix b/lib/secrets.nix new file mode 100644 index 0000000..246254d --- /dev/null +++ b/lib/secrets.nix @@ -0,0 +1,13 @@ +{ + withOwnerGroup = name: rekeyFile: { + owner = name; + group = name; + mode = "440"; + inherit rekeyFile; + }; + withOwner = owner: rekeyFile: { inherit owner rekeyFile; }; + withGroup = group: rekeyFile: { + inherit group rekeyFile; + mode = "440"; + }; +} diff --git a/modules/global/general.nix b/modules/global/general.nix index 55b850e..f3035c1 100644 --- a/modules/global/general.nix +++ b/modules/global/general.nix @@ -57,7 +57,7 @@ accounts = rec { noreply = { user = outgoing; - passwordeval = "cat ${secrets.smtp-password}"; + passwordeval = "cat ${secrets.smtp-noreply}"; }; default = noreply // { from = withSubaddress "%U-%H"; diff --git a/modules/global/packages.nix b/modules/global/packages.nix index 7484612..80d3388 100644 --- a/modules/global/packages.nix +++ b/modules/global/packages.nix @@ -17,7 +17,6 @@ [ universe-cli - agenix bat cloc cryptsetup diff --git a/modules/global/security.nix b/modules/global/security.nix index d4461b1..fea807f 100644 --- a/modules/global/security.nix +++ b/modules/global/security.nix @@ -19,7 +19,7 @@ in defaults = { email = "infinidoge@inx.moe"; dnsProvider = "cloudflare"; - environmentFile = config.secrets.cloudflare; + environmentFile = config.secrets.dns-cloudflare; }; }; pki.certificateFiles = [ 
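Review bot: The new lib/secrets.nix has no comment describing what its three helpers return or how they differ, and the difference matters for file permissions: `withOwnerGroup` yields user+group `<name>` with mode `440`, `withGroup` keeps root as owner but grants group `<group>` read access with mode `440`, and `withOwner` only changes the owner and leaves the mode at agenix's default (0400). A header such as `# Helpers producing age.secrets.<name> fragments for agenix-rekey; each takes the master .age path as rekeyFile` plus a one-line comment per helper stating the resulting owner/group/mode would make the intended access model visible at the call sites. The literal `"440"` is also repeated twice; if a third helper is ever added, hoisting it into a `let` would keep the modes in one place.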
diff --git a/secrets/binary-cache-private-key.age b/secrets/binary-cache-private-key.age index bdf033d5de03d33f9835ac4f56d10bed96b1017a..aae97466e6b54359a145aff017a3bdc480267028 100644 GIT binary patch delta 487 zcmew%{*8HpWPL$qnQnoRshNUvh`F~>pn{{ZzNxc$q@ll`L8W1ivq?oonRk`8c2Q|^ zP-R(Zs)uP#frUYuXP`xyyD^uKn|Gmmeuk63S46IFda;XJx_*V5yOCv9g+Y2mQE+l) zMpT(&NtS7GVLq3xodVo0)6$a4igX3XOpp4a%m{bmaBcI_+;HQ9z+i9h@CeJoh|FBq zAWLr#Z++*eq8t~u+zOvkt}Gw-+=3|Wuw)}Q_h7fmGVRplVsB4(=VH^W%!*t?w~DAj zqo^WZKkwvpkY#q2HhP&3im|%sMX8C!sazJmp&^MDenyokPL`%FCMjtZ{_X{C_1dBS z1u0dPMaKFj89teLF4@MJX~vZ$#>H;NntZU{YaW4sS3(8E4C^GO2O7i#2bx(FFbwsx)g&Ovq{2MYEYC8?q|&{hyfisGG7#Oi zbWbn8Bu9m+a)ZheSHpbYz#La|pQvyTC#Q@Y{fyjP@6b$3pTJNfN7E8xZ}Wo8^lUC~ z7yZ<9m;B<~qAKI`bk|_Nq)_bu|IEt7$RvaEvM}SUs1)B)?aE-&N{o2R$nw#zELR9A z3il23)i(1BaLTnv&GR(0@X1I`PAl>V57rJhaY^UlN@iJ3hHr&sRB>)po^zP5K`~cIk%eE7nL&nUfuCVvl~HPh zuXCw~Ymt$+g-LdiMUZPwazsT|KtZ8FAx0_*H3>*fOIL7qGfFfIOv?_A%J3<1^^QzS z3~>7FD*!SPUp&YG1s@uN%Yh9EcVtn2`(z}_m0$d)3!)- z%JYv1%E0d11`r5pJbo3tdbmmr_6$2{|r~t(!5+_W2d5wupG;R@+u=Y zFW;Q9;H;!zU-Xc44>1ZZNmrfa^xzqbcymYa1IXC*S9oq53)>43w87M2{JWw_X#ieax8Q=$t|f&bv5wu z^+dNV-_f_SEM1|{!ZR~F-#9ca%fcYFD%;$kq{2DNCD1dZ%*`*t(LAC!SUaH9A}Uxv zyPPY)y)rAgG9;OUOt=KEf&CoeA$-l}qBc~v^DBHrV48yiCPmipK zbOqx|(-NOx$GnQrBK?rUYy%(n5c53kJP*sXw5-r4z7GrE_JvnUoc{IR_h+7*=@X zW;=(Jo2EJDg}Vl5hvk>&ggKT+dK6{kR#gP$WTV@bYwl%knXXV+lpPu5>m3@E6pFHsT?&??Ml^5dcshy`EVeakc7RpsnSXEvTW@#SclCN*%=^GeOnC)2^ zks6ujSK?lf?BZ8uoMON<@`jgjAsg3ZH|(-r)@TrAT)+!Ou$Onn?HQqu}Ey+VsK zB0NJ)QvHew@|+5S%S|jRd@X#OO}G+s%e|b9O2VSjvnxCb{T$89v)s+nEpkH&lM-{y z3iNX=a=rXr0-W-~i_!h&>YE>sTCQMNs9)$|;pLPWVOZi3nj2uIUyzxUWEhd`R^a89 zTI%NP5tUmS8c-f?5Xt3N<{6ygA7+weS(2Vrm||$CooMXr?U+{?Q0k?hR8$gDm7Qjo zmX+sWhEXbKRz(@R1u7IJItFT+hx-PmrMmf~h9yO6rv?}XJ4Y0_x<*BLqy)O<`K9Gp zMj4w#7;qJ4}o8%d~l_ymhMH!VxdZd(Qy9K9u`TLrCn)>?WJ3G1+VC3#9 zza$HnKn3$ize4ZyVhaO5LzmP-%hd41GDp+OH1o0)&vHwBZ@0*Ra`UJpUsETie6A?h z;xu1p6JyijOv{|mR1fo%u%cXpEK7sH6z{z9AdhSppNv2sbGQ5;j2z(ZWaJwas8D6# 
zS!(R>WE_y6oR*jpkyxBmZV~EeqMf3jmFb#iU|D6Flp5k!6j&AJ$dzd79Tiq$P*#+Z znVX(xW}1>1o>G;Qno?|LUJ_!OQREk4nw6Rs=pF-pEV*Maf zSFYP2p*Px(u^i&cORN#?auHcdr5@uHBX`bxjU92AxQBq*x zS7un0=BS^nZD8r0W#DXF;2ssFofPa^%;m1{>6@ZmZ0_b5;O&@H;G7zeQEpjWTIK7S zoEKb_U*P7E=NPJ=R$x?xkpqgn3xcWw6&x*{^4)#CJi|=Q4N}dW{WIL7TqAr!iVZ7* ziu03-O3e!W^MZoYbMkZ2xsq}`v`g}HT#NNhE&TP34Z@rPoh)67%nPebTnrLD+)^_f z)BO?)jC}nua)5=tOI2aHLUNKvj(Lb#gjxrZ}G z9Z=#`S(;w1;GCFZT;QMOTpD5Qmt;^JVrr0Qn&YV*o>^X6lHy_zRFds%;F(xjmg^kK zl@;!mn-}GgQf5$AT;-%)lx<;DVwn`0;}embWEq<6k!e)!ljvUX_LtQGvJhKeAJp7D`0}Hi- z3*2(U%gfC@Lqqa&ObT*cBg)JZ(~Pt|y|mLjic8WWlPin4baizVJS|+(GxV!0{c`hD zOnt*5vYiu?jf;Wv`n7aB ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU -5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI --> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU -PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls --> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M -pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs --> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc -j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE --> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E -4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw --> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ -l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA --> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ -olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE --> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ -1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk --> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA -UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg --> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA -3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps --> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY -d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk --> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE -7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w --> ssh-ed25519 VIHjXg 
XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A -8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg --> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko -o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE --> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE -p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4 --> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA -rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w --> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM -NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps --> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k -GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo --> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk -MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec --> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw -DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M --> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0 -I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU --> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ -IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc --> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k -SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I --> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI -WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE --> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q -+rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o --> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw -vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo ---- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE -3%"xR@(qOEL^S%#48mEe(J -AN>DE+&@8b5~l- M#8 2=vP 4|[}Oy \ No newline at end of file +-> piv-p256 CT7K2Q Atat1p1wMEaZVi0DxSmUYN3H79RO1XK26pmJFnrMUW+N +4IUFdkcSJnVthch8NgWV/mRsPqs5/NbxRgTP1DTq6Js +-> piv-p256 5utyxg AhOyUzfDfgFTgoSZ/Ram2/AKwXT0RoJ/g4cGvQoCHwMR +7W5e76JbGDvEiUwbJrOK2/9pSzEKUk+4LAtnJd6Au9A +-> A(v,}OT8-grease iv$<6^ +qJk7RvKMoJ/OCb1L15x8ur6Q5MxpDcXkwA +--- 
FrURRINPBWKnkfeCAsUecvz0nSlH8cUmpuxzgpUc9sA +wm 56#x&g@ nM2]-9``$86Eܐto0 zED>pn_v|gkO}2Yf4afPG+`&zHeH2n!86%p|**4 zadEz{OPNQOd0DQjwo##DNB~!GkXx9GaY%SsvRPP4c~WV*Q*e2ZwpV(ZSBiUzUtWl5 ziCeB^ah|6^b~cx;odVo0)6$a4igX3X?Cknf6E_q8pp3FKGh^Rm?V=KoV&9Um5+}ca zNbRtQEHC%eLW^Y6upFZ@uH=Z|96vXoZ1YUNs=T0xvOMo1!_Y!Q$727;0;9sDq6m-R z0%ubnx1?+nkY#F`y6Hu!iN&c3>7my86}C1C`CJ+0VFg}k7Cz=td1d-}6)qk=^@Uj_ zo`w4U0ZA@JnQ3WJp{YiBA?Xobmid|4mKpy3UgoLB1{Jv$rX@vTW!gDhC4SyMW+r8s zUfE`uriDKG`ud(ed6A|O6{Qs=>E&Fyy1EK(+Wsj)2E~yj0Y!nHhJnd}5y62*hMu00 zeqn_rDJBM9#o2**xtSpu`X*c|_5UU)E&1TOFZ0Q}>*v0ERaZ_q{-QdoWy5I=kFSjE z?B+}N_vQS*Bl=9D*>r7oU-S;wa?#p^)q18$YPFH!JGE@~T#?&)A>?ao;N6Dvrfmzow&0y=x*GfKAvtbld41; zsV(sZNsk^+%riRPv$j`Y&0Vt-MuC5$wz+@*wPC}ZMeApmtgP3*Uu&=|;nW%DBvp4# z+b^&6r)``VBjKvy@pkv0>A%@x>pT9K_)QHt{`$%ByHkxjzlHzZIO(4IIrEi43Nx># lJrTLqEgE@ek4x&|*XK`08^3TnvGaZI&Lo#4*Gb#W>QP3F=L$;v7#j;z#nHVN=6 z$_)q($@I-lkM!~{%u6jV^!6)sF)S)D(hn~WcSN@>F)}A4Gf*L?$}%dTz$r7y-=r|n z*Ff7S!#N<))y2igG{V?3)iJa@%RSN9wJgfVC6vpRHLFY=OC}Z zu!!)KjH4JzUJ46OHtPoP7#hvXc!f^Ma!S z(u@kq!;;Z$%P(}&_77BWHx4Q@@lDIqwhZx&^vVbbF|u?ru?+Lgt}srlG;j-WGfOrw zHY+kN3AW&}aEfp-aVab^aWgRT^$7O1$n_~TO7bZycMR|~OwI~4wFoUU%Sg>K3^qZx zE#1@0FUe8CxWv6Or!YMvBrqx^EH@;l#5lvO*fq~2v@*0XJSx{REZp0@%r~UUAUK~Z zC@bC6Jjq!*JR;ja!Y#-n)i~55&o9tPJ3PrvyPz!1Bvjix$}FeAEW{Pvwu~$v{mOC$ z&&1M_9Cz(}L&LJl01xe|0I$3>caKCPA2Sc{Ff)I*^yKi2q zG>J4w(GM>PNb~aXj0$rtw{*cslfi|#IZ=TMx$gS@scGS9PLcVkz8*3Ug@dkZmCI@IT4kvVc7;;x%qk81{FpHDcV`i#!mWP!I_!HZcb&HRe65ixy4@E zjt1^kNhJ}++GZHGxrZ19m!vCbhdLD&ghZBRCsr0zMmpyDq~wMbCRJsX8|4}q8<$jS zyCj7>rF)0wx`lGNI+dm7rkkZ?x@fy3n}>TOYA1#T>AR$chnnc8ha@^idgX95fS<3nfcD?Y2mpRMyW}@sihbtSD0&=aaFoPez93) zc|o>;o0(^-Q&vR2M|Opyc}A*!L}`^tdALETr)yzRV0dXxrkep*aaf?Cvy-K9xG7VDQe4RqF zQj?7eom_lMECalXJ)#OqJ@QIYBOUWXGgIC5!;BocJX5uUk^|Fy@;u#)11wE4B3(+| zDnl~L@+>^G^YeU+z1#yT0+K4-gF-QKw^6WpcyhXeM^sdvOPOh~SAls{a%gIvcXmic zaaOTqVOF+jsJ?fVyLpkfznOVTZf-i4r(>{Fgk?~QYnrQpqo1}>x?xFhrMatrm7$AS zV1}_%Vz_&Np^uN7uM0-W}%lemG19n=#!J_72s)E85&Zlonzo(Xqi|V 
zpq*mqr*Gz1VVIVgU+&9gk!ECERT$--8*E`z8Jh3qWTx-pQ<<(G8J?Z)9B2`lUg_iG z>*VX4x-yZWT%CRi+_D9*M3c z$*Eb!MiyM=PL72^d1i^(A)yhG#fDBvK9$)K`r$6ceu-gaEnB~YQ7fhClwdDr$yw3gmQ%@8ta#*CmZP} z6=#()kU9M1Co)%~l>13{-@91Be=Is{| zP-bqD8&DJ!Wl|KF>=J6|=3Nq+WEfzW>ByDp=8{uUm|mP%mL25cn{8g{l4lT{S7BCc z7@Fae>FA-I>t~W-8EBeoff15L-UUHbfeOW`6|UyRd8Q>{j-@HaN!j7y;f`L~g@r!; zjv3zG6Km~!Nnn=k)G}auKM1A-W3&v z9{MI_DN!Ysq39uLq3=>vSgzokoSRitpzRu3VCa_<6qK!>l}P4_6p~eCY?hf5Z0QwI9_;Mv zf>E26cvY6Bmn)<@YkQexIHnZ^rW(1pmX>7t`e%ihoA?!nMS5H4YkRnO7w2lH23Z!n z7jtEJq*hhr>gSm`78s?JXJ@#1C#Px~gq!CWC8wnLL}n+MJ7(wyxhGZVr=$BVryw9S zvRolE&$Xb;C^J0FJu1&JDk9V@rMM*0!X>bxq$oANxFRjmDIzq-!#L8XvYac`*(59} zTR+&*v`pVQBRnd~E7M!QD$Ky#$FR&er^>86JSe$5JJ7SL(1c4@S69IzyRb0dGSk$& zG|jm%&)qU3Dc#Gcz%9kiGtA4hGRw~**vTj~G$g;wHuE~tsc*W7NqRXKW=*Pd!zji)tJ<$ht@=}aylNNk z9KKK$Xv*AB{5>({nfa;RNxHokZT2yh9{-V%_&V-#?0)mtT_L*3 zk8^+38RvPkyk&d)cgwmoZ^h8L*Ix@sTNiPgXPww`NaUBP%I+_o8+K|g)w>iunLBvC zQEtWh^Z&i|72-bJu!y=obHkGsyMXH9+-FuTk`b;B8((saS){SVhZ_r3V7gw?Qm$ArY`MR#vb ztZ)*)qOP;S;DY(ml|R?-`M9U!uwPN*i;Zi|&xs$GTfh=x8r;BYf6(@E_(_|CHtY=> w*9zL2-hQmCwYl=X%(d6;-(x1S3Yo9Ai&(fK-pl=@&qk~Dr piv-p256 CT7K2Q A0qTlw/zQp903Xk08cjrAX7zoPL2xc6KCBD1ZQhpDP9H +kCuhwrAe91AXCEcXw7xGfb4ypYpAhCm/MCFv7cQJcXY +-> piv-p256 5utyxg A+dmEbRvkJuqaMp2ZaamaLTdRLWTlkBxwJDE0e4cP7jG +ai+6s1mDIsxx5bHcnZQscjjTQnV8/C146n2YJy4gF+w +-> kQ'0sT4p-grease kVUsHd] ^ 3z#4aLz zmwIUo\ +m88fb8byPiryipImWibRNuzZ/mXFVYe0bDeM +--- uRfolk520znGni9GMw2SxyYUqYsK0Mxw6WnTd23T9zY +/vjh겳7e*vkˠ~MQKKOJ0ύE分g[%mN\ ׮iьȻ95〈h°*. +*j5jZ? 
^O}ZbkB|Y惃g@_C mJ,zaW4sS3(8E4C^GO2O7i#2bx(FFbwsx)g&Ovq{2MYEYC8?q|&{hyfisGG7#Oi zbWbn8Bu9m+a)ZheSHpbYz#La|pQvyTC#Q@Y{fyjP@6b$3pTJNfN7E8xZ}Wo8^lUC~ z7yZ<9m;B<~qAKI`bk|_Nq)_bu|IEt7$RvaEvM}SUs1)B)?aE-&N{o2R$nw#zELR9A z3il23)i(1BaLTnv&GR(0@X1I`PAl>V57rJhaY^UlN@iJ3hHr&sRB>)po^zP5K`~cIk%eE7nL&nUfuCVvl~HPh zuXCw~Ymt$+g-LdiMUZPwazsT|KtZ8FAx0_*H3>*fOIL7qGfFfIOv?_A%J3<1^^QzS z3~>7FD*!SPUp&YG1s@uN%Yh9EcVtn2`(z}_m0$d)3!)- z%JYv1%E0d11`r5pJbo3tdbmmr_6$2{|r~t(!5+_W2d5wupG;R@+u=Y zFW;Q9;H;!zU-Xc44>1ZZNmrfa^xzqbcymYa1IXC*S9oq53)>43w87M2{JWw_X#ieax8Q=$t|f&bv5wu z^+dNV-_f_SEM1|{!ZR~F-#9ca%fcYFD%;$kq{2DNCD1dZ%*`*t(LAC!SUaH9A}Uxv zyPPY)y)rAgG9;OUOt=KEf&CoeA$-l}qBc~v^DBHrV48yiCPmipK zbOqx|(-NOx$GnQrBK?rUYy%(n5c53kJP*sXw5-r4z7GrE_JvnUoc{IR_h+7*=@X zW;=(Jo2EJDg}Vl5hvk>&ggKT+dK6{kR#gP$WTV@bYwl%knXXV+lpPu5>m3@E6pFHsT?&??Ml^5dcshy`EVeakc7RpsnSXEvTW@#SclCN*%=^GeOnC)2^ zks6ujSK?lf?BZ8uoMON<@`jgjAsg3ZH|(-r)@TrAT)+!Ou$Onn?HQqu}Ey+VsK zB0NJ)QvHew@|+5S%S|jRd@X#OO}G+s%e|b9O2VSjvnxCb{T$89v)s+nEpkH&lM-{y z3iNX=a=rXr0-W-~i_!h&>YE>sTCQMNs9)$|;pLPWVOZi3nj2uIUyzxUWEhd`R^a89 zTI%NP5tUmS8c-f?5Xt3N<{6ygA7+weS(2Vrm||$CooMXr?U+{?Q0k?hR8$gDm7Qjo zmX+sWhEXbKRz(@R1u7IJItFT+hx-PmrMmf~h9yO6rv?}XJ4Y0_x<*BLqy)O<`K9Gp zMj4w#7;qJ4}o8%d~l_ymhMH!VxdZd(Qy9K9u`TLrCn)>?WJ3G1+VC3#9 zza$HnKn3$ize4ZyVhaO5LzmP-%hd41GDp+OH1o0)&vHwBZ@0*Ra`UJpUsETie6A?h z;xu1p6JyijOv{|mR1fo%u%cXpEK7sH6z{z9AdhSppNv2sbGQ5;j2z(ZWaJwas8D6# zS!(R>WE_y6oR*jpkyxBmZV~EeqMf3jmFb#iU|D6Flp5k!6j&AJ$dzd79Tiq$P*#+Z znVX(xW}1>1o>G;Qno?|LUJ_!OQREk4nw6Rs=pF-pEV*Maf zSFYP2p*Px(u^i&cORN#?auHcdr5@uHBX`bxjU92AxQBq*x zS7un0=BS^nZD8r0W#DXF;2ssFofPa^%;m1{>6@ZmZ0_b5;O&@H;G7zeQEpjWTIK7S zoEKb_U*P7E=NPJ=R$x?xkpqgn3xcWw6&x*{^4)#CJi|=Q4N}dW{WIL7TqAr!iVZ7* ziu03-O3e!W^MZoYbMkZ2xsq}`v`g}HT#NNhE&TP34Z@rPoh)67%nPebTnrLD+)^_f z)BO?)jC}nua)5=tOI2aHLUNKvj(Lb#gjxrZ}G z9Z=#`S(;w1;GCFZT;QMOTpD5Qmt;^JVrr0Qn&YV*o>^X6lHy_zRFds%;F(xjmg^kK zl@;!mn-}GgQf5$AT;-%)lx<;DVwn`0;}embWEq<6k!e)!ljvUX_LtQGvJhKeAJp7D`0}Hi- z3*2(U%gfC@Lqqa&ObT*cBg)JZ(~Pt|y|mLjic8WWlPin4baizVJS|+(GxV!0{c`hD 
zOnt*5vYiu?jf;Wv`n7aB ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU +5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI +-> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU +PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls +-> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M +pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs +-> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc +j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE +-> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E +4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw +-> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ +l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA +-> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ +olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE +-> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ +1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk +-> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA +UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg +-> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA +3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps +-> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY +d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk +-> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE +7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w +-> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A +8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg +-> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko +o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE +-> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE +p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4 +-> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA +rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w +-> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM +NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps +-> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k 
+GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo +-> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk +MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec +-> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw +DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M +-> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0 +I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU +-> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ +IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc +-> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k +SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I +-> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI +WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE +-> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q ++rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o +-> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw +vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo +--- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE +3%"xR@(qOEL^S%#48mEe(J +AN>DE+&@8b5~l- M#8 2=vP 4|[}Oy \ No newline at end of file 
diff --git a/secrets/old/borg-ssh-key.age b/secrets/old/borg-ssh-key.age new file mode 100644 index 0000000000000000000000000000000000000000..68eeafbb18d3f0f35b7f3c0b819f666f7167c5c3 GIT binary patch literal 3381 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4%9b@bX3SFbI$TL zcXT%^%T0C(G0qS0DvAsb3o;KXaY^y^Cb#W>QP3F=L$;v7#j;z#nHVN=6 z$_)q($@I-lkM!~{%u6jV^!6)sF)S)D(hn~WcSN@>F)}A4Gf*L?$}%dTz$r7y-=r|n z*Ff7S!#N<))y2igG{V?3)iJa@%RSN9wJgfVC6vpRHLFY=OC}Z zu!!)KjH4JzUJ46OHtPoP7#hvXc!f^Ma!S z(u@kq!;;Z$%P(}&_77BWHx4Q@@lDIqwhZx&^vVbbF|u?ru?+Lgt}srlG;j-WGfOrw zHY+kN3AW&}aEfp-aVab^aWgRT^$7O1$n_~TO7bZycMR|~OwI~4wFoUU%Sg>K3^qZx zE#1@0FUe8CxWv6Or!YMvBrqx^EH@;l#5lvO*fq~2v@*0XJSx{REZp0@%r~UUAUK~Z zC@bC6Jjq!*JR;ja!Y#-n)i~55&o9tPJ3PrvyPz!1Bvjix$}FeAEW{Pvwu~$v{mOC$ z&&1M_9Cz(}L&LJl01xe|0I$3>caKCPA2Sc{Ff)I*^yKi2q zG>J4w(GM>PNb~aXj0$rtw{*cslfi|#IZ=TMx$gS@scGS9PLcVkz8*3Ug@dkZmCI@IT4kvVc7;;x%qk81{FpHDcV`i#!mWP!I_!HZcb&HRe65ixy4@E zjt1^kNhJ}++GZHGxrZ19m!vCbhdLD&ghZBRCsr0zMmpyDq~wMbCRJsX8|4}q8<$jS zyCj7>rF)0wx`lGNI+dm7rkkZ?x@fy3n}>TOYA1#T>AR$chnnc8ha@^idgX95fS<3nfcD?Y2mpRMyW}@sihbtSD0&=aaFoPez93) zc|o>;o0(^-Q&vR2M|Opyc}A*!L}`^tdALETr)yzRV0dXxrkep*aaf?Cvy-K9xG7VDQe4RqF zQj?7eom_lMECalXJ)#OqJ@QIYBOUWXGgIC5!;BocJX5uUk^|Fy@;u#)11wE4B3(+| zDnl~L@+>^G^YeU+z1#yT0+K4-gF-QKw^6WpcyhXeM^sdvOPOh~SAls{a%gIvcXmic zaaOTqVOF+jsJ?fVyLpkfznOVTZf-i4r(>{Fgk?~QYnrQpqo1}>x?xFhrMatrm7$AS zV1}_%Vz_&Np^uN7uM0-W}%lemG19n=#!J_72s)E85&Zlonzo(Xqi|V zpq*mqr*Gz1VVIVgU+&9gk!ECERT$--8*E`z8Jh3qWTx-pQ<<(G8J?Z)9B2`lUg_iG z>*VX4x-yZWT%CRi+_D9*M3c z$*Eb!MiyM=PL72^d1i^(A)yhG#fDBvK9$)K`r$6ceu-gaEnB~YQ7fhClwdDr$yw3gmQ%@8ta#*CmZP} z6=#()kU9M1Co)%~l>13{-@91Be=Is{| zP-bqD8&DJ!Wl|KF>=J6|=3Nq+WEfzW>ByDp=8{uUm|mP%mL25cn{8g{l4lT{S7BCc z7@Fae>FA-I>t~W-8EBeoff15L-UUHbfeOW`6|UyRd8Q>{j-@HaN!j7y;f`L~g@r!; zjv3zG6Km~!Nnn=k)G}auKM1A-W3&v z9{MI_DN!Ysq39uLq3=>vSgzokoSRitpzRu3VCa_<6qK!>l}P4_6p~eCY?hf5Z0QwI9_;Mv zf>E26cvY6Bmn)<@YkQexIHnZ^rW(1pmX>7t`e%ihoA?!nMS5H4YkRnO7w2lH23Z!n z7jtEJq*hhr>gSm`78s?JXJ@#1C#Px~gq!CWC8wnLL}n+MJ7(wyxhGZVr=$BVryw9S 
zvRolE&$Xb;C^J0FJu1&JDk9V@rMM*0!X>bxq$oANxFRjmDIzq-!#L8XvYac`*(59} zTR+&*v`pVQBRnd~E7M!QD$Ky#$FR&er^>86JSe$5JJ7SL(1c4@S69IzyRb0dGSk$& zG|jm%&)qU3Dc#Gcz%9kiGtA4hGRw~**vTj~G$g;wHuE~tsc*W7NqRXKW=*Pd!zji)tJ<$ht@=}aylNNk z9KKK$Xv*AB{5>({nfa;RNxHokZT2yh9{-V%_&V-#?0)mtT_L*3 zk8^+38RvPkyk&d)cgwmoZ^h8L*Ix@sTNiPgXPww`NaUBP%I+_o8+K|g)w>iunLBvC zQEtWh^Z&i|72-bJu!y=obHkGsyMXH9+-FuTk`b;B8((saS){SVhZ_r3V7gw?Qm$ArY`MR#vb ztZ)*)qOP;S;DY(ml|R?-`M9U!uwPN*i;Zi|&xs$GTfh=x8r;BYf6(@E_(_|CHtY=> w*9zL2-hQmCwYl=X%(d6;-(x1S3Yo9Ai&(fK-pl=@&qk~DrFfuh$a1Jr|HVRa5tPF7uu?Ti` z@(cBd3Jo`K@d_(*_VG;hG|O@^NKMuDGEC2R4RtI@&CoXDO3AKr4R?16w#aq~j7TXh zFHdwg$%-g*HuulSPAQHs3ra7mG&0D_2s86UvCFiyq_QGi!LcaK#30!@)IUErB-qT@ z!!w}NH8o$`DALul)WFy?IK|N@ILbTO)G^D%ldD48(bv_zAjm>HCp0i1w5lS~+a)?tZZ-!uX-Yy`A&) n)&3&DziNWYRXG0+Xq(`jC literal 0 HcmV?d00001 diff --git a/shell.nix b/shell.nix index 2aabb81..6accab5 100644 --- a/shell.nix +++ b/shell.nix @@ -24,9 +24,12 @@ devshell.name = "universe"; devshell.motd = ""; - devshell.packages = [ + devshell.packages = with pkgs; [ pythonEnv inputs'.disko.packages.disko + config.agenix-rekey.package + age-plugin-fido2-hmac + age-plugin-yubikey ]; env = [ diff --git a/users/infinidoge/default.nix b/users/infinidoge/default.nix index cd96e92..49ed655 100644 --- a/users/infinidoge/default.nix +++ b/users/infinidoge/default.nix @@ -43,7 +43,7 @@ in POP_SMTP_HOST = common.email.smtp.address; POP_SMTP_PORT = common.email.smtp.STARTTLS; POP_SMTP_USERNAME = common.email.withUser "infinidoge"; - POP_SMTP_PASSWORD = "$(cat ${secrets.personal-smtp-password})"; + POP_SMTP_PASSWORD = "$(cat ${secrets.smtp-personal})"; }; home.packages = 
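Review bot: In the shell.nix hunk (`@@ -24,9 +24,12 @@`), switching the whole list to `with pkgs;` makes it ambiguous which entries come from pkgs: `pythonEnv`, `inputs'.disko.packages.disko` and `config.agenix-rekey.package` do not, while the two `age-plugin-*` entries do. Writing the plugins as `pkgs.age-plugin-fido2-hmac` and `pkgs.age-plugin-yubikey` without the `with` keeps the origin of every entry explicit and avoids the usual `with` shadowing surprises. The enclosing devshell definition starts before this hunk.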
@@ -110,10 +110,22 @@ in
 adb.enable = config.info.graphical;
 };
 
+ age.rekey.masterIdentities = [
+ ./keys/primary_age.pub
+ ./keys/backup_age.pub
+ ];
+
+ age.secrets = {
+ password-infinidoge.rekeyFile = ./password.age;
+ smtp-personal.rekeyFile = ./smtp-personal.age;
+ smtp-personal.owner = "infinidoge";
+ };
+
+ user.hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge;
+
 user = {
 name = "infinidoge";
 uid = 1000;
- hashedPasswordFile = mkIf config.modules.secrets.enable config.secrets.infinidoge-password;
 description = "Infinidoge, primary user of the system";
 group = "users";
 isNormalUser = true;
diff --git a/users/infinidoge/keys/backup_age.pub b/users/infinidoge/keys/backup_age.pub
new file mode 100644
index 0000000..3c6f399
--- /dev/null
+++ b/users/infinidoge/keys/backup_age.pub
@@ -0,0 +1,7 @@
+# Serial: 26969244, Slot: 1
+# Name: BACKUP_AGE
+# Created: Wed, 19 Feb 2025 01:58:28 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1q2dxqlvpp0jpjumgmm3rk952dqexy6r2ff4ul62luman3uga6s0l5llfumw
+AGE-PLUGIN-YUBIKEY-1NJZFKQVZUM4H93SSLXN5A
diff --git a/users/infinidoge/keys/primary_age.pub b/users/infinidoge/keys/primary_age.pub
new file mode 100644
index 0000000..2eff10a
--- /dev/null
+++ b/users/infinidoge/keys/primary_age.pub
@@ -0,0 +1,7 @@
+# Serial: 24623451, Slot: 1
+# Name: PRIMARY_AGE
+# Created: Wed, 19 Feb 2025 00:53:27 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1q2mfklp6cectpmkefv6edr9elreeypdzwhpzsnwry9nzjq3epnswstkyq5w
+AGE-PLUGIN-YUBIKEY-1TWUHWQVZPYLV4KGFG23L9
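Review bot: `user.hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge;` is placed above the `user = { … };` set that immediately follows it, where the old `hashedPasswordFile` line used to live; Nix merges the two, but a reader scanning `user = { … }` will not see the password file there. Moving it back inside the set, `user = { hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge; name = "infinidoge"; … }`, keeps the account definition in one place. Similarly, the two `smtp-personal.*` attribute paths read more clearly as one nested set, `smtp-personal = { rekeyFile = ./smtp-personal.age; owner = "infinidoge"; };`. Note also that only the `hashedPasswordFile` reference is guarded by `config.modules.secrets.enable` while the `age.secrets` definitions are unconditional; whether that is intended cannot be told from this hunk.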
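Review bot: `backup_age.pub` and `primary_age.pub` are named as public-key files, but each ends in an `AGE-PLUGIN-YUBIKEY-…` identity stub with the recipient only present in the `# Recipient:` comment line. That is presumably the shape `age.rekey.masterIdentities` expects, but the `.pub` suffix can mislead a reader into treating them as recipient-only files. Since the stub references a key slot on the token rather than containing private material, committing it is appropriate; a leading comment such as `# age-plugin-yubikey identity stub: references serial/slot on the token, private key never leaves the YubiKey` on both files would make that explicit. The same applies to primary_age.pub.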
diff --git a/users/infinidoge/password.age b/users/infinidoge/password.age new file mode 100644 index 0000000000000000000000000000000000000000..25a8e84fb428af37cb0815057a0b6e13e9cce7ba GIT binary patch literal 493 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$a1Jr|HVRa5EcG+XurxIa z&DT!L%+C+0iqJ0c49y7%Ht=!Pwg~jpPD)P8G7r)>Ff@zc3NR@ub1Y2_tPD@~2shMs zcM1zF%5qNfb&E_*_x1EN&nwO@tuRbBFLuvIvCFiyq_QGi!7)FiEZj0LPd_KWB017a zzbMP3(BC4=Alo(Hsj?y@BrGG)J<2!HKiI=0lFKwV(9*Hc*)Q2FB{;&ZswCJY(KRB> z(5*5&G19`jv??n+IM}?xJE|@S_gYd_wv4%y~?chdWEFfuh$a1Jr|HVRa5H1-KKcXKhx z3lA&scP%vZ@-Ox^O?FK;NH=i`bP7uKj4BB)4zMf?PI1ZLD)bFW%E`zt%k~d-DGUlJ zc1`k6PB!x^^)w7BHOjOIH1$a`%QdPhEzGb$vCFiyq_QGi!Lh15BsAGDqawtmGCjB~ zIN3FzFf<}F(b(A0HPPlVXA+AVo+{rE|;#Zu0m>Vc3N1lS6Hw~N~Lj7nQ2Bvc5acSPo76`WT<&?zI(cR zd6HqUX|_*LITynx^Yeo4JRbyR piv-p256 CT7K2Q AooiXHg+vA2jBkxQ00aC81gCRIuo9Xe4c4uOaWCMU4X6 +4Aaaywj9vKAj/cv+yb6gFeiV+ROTeTxnPDrgAO29ODM +-> piv-p256 5utyxg Apti8vz8VE2kLk8pvWIYk0f+AnuHItXpH3x2MDs3iv+0 ++OhtPhXmsLZXimQuAIdB54OD1Qde18ZDVBUsGNafRR8 +-> M_nrH-grease hj"xH( *8 dX] +Ld3SIuXFJqz/gbDEnDxroU188XFJjoRkqHnYWpRLauCpcSbG2kHuKdYKDQ +--- Wp70IAXPdmf99j5ccFzGM8FDfcTl05nz01d5cc0tVgI +4,DXUڛ +Gx( E'(gK&hͽ$E/g{BJQaN,j'3(4jQھ) +[CAJf&Ͱaf ͸~Ր*ݥx9*I \ No newline at end of file
