flake: migrate to agenix-rekey

secrets/binary-cache-public-key

@@ -1 +0,0 @@
-infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=

secrets/borg-password.age

@@ -1,56 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU
-5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI
--> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU
-PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls
--> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M
-pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs
--> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc
-j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE
--> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E
-4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw
--> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ
-l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA
--> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ
-olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE
--> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ
-1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk
--> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA
-UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg
--> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA
-3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps
--> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY
-d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk
--> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE
-7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w
--> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A
-8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg
--> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko
-o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE
--> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE
-p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4
--> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA
-rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w
--> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM
-NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps
--> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k
-GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo
--> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk
-MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec
--> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw
-DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M
--> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0
-I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU
--> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ
-IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc
--> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k
-SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I
--> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI
-WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE
--> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q
-+rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o
--> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw
-vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo
---- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE
-3´%"xR·É«@(£qOŸE<0E>L<>^¾§íS„%#ç4„<34>€×8mEü—eš(­Jò
-üAÌN<>>D£E<13>+&þ@Ë
8b5~‚l«-ùÂì MÔ#Œ8	•õ±‘»2•=vñÒæ¹P•ï­
4¢ä|âÔñ[}Oyñ
+-> piv-p256 CT7K2Q Atat1p1wMEaZVi0DxSmUYN3H79RO1XK26pmJFnrMUW+N
+4IUFdkcSJnVthch8NgWV/mRsPqs5/NbxRgTP1DTq6Js
+-> piv-p256 5utyxg AhOyUzfDfgFTgoSZ/Ram2/AKwXT0RoJ/g4cGvQoCHwMR
+7W5e76JbGDvEiUwbJrOK2/9pSzEKUk+4LAtnJd6Au9A
+-> A(v,}OT8-grease iv$<6^
+qJk7RvKMoJ/OCb1L15x8ur6Q5MxpDcXkwA
+--- FrURRINPBWKnkfeCAsUecvz0nSlH8cUmpuxzgpUc9sA
+w«m¤Ź ˛<>‹56#x&ŹgŁ@ ™<>n´ŞM2]-9¤<>`ł”†±Ň`
$8ţź6š‡EŁŁÖˇÜ<CB87>t»oł±¬Ű0 zĐEµD>»<T×/]ş<>'ż±2\sÎCöU0í—iˇWý<űÄŃ÷›Y6¶qĽjôľ1d~cŮĚÉĎŢüB

secrets/default.nix

@@ -1,89 +1,29 @@
 {
   lib,
-  self,
   config,
   ...
 }:
 with lib;
 let
-  inherit (lib.our) mkOpt;
-  inherit (lib.types) bool attrsOf path;
-
-  mkSecret = name: nameValuePair (removeSuffix ".age" name) { file = "${./.}/${name}"; };
-  secrets = listToAttrs (map mkSecret (attrNames (import ./secrets.nix)));
-
-  withOwnerGroup =
-    name: secret:
-    secret
-    // {
-      owner = name;
-      group = name;
-      mode = "440";
-    };
-  withOwner = name: secret: secret // { owner = name; };
-  withGroup =
-    name: secret:
-    secret
-    // {
-      group = name;
-      mode = "440";
-    };
+  inherit (lib.our) mkOpt mkBoolOpt;
+  inherit (lib.types) attrsOf path;
+  inherit (lib.our.secrets) withGroup;
 in
 {
   options = {
-    modules.secrets.enable = mkOpt bool true;
+    modules.secrets.enable = mkBoolOpt true;
     secrets = mkOpt (attrsOf path) { };
   };
 
   config = mkIf config.modules.secrets.enable {
     _module.args.secrets = config.secrets;
     secrets = mapAttrs (n: v: v.path) config.age.secrets;
-    age.secrets = mkMerge [
-      {
-        inherit (secrets)
-          "infinidoge-password"
-          "root-password"
-          "borg-ssh-key"
-          "ovpn"
-          ;
-
-        "borg-password" = secrets."borg-password" // {
-          group = "borg";
-          mode = "440";
-        };
-        "binary-cache-private-key" =
-          secrets.binary-cache-private-key
-          // lib.optionalAttrs config.services.hydra.enable {
-            group = "hydra";
-            mode = "440";
-          };
-        "smtp-password" = withGroup "smtp" secrets."smtp-password";
-        "personal-smtp-password" = withOwner "infinidoge" secrets."personal-smtp-password";
-      }
-      (mkIf config.services.nginx.enable {
-        inherit (secrets) "cloudflare";
-      })
-      (mkIf config.services.vaultwarden.enable {
-        "vaultwarden" = withOwnerGroup "vaultwarden" secrets."vaultwarden";
-      })
-      (mkIf config.services.freshrss.enable {
-        "freshrss" = withOwnerGroup "freshrss" secrets."freshrss";
-      })
-      (mkIf config.services.hydra.enable {
-        inherit (secrets) hydra;
-      })
-      (mkIf config.services.hedgedoc.enable {
-        "hedgedoc" = withOwnerGroup "hedgedoc" secrets."hedgedoc";
-      })
-      (mkIf config.services.searx.enable {
-        inherit (secrets) searx;
-      })
-      (mkIf config.services.authentik.enable {
-        inherit (secrets) authentik authentik-ldap;
-      })
-      (mkIf config.services.radicale.enable {
-        radicale-ldap = withOwnerGroup "radicale" secrets.radicale-ldap;
-      })
-    ];
+    age.secrets = {
+      borg-ssh-key.rekeyFile = ./borg-ssh-key.age;
+      borg-password = withGroup "borg" ./borg-password.age;
+      binary-cache-private-key = withGroup "hydra" ./binary-cache-private-key.age;
+      smtp-noreply = withGroup "smtp" ./smtp-noreply.age;
+      dns-cloudflare.rekeyFile = ./dns-cloudflare.age;
+    };
   };
 }

secrets/dns-cloudflare.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q A0qTlw/zQp903Xk08cjrAX7zoPL2xc6KCBD1ZQhpDP9H
+kCuhwrAe91AXCEcXw7xGfb4ypYpAhCm/MCFv7cQJcXY
+-> piv-p256 5utyxg A+dmEbRvkJuqaMp2ZaamaLTdRLWTlkBxwJDE0e4cP7jG
+ai+6s1mDIsxx5bHcnZQscjjTQnV8/C146n2YJy4gF+w
+-> kQ'0sT4p-grease kVUsHd] ^ 3z#4aLz zmwIUo\
+m88fb8byPiryipImWibRNuzZ/mXFVYe0bDeM
+--- uRfolk520znGni9GMw2SxyYUqYsK0Mxw6WnTd23T9zY
+€¿°“®/Ÿvj<76>Œœùh¸ê²³¬¼7e*ÑvkË ~¼þM®QKþ§ÐêKÂé„OÉJø‘0”Ï<E2809D>E分é³gÿ[%m–N¢\•	×®Ùi ‘ÑŒ­È»9™5Š¶—〈ÎhæŽôî°‘*.
+*j’5j³ƒZ?^O}ZbkBÀ†þã|åÛY惃ÃÞgîþ™@_óC	m¿J,z<u뺵<C2BA>®}(_

secrets/old/borg-password.age

@@ -0,0 +1,56 @@
+age-encryption.org/v1
+-> ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU
+5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI
+-> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU
+PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls
+-> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M
+pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs
+-> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc
+j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE
+-> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E
+4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw
+-> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ
+l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA
+-> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ
+olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE
+-> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ
+1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk
+-> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA
+UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg
+-> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA
+3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps
+-> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY
+d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk
+-> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE
+7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w
+-> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A
+8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg
+-> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko
+o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE
+-> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE
+p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4
+-> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA
+rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w
+-> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM
+NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps
+-> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k
+GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo
+-> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk
+MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec
+-> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw
+DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M
+-> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0
+I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU
+-> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ
+IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc
+-> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k
+SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I
+-> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI
+WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE
+-> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q
++rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o
+-> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw
+vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo
+--- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE
+3´%"xR·É«@(£qOŸE<0E>L<>^¾§íS„%#ç4„<34>€×8mEü—eš(­Jò
+üAÌN<>>D£E<13>+&þ@Ë
8b5~‚l«-ùÂì MÔ#Œ8	•õ±‘»2•=vñÒæ¹P•ï­
4¢ä|âÔñ[}Oyñ

secrets/secrets.nix

@@ -1,52 +0,0 @@
-with builtins;
-let
-  flatten = x: if isList x then concatMap (y: flatten y) x else [ x ];
-  hasPrefix = pref: str: (substring 0 (stringLength pref) str == pref);
-  isValidKey =
-    key:
-    all (keyPrefix: !(hasPrefix keyPrefix key)) [
-      "sk-ssh-ed25519"
-    ];
-
-  systems = {
-    Infini-DESKTOP = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7uX1myj9ghv7wMoL038oGDCdScdyLd7RvYdnoioSBh root@Infini-DESKTOP";
-    Infini-FRAMEWORK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7PmPq/7e+YIVAvIcs6EOJ3pZVJhinwus6ZauJ3aVp0 root@Infini-FRAMEWORK";
-    Infini-SERVER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8ptHWTesaUzglq01O8OVqeAGxFhXutUZpkgPpBFqzY root@Infini-SERVER";
-    Infini-OPTIPLEX = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG8fY684SPKeOUsJqaV6LJwwztWxztaU9nAHPBxBtyU root@Infini-OPTIPLEX";
-    Infini-STICK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0fWuozCHyPrkFKPcnqX1MyUAgnn2fJEpDSoD7bhDA4 root@Infini-STICK";
-    Infini-SD = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8oViHNz64NG51uyll/q/hrSGwoHRgvYI3luD/IWTUT root@Infini-SD";
-    Infini-DL360 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360";
-    Infini-RASPBERRY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwPqTFCztLbYFFUej42hRzzCBzG6BCZIb7zXi2cxeJp root@Infini-RASPBERRY";
-    hestia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBanlhzmtBf5stg2yYdxqb9FzFZmum/rlWod/akWQI3c root@hestia";
-    iris = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsdARqD3MibvnpcUxOZVtstIu9djk+umwFR5tzqKATH root@iris";
-  };
-  users = {
-    infinidoge = import ../users/infinidoge/ssh-keys.nix;
-    root = import ../users/root/ssh-keys.nix;
-  };
-  allKeys = filter isValidKey (flatten [
-    (attrValues systems)
-    (attrValues users)
-  ]);
-
-  generate = secrets: foldl' (a: b: a // b) { } (map (n: { ${n}.publicKeys = allKeys; }) secrets);
-in
-generate [
-  "infinidoge-password.age"
-  "root-password.age"
-  "binary-cache-private-key.age"
-  "vaultwarden.age"
-  "freshrss.age"
-  "borg-password.age"
-  "borg-ssh-key.age"
-  "cloudflare.age"
-  "smtp-password.age"
-  "hydra.age"
-  "hedgedoc.age"
-  "searx.age"
-  "ovpn.age"
-  "authentik.age"
-  "authentik-ldap.age"
-  "radicale-ldap.age"
-  "personal-smtp-password.age"
-]