flake: migrate to agenix-rekey

2025-02-18 21:47:38 -05:00 · 2025-02-18 21:47:38 -05:00 · b54be3998f
commit b54be3998f
parent 26734c2196
61 changed files with 306 additions and 190 deletions
--- a/users/infinidoge/default.nix
+++ b/users/infinidoge/default.nix
@ -43,7 +43,7 @@ in
        POP_SMTP_HOST = common.email.smtp.address;
        POP_SMTP_PORT = common.email.smtp.STARTTLS;
        POP_SMTP_USERNAME = common.email.withUser "infinidoge";
-        POP_SMTP_PASSWORD = "$(cat ${secrets.personal-smtp-password})";
+        POP_SMTP_PASSWORD = "$(cat ${secrets.smtp-personal})";
      };

      home.packages =
@ -110,10 +110,22 @@ in
    adb.enable = config.info.graphical;
  };

+  age.rekey.masterIdentities = [
+    ./keys/primary_age.pub
+    ./keys/backup_age.pub
+  ];
+
+  age.secrets = {
+    password-infinidoge.rekeyFile = ./password.age;
+    smtp-personal.rekeyFile = ./smtp-personal.age;
+    smtp-personal.owner = "infinidoge";
+  };
+
+  user.hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge;
+
  user = {
    name = "infinidoge";
    uid = 1000;
-    hashedPasswordFile = mkIf config.modules.secrets.enable config.secrets.infinidoge-password;
    description = "Infinidoge, primary user of the system";
    group = "users";
    isNormalUser = true;
--- a/users/infinidoge/keys/backup_age.pub
+++ b/users/infinidoge/keys/backup_age.pub
@ -0,0 +1,7 @@
+#       Serial: 26969244, Slot: 1
+#         Name: BACKUP_AGE
+#      Created: Wed, 19 Feb 2025 01:58:28 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1q2dxqlvpp0jpjumgmm3rk952dqexy6r2ff4ul62luman3uga6s0l5llfumw
+AGE-PLUGIN-YUBIKEY-1NJZFKQVZUM4H93SSLXN5A
--- a/users/infinidoge/keys/primary_age.pub
+++ b/users/infinidoge/keys/primary_age.pub
@ -0,0 +1,7 @@
+#       Serial: 24623451, Slot: 1
+#         Name: PRIMARY_AGE
+#      Created: Wed, 19 Feb 2025 00:53:27 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1q2mfklp6cectpmkefv6edr9elreeypdzwhpzsnwry9nzjq3epnswstkyq5w
+AGE-PLUGIN-YUBIKEY-1TWUHWQVZPYLV4KGFG23L9
--- a/users/infinidoge/password.age
+++ b/users/infinidoge/password.age
--- a/users/infinidoge/smtp-personal.age
+++ b/users/infinidoge/smtp-personal.age
--- a/users/root/default.nix
+++ b/users/root/default.nix
@ -2,14 +2,15 @@
  config,
  lib,
  pkgs,
+  secrets,
  ...
 }:
 {
  users.users.root = {
    shell = pkgs.zsh;
-    hashedPasswordFile = lib.mkIf config.modules.secrets.enable config.secrets.root-password;
+    hashedPasswordFile = lib.mkIf config.modules.secrets.enable secrets.password-root;
    openssh.authorizedKeys.keys = import ./ssh-keys.nix;
  };

-  home-manager.users.root = { ... }: { };
+  age.secrets.password-root.rekeyFile = ./password.age;
 }
--- a/users/root/password.age
+++ b/users/root/password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AooiXHg+vA2jBkxQ00aC81gCRIuo9Xe4c4uOaWCMU4X6
+4Aaaywj9vKAj/cv+yb6gFeiV+ROTeTxnPDrgAO29ODM
+-> piv-p256 5utyxg Apti8vz8VE2kLk8pvWIYk0f+AnuHItXpH3x2MDs3iv+0
+OhtPhXmsLZXimQuAIdB54OD1Qde18ZDVBUsGNafRR8
+-> M_nrH-grease hj"xH( *8 dX]
+Ld3SIuXFJqz/gbDEnDxroU188XFJjoRkqHnYWpRLauCpcSbG2kHuKdYKDQ
+--- Wp70IAXPdmf99j5ccFzGM8FDfcTl05nz01d5cc0tVgI
+Ô4µ«ôã,DXU»»›ª‘Ú›
+Gx(Í¹ÝE'(þgìK&h¡µÍ½È$ÈEÿ…<>/g¼¦{öBJö“ÃQ«³a¤öèNö,j'3î(ÝÝ4¡î„j¸ØQÚ¾Ä)
+<EFBFBD>[C…ø¯AJf&êœÍ°Üaf¥<66>™Í¸~Õ<>*öÝ¥Žx9*äI