flake: migrate to agenix-rekey

flake.lock

@@ -29,6 +29,38 @@
         "type": "github"
       }
     },
+    "agenix-rekey": {
+      "inputs": {
+        "devshell": [
+          "devshell"
+        ],
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks": [
+          "git-hooks"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1739816852,
+        "narHash": "sha256-QG8aA6hWsi6pqaidaz5a5SL+dM1mT9LMWMrmc1hrOrU=",
+        "owner": "oddlama",
+        "repo": "agenix-rekey",
+        "rev": "5f56d711ffe2aca62cfeeada9ec56692a13b9061",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "repo": "agenix-rekey",
+        "type": "github"
+      }
+    },
     "authentik-nix": {
       "inputs": {
         "authentik-src": "authentik-src",
@@ -954,6 +986,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "agenix-rekey": "agenix-rekey",
         "authentik-nix": "authentik-nix",
         "blank": "blank",
         "conduwuit": "conduwuit",

flake.nix

@@ -26,6 +26,7 @@
 
     ### Nix Libraries
     agenix.url = "github:ryantm/agenix";
+    agenix-rekey.url = "github:oddlama/agenix-rekey";
     devshell.url = "github:numtide/devshell";
     disko.url = "github:nix-community/disko/latest";
     flake-parts.url = "github:hercules-ci/flake-parts";
@@ -78,6 +79,11 @@
     systems.url = "github:nix-systems/default";
 
     ## Follow common
+    agenix-rekey.inputs.devshell.follows = "devshell";
+    agenix-rekey.inputs.flake-parts.follows = "flake-parts";
+    agenix-rekey.inputs.nixpkgs.follows = "nixpkgs";
+    agenix-rekey.inputs.pre-commit-hooks.follows = "git-hooks";
+    agenix-rekey.inputs.treefmt-nix.follows = "treefmt-nix";
     agenix.inputs.darwin.follows = "blank";
     agenix.inputs.home-manager.follows = "home-manager";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
@@ -222,13 +228,28 @@
                     ] ++ (self.lib.leaves ./users/modules);
                   };
                 }
+                (
+                  { config, pkgs, ... }:
+                  {
+                    age.rekey = {
+                      storageMode = "local";
+                      generatedSecretsDir = ./secrets/generated;
+                      localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
+                      agePlugins = with pkgs; [
+                        age-plugin-fido2-hmac
+                        age-plugin-yubikey
+                      ];
+                    };
+                  }
+                )
 
                 # --- Universe Modules ---
                 ./secrets
                 private.nixosModules.secrets
 
                 # --- Library Modules ---
-                inputs.agenix.nixosModules.age
+                inputs.agenix.nixosModules.default
+                inputs.agenix-rekey.nixosModules.default
                 inputs.disko.nixosModules.disko
                 inputs.home-manager.nixosModules.home-manager
                 inputs.impermanence.nixosModules.impermanence
@@ -273,6 +294,7 @@
           ./pkgs
           ./shell.nix
           ./templates
+          inputs.agenix-rekey.flakeModule
           inputs.devshell.flakeModule
           inputs.treefmt-nix.flakeModule
         ];

hosts/Infini-DESKTOP/default.nix

@@ -14,6 +14,8 @@
 
   info.loc.home = true;
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7uX1myj9ghv7wMoL038oGDCdScdyLd7RvYdnoioSBh root@Infini-DESKTOP";
+
   persist = {
     directories = [
       "/srv"

hosts/Infini-DL360/default.nix

@@ -10,6 +10,8 @@
     ./hardware-configuration.nix
     ./disks.nix
 
+    ./secrets
+
     ./web.nix
 
     private.nixosModules.minecraft-servers
@@ -37,6 +39,8 @@
 
   info.loc.purdue = true;
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360";
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   boot.binfmt.addEmulatedSystemsToNixSandbox = true;
 

hosts/Infini-DL360/forgejo.nix

@@ -27,7 +27,7 @@ in
 
     lfs.enable = true;
 
-    secrets.mailer.PASSWD = secrets.smtp-password;
+    secrets.mailer.PASSWD = secrets.smtp-noreply;
     settings = {
       server = {
         ROOT_URL = "https://${domain}/";

hosts/Infini-DL360/secrets/authentik-ldap.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AmrcqFPgfqImIMZx45MXeqD5XP2MCpnIIXTjfVZXFOtv
+IgBH5MFAJJ5vP82Jtvmr/NcaCK1F/qSWQHM1PbtKu5Q
+-> piv-p256 5utyxg A80LKCGYw597lm0Oo8kBKLIWcwnOCjDr3FiyIDrAmkSZ
+R9tdgHAfuVNs2nXD+ml7l/jjXvf0cD2b5wALOVzEH9o
+-> BLl-grease d)6dWO5 2P
+/fvI/IO/OJV/4sF+ENnj1AQx9fRf0cLMy90ASBvl9Cdwtdnrx4ly8ZOS57rSNSO1
+JJFsEd9M3lKRElvYsXADC0cOBsK5hg
+--- BNRWm9qA1JnQ71Yf9vAeVa7B5qzUf00mjVHJeFCKjQQ
+£4ráý(	„Œï&@þ
»ÖÆO¤‰øªÖ›SÖÉÓAãÛþ®å?¯·,{²ÅÉšPDÃ(¦m|ÒÊö`˜7Ü 8Ómf2ªæìp; 9nÌ}DÐUÃùü™†bùãÏÔćÉ(uû?A±¡	V ”Ü(4"’h ÀßÖ“R;,6»?8¶
+ȉ“ÙæÙç

hosts/Infini-DL360/secrets/authentik.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AwjgvoXQnw3dGl+3NzZwbtobCzYQqSEwu3o68itzJXk3
+9J7aPKsJ/dZOoCKNGZWnxOH8a2TNX5D9hBStFgqDOH4
+-> piv-p256 5utyxg AyFGfXw60hWpTNvCXaVNTk0UN8WX8dEwIOMYkwtHLXJF
+Zy5cd5saG4jfF5ZXkZ9TJpvscxfgDV2xGALY1yyY66w
+-> m(-grease [FxH /SCRkN 2\>
+HvqiMVBno3sBsl9eg4Lkr7F/f/dB8pxihcekBG0ntbQApRwxawj37/wjXKOYAX43
+OL4wHohhU91u+4eOv8E1K3OOpXy3aVn7WTjk/6ftA2oxLCy1QzQKpg
+--- fpnPuiVpzrB09e3CvSUY/Y7tQyCc6v6FuRkml07bqD4
+®D\…ìƒâˆèLUŽx‚¤²“Z<E2809C>5œñõ»ÉEm}"&<26>ËÄù&³©Öø&çð*ÅTwä×ïV2¼ñ‰p‰Z¥<02>YsÅŸtãW­Ý;<3B>Z’BO…‘,Œï	’§ˆ—Y§Å¯|mMú$…Â`tŠ‰:÷ÏjÜa›œÃ}1)YxÃtà*øŠIÅœZC|-Ãê~qu‰O]V^™IvØk˜
—à:—“R¾%ߊI'áYÀXóZÕ¢1iV±=bÂÉ‚Iñ<49>*ºYµÝeq™

hosts/Infini-DL360/secrets/default.nix

@@ -0,0 +1,17 @@
+{ lib, ... }:
+let
+  inherit (lib.our.secrets) withGroup withOwnerGroup;
+in
+{
+  age.secrets = {
+    authentik-ldap.rekeyFile = ./authentik-ldap.age;
+    authentik.rekeyFile = ./authentik.age;
+    freshrss = withOwnerGroup "freshrss" ./freshrss.age;
+    hedgedoc = withOwnerGroup "hedgedoc" ./hedgedoc.age;
+    hydra = withGroup "hydra" ./hydra.age;
+    ovpn.rekeyFile = ./ovpn.age;
+    radicale-ldap = withOwnerGroup "radicale" ./radicale-ldap.age;
+    searx.rekeyFile = ./searx.age;
+    vaultwarden.rekeyFile = ./vaultwarden.age;
+  };
+}

hosts/Infini-DL360/secrets/freshrss.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AzMC4XpUhKiVaI2xhQRTQoyV+RjMz5Aoj3gZsgc8PBK3
+CGLI4lL+4xWaMviHW7FofruIZVFES0H/WFSzsbXDjcY
+-> piv-p256 5utyxg AieYOjyIS2APXJfkY/qJ0UmoIuHwO3oIH8MSHh5o2M37
+GCEG5cxBQ5k/3UGm76bNtsPsHzv5yGSJ7iEn3h3wops
+-> -W-grease Gh{uU
+RobG9ho0acfDe+0qEBmtRyejJy7E272b3vzuegQ2twAl2xTYinWOx286sVpRPc7W
+vJNCu9BCDGlIFnQoP2R1gm2eQrI6InNOOh3Q/IZ736ieAhbDvJbm/3BWqRmRRylY
+dfEg
+--- 3XHaD7Zc6JTUxZl/ouKGxmCVvkbjLw2E+TDAf6PwLLo
+÷u,MÏ<4D>HS3JkYÿû5ù`5Œ;m<C¾y?E¬
ÙV~jx¶«½ßZ<C39F>ff‚Ä!3N}

hosts/Infini-DL360/secrets/hydra.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q Ai6/RXPumKBsTij/p4Yzze3wuc+lCeCjrficqXR6a+cX
+gGZZ+9hfSefCPpgkEyxiGLBw6HeIRlihlHpRW0flyHs
+-> piv-p256 5utyxg AmJA1H1XKyJf8SH9aGgJGwgBCsW5c0VbYOih82p73tS7
+MclhdvYabgDkKl+K+rFxiRvbLLudscVAENFacJraIvA
+-> ^4f5%t8(-grease ? G
+aNFXQBBqAcfPE5+Wpw
+--- Rvpkl3gKIXx96JuQEJZYvKm/ZkXDMl/7TCDECeTBa+o
+î@<40><>üÿnöº©Uej
˜tšÜHbuæ’»KžÌ<C5BE>(ƒÇÕ¹Œr_lmDZ(6•ô¤ãš“h†Æ˜æm¥;–Îk`“³ R´uö:[÷¥›x['*iŽij
y‘sʶÇ~`wkÓ¥ˆ}28õ‘’º

hosts/Infini-DL360/secrets/ovpn.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q A0NnbNjIggIuH4ZTAs8YyN3zn3V6OAsKrC04WaTveFAD
+fiS6e/cndp7XPg6N9FoFDYJVHzQA1R64QNWyDjrmVJs
+-> piv-p256 5utyxg A1EojHMF4AIcObYpGSRE/8Z2gOmtf9l5d9ZV36RC9jHy
+WbYaIRWeSUbeaZDqQK4rqOTXy0kWQsG3gbC4dWsUNa4
+-> LJP-grease ,)
+qNMbqpxba5Q8KRzrglBoMGsTZdWFTc6wTIFeX74MIDVqE2yPVUVNXcCzM6U3b+/y
+XqtVvPgkILD6
+--- 66jeuKk3OHoA9g4muxmythBRKRc/zq4937NDiLC0cM0
+…¤‰	l1a*¾:©×IÒƒÄö‚%gUcbp ¡Ìr¼Ç5“¼,"‚Dn%H|
ß<>Š

hosts/Infini-DL360/secrets/radicale-ldap.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q ApL+8SFBLjq2WTsInFVio8n4RN/U7Cy1I2hvFxNBA2Vu
+IUk5Vd0iqcqPVG8JKmEoTmPePeRpO/+e/mA2MWWatVI
+-> piv-p256 5utyxg A2ndIHeH3WUg1D6Og35thBxlL8Oji+vc2Ru7B6aSZwMd
+loQZbjmAoS1hhiRKkr6wgGmE9Olzstw4zfGCkd0IK7Y
+-> AQvw>-grease `Pf
+PpONBRKybtkIwA3qrv0X0WaHlHcTd3VeDNOF0MUu4M+qrO1bI71sDL1+sPz/Hm/2
+bkOFCT1xxYFwBQYaRrWY5/3qSKWi
+--- zp9aNIrYy+Z55Fp+bQ4D0BhLkOAwx5gb5vH4+qkXJmY
+<EFBFBD>Þˆ7òé=1uF‡`Òdþ	b–Õ×ò‘<C3B2>©åÿëdgN°M¤q^ðb<C3B0>E¬Ûhå ÌI¸O…{:ú!FWÜŒjyßcDzñk§§)c<08>ƒ¢íópݶdµƒ

hosts/Infini-FRAMEWORK/default.nix

@@ -16,6 +16,8 @@
 
   info.loc.purdue = true;
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7PmPq/7e+YIVAvIcs6EOJ3pZVJhinwus6ZauJ3aVp0 root@Infini-FRAMEWORK";
+
   persist = {
     directories = [
       {

hosts/Infini-OPTIPLEX/default.nix

@@ -9,6 +9,8 @@
 
   info.loc.purdue = true;
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG8fY684SPKeOUsJqaV6LJwwztWxztaU9nAHPBxBtyU root@Infini-OPTIPLEX";
+
   boot.loader.timeout = 1;
 
   modules = {

hosts/Infini-RASPBERRY/default.nix

@@ -13,6 +13,9 @@ with lib;
   ];
 
   system.stateVersion = "23.11";
+
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwPqTFCztLbYFFUej42hRzzCBzG6BCZIb7zXi2cxeJp root@Infini-RASPBERRY";
+
   modules = {
     hardware.form.raspi = true;
   };

hosts/Infini-SD/default.nix

@@ -7,6 +7,8 @@
 
   networking.hostId = "3275c7d3";
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8oViHNz64NG51uyll/q/hrSGwoHRgvYI3luD/IWTUT root@Infini-SD";
+
   boot.kernelPackages = pkgs.linuxPackages;
 
   hardware.infiniband = {

hosts/Infini-SERVER/default.nix

@@ -9,6 +9,8 @@
 
   info.loc.home = true;
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8ptHWTesaUzglq01O8OVqeAGxFhXutUZpkgPpBFqzY root@Infini-SERVER";
+
   modules = {
     hardware = {
       # gpu.nvidia = true;

hosts/hermes/default.nix

@@ -8,6 +8,8 @@
   system.stateVersion = "24.11";
   networking.hostId = "deadbeef";
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0fWuozCHyPrkFKPcnqX1MyUAgnn2fJEpDSoD7bhDA4 root@Infini-STICK";
+
   boot.kernelPackages = pkgs.linuxPackages;
 
   modules = {

hosts/hestia/default.nix

@@ -8,6 +8,8 @@
   system.stateVersion = "25.05";
   networking.hostId = "85eb2d89"; # "hestia" in base64->hex
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBanlhzmtBf5stg2yYdxqb9FzFZmum/rlWod/akWQI3c root@hestia";
+
   modules.hardware.form.server = true;
   modules.backups.enable = false; # hestia is a backup target
   boot.loader.timeout = 1;

hosts/iris/default.nix

@@ -1,13 +1,15 @@
 { ... }:
 {
   imports = [
-    ./hardware-configuration.nix
+    #./hardware-configuration.nix
     ./disks.nix
   ];
 
   system.stateVersion = "25.05";
   networking.hostId = "8ab8acd3"; # "iris00" in base64->hex
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsdARqD3MibvnpcUxOZVtstIu9djk+umwFR5tzqKATH root@iris";
+
   modules.hardware.form.server = true;
   modules.backups.enable = false; # testing server
   boot.loader.timeout = 1;

lib/default.nix

@@ -126,6 +126,7 @@ lib.makeExtensible (
 
     disko = import ./disko.nix { inherit lib; };
     filesystems = import ./filesystems.nix { inherit lib self; };
+    secrets = import ./secrets.nix;
   }
   // (import ./digga.nix { inherit lib; })
   // (import ./hosts.nix { inherit lib; })

lib/secrets.nix

@@ -0,0 +1,13 @@
+{
+  withOwnerGroup = name: rekeyFile: {
+    owner = name;
+    group = name;
+    mode = "440";
+    inherit rekeyFile;
+  };
+  withOwner = owner: rekeyFile: { inherit owner rekeyFile; };
+  withGroup = group: rekeyFile: {
+    inherit group rekeyFile;
+    mode = "440";
+  };
+}

modules/global/general.nix

@@ -57,7 +57,7 @@
     accounts = rec {
       noreply = {
         user = outgoing;
-        passwordeval = "cat ${secrets.smtp-password}";
+        passwordeval = "cat ${secrets.smtp-noreply}";
       };
       default = noreply // {
         from = withSubaddress "%U-%H";

modules/global/packages.nix

@@ -17,7 +17,6 @@
     [
       universe-cli
 
-      agenix
       bat
       cloc
       cryptsetup

modules/global/security.nix

@@ -19,7 +19,7 @@ in
       defaults = {
         email = "infinidoge@inx.moe";
         dnsProvider = "cloudflare";
-        environmentFile = config.secrets.cloudflare;
+        environmentFile = config.secrets.dns-cloudflare;
       };
     };
     pki.certificateFiles = [

secrets/binary-cache-public-key

@@ -1 +0,0 @@
-infinidoge-1:uw2A6JHHdGJ9GPk0NEDnrdfVkPp0CUY3zIvwVgNlrSk=

secrets/borg-password.age

@@ -1,56 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU
+-> piv-p256 CT7K2Q Atat1p1wMEaZVi0DxSmUYN3H79RO1XK26pmJFnrMUW+N
-5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI
+4IUFdkcSJnVthch8NgWV/mRsPqs5/NbxRgTP1DTq6Js
--> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU
+-> piv-p256 5utyxg AhOyUzfDfgFTgoSZ/Ram2/AKwXT0RoJ/g4cGvQoCHwMR
-PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls
+7W5e76JbGDvEiUwbJrOK2/9pSzEKUk+4LAtnJd6Au9A
--> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M
+-> A(v,}OT8-grease iv$<6^
-pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs
+qJk7RvKMoJ/OCb1L15x8ur6Q5MxpDcXkwA
--> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc
+--- FrURRINPBWKnkfeCAsUecvz0nSlH8cUmpuxzgpUc9sA
-j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE
+w«m¤Ź ˛<>‹56#x&ŹgŁ@ ™<>n´ŞM2]-9¤<>`ł”†±Ň`
$8ţź6š‡EŁŁÖˇÜ<CB87>t»oł±¬Ű0 zĐEµD>»<T×/]ş<>'ż±2\sÎCöU0í—iˇWý<űÄŃ÷›Y6¶qĽjôľ1d~cŮĚÉĎŢüB
--> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E
-4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw
--> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ
-l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA
--> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ
-olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE
--> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ
-1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk
--> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA
-UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg
--> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA
-3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps
--> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY
-d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk
--> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE
-7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w
--> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A
-8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg
--> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko
-o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE
--> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE
-p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4
--> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA
-rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w
--> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM
-NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps
--> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k
-GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo
--> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk
-MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec
--> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw
-DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M
--> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0
-I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU
--> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ
-IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc
--> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k
-SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I
--> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI
-WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE
--> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q
-+rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o
--> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw
-vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo
---- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE
-3´%"xR·É«@(£qOŸE<0E>L<>^¾§íS„%#ç4„<34>€×8mEü—eš(­Jò
-üAÌN<>>D£E<13>+&þ@Ë
8b5~‚l«-ùÂì MÔ#Œ8	•õ±‘»2•=vñÒæ¹P•ï­
4¢ä|âÔñ[}Oyñ

secrets/default.nix

@@ -1,89 +1,29 @@
 {
   lib,
-  self,
   config,
   ...
 }:
 with lib;
 let
-  inherit (lib.our) mkOpt;
+  inherit (lib.our) mkOpt mkBoolOpt;
-  inherit (lib.types) bool attrsOf path;
+  inherit (lib.types) attrsOf path;
-
+  inherit (lib.our.secrets) withGroup;
-  mkSecret = name: nameValuePair (removeSuffix ".age" name) { file = "${./.}/${name}"; };
-  secrets = listToAttrs (map mkSecret (attrNames (import ./secrets.nix)));
-
-  withOwnerGroup =
-    name: secret:
-    secret
-    // {
-      owner = name;
-      group = name;
-      mode = "440";
-    };
-  withOwner = name: secret: secret // { owner = name; };
-  withGroup =
-    name: secret:
-    secret
-    // {
-      group = name;
-      mode = "440";
-    };
 in
 {
   options = {
-    modules.secrets.enable = mkOpt bool true;
+    modules.secrets.enable = mkBoolOpt true;
     secrets = mkOpt (attrsOf path) { };
   };
 
   config = mkIf config.modules.secrets.enable {
     _module.args.secrets = config.secrets;
     secrets = mapAttrs (n: v: v.path) config.age.secrets;
-    age.secrets = mkMerge [
+    age.secrets = {
-      {
+      borg-ssh-key.rekeyFile = ./borg-ssh-key.age;
-        inherit (secrets)
+      borg-password = withGroup "borg" ./borg-password.age;
-          "infinidoge-password"
+      binary-cache-private-key = withGroup "hydra" ./binary-cache-private-key.age;
-          "root-password"
+      smtp-noreply = withGroup "smtp" ./smtp-noreply.age;
-          "borg-ssh-key"
+      dns-cloudflare.rekeyFile = ./dns-cloudflare.age;
-          "ovpn"
-          ;
-
-        "borg-password" = secrets."borg-password" // {
-          group = "borg";
-          mode = "440";
     };
-        "binary-cache-private-key" =
-          secrets.binary-cache-private-key
-          // lib.optionalAttrs config.services.hydra.enable {
-            group = "hydra";
-            mode = "440";
-          };
-        "smtp-password" = withGroup "smtp" secrets."smtp-password";
-        "personal-smtp-password" = withOwner "infinidoge" secrets."personal-smtp-password";
-      }
-      (mkIf config.services.nginx.enable {
-        inherit (secrets) "cloudflare";
-      })
-      (mkIf config.services.vaultwarden.enable {
-        "vaultwarden" = withOwnerGroup "vaultwarden" secrets."vaultwarden";
-      })
-      (mkIf config.services.freshrss.enable {
-        "freshrss" = withOwnerGroup "freshrss" secrets."freshrss";
-      })
-      (mkIf config.services.hydra.enable {
-        inherit (secrets) hydra;
-      })
-      (mkIf config.services.hedgedoc.enable {
-        "hedgedoc" = withOwnerGroup "hedgedoc" secrets."hedgedoc";
-      })
-      (mkIf config.services.searx.enable {
-        inherit (secrets) searx;
-      })
-      (mkIf config.services.authentik.enable {
-        inherit (secrets) authentik authentik-ldap;
-      })
-      (mkIf config.services.radicale.enable {
-        radicale-ldap = withOwnerGroup "radicale" secrets.radicale-ldap;
-      })
-    ];
   };
 }

secrets/dns-cloudflare.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q A0qTlw/zQp903Xk08cjrAX7zoPL2xc6KCBD1ZQhpDP9H
+kCuhwrAe91AXCEcXw7xGfb4ypYpAhCm/MCFv7cQJcXY
+-> piv-p256 5utyxg A+dmEbRvkJuqaMp2ZaamaLTdRLWTlkBxwJDE0e4cP7jG
+ai+6s1mDIsxx5bHcnZQscjjTQnV8/C146n2YJy4gF+w
+-> kQ'0sT4p-grease kVUsHd] ^ 3z#4aLz zmwIUo\
+m88fb8byPiryipImWibRNuzZ/mXFVYe0bDeM
+--- uRfolk520znGni9GMw2SxyYUqYsK0Mxw6WnTd23T9zY
+€¿°“®/Ÿvj<76>Œœùh¸ê²³¬¼7e*ÑvkË ~¼þM®QKþ§ÐêKÂé„OÉJø‘0”Ï<E2809D>E分é³gÿ[%m–N¢\•	×®Ùi ‘ÑŒ­È»9™5Š¶—〈ÎhæŽôî°‘*.
+*j’5j³ƒZ?^O}ZbkBÀ†þã|åÛY惃ÃÞgîþ™@_óC	m¿J,z<u뺵<C2BA>®}(_

secrets/old/borg-password.age

@@ -0,0 +1,56 @@
+age-encryption.org/v1
+-> ssh-ed25519 sQ/0YA 5/8hTMh6CloNFOxL7nqpRWx6EHXfJ22s5Qm+lkFStwU
+5Virolfv5xEn9d2We37ciIrIT6hLSZF78iAwkHl16KI
+-> ssh-ed25519 aYlTiQ JSJJ4EC6v8VcSS13n6h0+K+sApNulYBphu7Ny+dYZhU
+PAIeYvIlsPbBSUs5t2KUxXu9sk1Yb/rSIKPlEZHj3Ls
+-> ssh-ed25519 i9xGKA YhZ3NCliAzg62D4LrfCNpcSwoJ+wKe+avbdUCQXMj1M
+pVOnIU43mqtFY0pRiSQBUigdoxq532p7wv0nS2MWPYs
+-> ssh-ed25519 ydxrGg OYE8RmU2XB3Vi5yxW2TExllNbUBzo6fFUWRUrfAl6Xc
+j1vTMqWvAu894eZzGA5wEk+3EvyQUBk/m3Xho5bDgAE
+-> ssh-ed25519 oqB+OQ bWopOtx5LLDGCQ2/TgxM4tpKWYjH9QODfDpxx9in01E
+4NT1npZomt0mSQSpLtTvFxLvV5NPMphG8J8LKcL5Wjw
+-> ssh-ed25519 gIJNbA QnW3sLf5LcofKLuAZz2f5y7qZMMVfmgNDXM6wBY57CQ
+l9Dl5+IJ7CswosXwijyOepxS5P6g+bA8wUfNQVF01fA
+-> ssh-ed25519 hjL/yw IqwsP6XXOoVgTdGMcgm+Ev0pvAHgRIEwaWcTaB6hNVQ
+olJ4WbQW58vI0TjkHww+iCTUgio7kZmPlcvJEc4IQGE
+-> ssh-ed25519 Ig0rsg 3ZiWNnm9DFiAKnwpyYQiSP5kZgNwLArraC32lqKtITQ
+1e74EWfTnOS7UdSJfMxTlzbr58fIn+rw/qeN6TxAKWk
+-> ssh-ed25519 U4Pefg yXsLnpVhhud1LAp+rgMqa4UH7mHsEbgrEb7SZzvyGDA
+UjF3i1PLn/jqMeStZmRcV/hA8SGkQkAOJ4E04W0d2Mg
+-> ssh-ed25519 SqmlZQ 44N/cMPg4R/6ntv/ZleB3tpjdyIi4F8HSJy03zyj1DA
+3SyM8OnvcbT2/PGiBj1EcTUr4q2T6H0+s+9UP4cpZps
+-> ssh-ed25519 GT2Stg 9vBE4i87f287MpgTama/5g6wQseDfng/fj6fKLKP1QY
+d7JvhmUrIOxxKEr3trtv4NRJKdLlf+LBbECpxnIpTxk
+-> ssh-ed25519 oAMyvg fjJmTln1QI4uw4TE4YMq0E8b0q/sZ2TLIgEP0zYlLyE
+7VHmeg6zpnzKWL5AC8qx6wAvYcdxulAMh/zPKt4eS1w
+-> ssh-ed25519 VIHjXg XdmRVbvEvARws7bCPn529MTPT1p/cb0U62hOtAfW33A
+8c0OrrMRip7KjeE2+VtbU/QDWl7KiVTvbv+lSIs7UNg
+-> ssh-ed25519 VEv3zg Umgx52XORKFXYdEsGzvKfvUy6SHJoJbvAKX3NHrVxko
+o3Phua7fSn5alLQDdU2PJBFvJBDqF+H+F3V/s4v4EgE
+-> ssh-ed25519 m7J79g CkPOHoXFHcMMk/xlmCAMd2ikZWJCqPhW7UvtymJ9FiE
+p+agR0jOtshNZjF0Gox3Njr7qwMzsk2nsstSUaScOH4
+-> ssh-ed25519 2S7Wcg XqhSc/NbSCGTMU8kZCk2Xu7fAFg+hQ4W4wSwzx9e9jA
+rNepa1tbXPRCfTSaAKgs+aLvCyRloAb340Ufw8DVi9w
+-> ssh-ed25519 EMoPew bK7hR3fKibZb47MyOR5n3gfyh7HzpDqC3ZlcaSigNQM
+NsYE8aU/wic0N1tVFbWykRfghsGmws4Xg8kdrJLisps
+-> ssh-ed25519 izZ3FQ 7UWEjg98xHo/9s9+onUSbrMh0uPLTDQVEbPgPAWVu3k
+GrBRLSIBdCHIHZNQIORZGFk93/l01CgOhfDx1eJqgvo
+-> ssh-ed25519 zNb8DQ XuvULuWzBe3DRVrEHM6fShYGh5MexG6XNxNpznJr1Fk
+MBOeY+DZ4HQ69ifOKr+2gv5Bkpg5WQa7zKm+NeC8Wec
+-> ssh-ed25519 GB2MZQ C6bFo1mneQHotAZLSn6sClt35+uUwPJLuHOYoE3aRkw
+DeDM1yv2FZo0dUXttP0d62fRgU/A8MJ99oHpGhr0Y/M
+-> ssh-ed25519 FelIjw E7fL8omx+HGv75MUsC/IZAXQNw4G1vb7LLT6FdTdkU0
+I7ix1MlBnH+wT9PxL64b5EYex3yjk3+U1EO0WLhzPjU
+-> ssh-ed25519 TRpHkw LHWFmWM6uKa7+MLlxKsdhBA5HmjsCnBz81MR2hIJCDQ
+IJOsuUtXmp91t226YrW+5lvAGiLygv598b0zCVBNHTc
+-> ssh-ed25519 rKpRzQ Qk96yw6dOkE7zIcBo/6SXpO9o6OrPykkT4knw8fj/0k
+SCa84kZ/e/vs4caIklF2LqwkVHgxbLoyWQIdXYsKC8I
+-> ssh-ed25519 8/Dzqw blUGZhhmVedopPKAbFNPfSxc58OoS5o5oW5plYltTiI
+WPFPl6bXvewmISOp8/S1ronk9jT8O57qNPZUCFvTxxE
+-> ssh-ed25519 tJyugw UUi6VCLSfg3oyutzwg+xskDCtE1mFQTvHrGBkXuIT1Q
++rk2mBJRrYrUfsv4o0keEAKsXahjEIintcoA+38RL/o
+-> ssh-ed25519 lpPUYw TFf9vRCAv2005EC1giIkVfy/AwpU/t5WPX3bSLDDHgw
+vbLC5pesZRyuw/vMAv2X1ZYVNwrYUx+P/ZV8BLrpELo
+--- EpxlXztYxi3N6dCswIYXZxAxmFv3XYSkU34LmUIM0fE
+3´%"xR·É«@(£qOŸE<0E>L<>^¾§íS„%#ç4„<34>€×8mEü—eš(­Jò
+üAÌN<>>D£E<13>+&þ@Ë
8b5~‚l«-ùÂì MÔ#Œ8	•õ±‘»2•=vñÒæ¹P•ï­
4¢ä|âÔñ[}Oyñ

secrets/secrets.nix

@@ -1,52 +0,0 @@
-with builtins;
-let
-  flatten = x: if isList x then concatMap (y: flatten y) x else [ x ];
-  hasPrefix = pref: str: (substring 0 (stringLength pref) str == pref);
-  isValidKey =
-    key:
-    all (keyPrefix: !(hasPrefix keyPrefix key)) [
-      "sk-ssh-ed25519"
-    ];
-
-  systems = {
-    Infini-DESKTOP = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7uX1myj9ghv7wMoL038oGDCdScdyLd7RvYdnoioSBh root@Infini-DESKTOP";
-    Infini-FRAMEWORK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7PmPq/7e+YIVAvIcs6EOJ3pZVJhinwus6ZauJ3aVp0 root@Infini-FRAMEWORK";
-    Infini-SERVER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8ptHWTesaUzglq01O8OVqeAGxFhXutUZpkgPpBFqzY root@Infini-SERVER";
-    Infini-OPTIPLEX = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG8fY684SPKeOUsJqaV6LJwwztWxztaU9nAHPBxBtyU root@Infini-OPTIPLEX";
-    Infini-STICK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0fWuozCHyPrkFKPcnqX1MyUAgnn2fJEpDSoD7bhDA4 root@Infini-STICK";
-    Infini-SD = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8oViHNz64NG51uyll/q/hrSGwoHRgvYI3luD/IWTUT root@Infini-SD";
-    Infini-DL360 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjmvE76BcPwZSjeNGzlguDQC67Yxa3uyOf5ZmVDWNys root@Infini-DL360";
-    Infini-RASPBERRY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwPqTFCztLbYFFUej42hRzzCBzG6BCZIb7zXi2cxeJp root@Infini-RASPBERRY";
-    hestia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBanlhzmtBf5stg2yYdxqb9FzFZmum/rlWod/akWQI3c root@hestia";
-    iris = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsdARqD3MibvnpcUxOZVtstIu9djk+umwFR5tzqKATH root@iris";
-  };
-  users = {
-    infinidoge = import ../users/infinidoge/ssh-keys.nix;
-    root = import ../users/root/ssh-keys.nix;
-  };
-  allKeys = filter isValidKey (flatten [
-    (attrValues systems)
-    (attrValues users)
-  ]);
-
-  generate = secrets: foldl' (a: b: a // b) { } (map (n: { ${n}.publicKeys = allKeys; }) secrets);
-in
-generate [
-  "infinidoge-password.age"
-  "root-password.age"
-  "binary-cache-private-key.age"
-  "vaultwarden.age"
-  "freshrss.age"
-  "borg-password.age"
-  "borg-ssh-key.age"
-  "cloudflare.age"
-  "smtp-password.age"
-  "hydra.age"
-  "hedgedoc.age"
-  "searx.age"
-  "ovpn.age"
-  "authentik.age"
-  "authentik-ldap.age"
-  "radicale-ldap.age"
-  "personal-smtp-password.age"
-]

shell.nix

@@ -24,9 +24,12 @@
           devshell.name = "universe";
           devshell.motd = "";
 
-          devshell.packages = [
+          devshell.packages = with pkgs; [
             pythonEnv
             inputs'.disko.packages.disko
+            config.agenix-rekey.package
+            age-plugin-fido2-hmac
+            age-plugin-yubikey
           ];
 
           env = [

users/infinidoge/default.nix

@@ -43,7 +43,7 @@ in
         POP_SMTP_HOST = common.email.smtp.address;
         POP_SMTP_PORT = common.email.smtp.STARTTLS;
         POP_SMTP_USERNAME = common.email.withUser "infinidoge";
-        POP_SMTP_PASSWORD = "$(cat ${secrets.personal-smtp-password})";
+        POP_SMTP_PASSWORD = "$(cat ${secrets.smtp-personal})";
       };
 
       home.packages =
@@ -110,10 +110,22 @@ in
     adb.enable = config.info.graphical;
   };
 
+  age.rekey.masterIdentities = [
+    ./keys/primary_age.pub
+    ./keys/backup_age.pub
+  ];
+
+  age.secrets = {
+    password-infinidoge.rekeyFile = ./password.age;
+    smtp-personal.rekeyFile = ./smtp-personal.age;
+    smtp-personal.owner = "infinidoge";
+  };
+
+  user.hashedPasswordFile = mkIf config.modules.secrets.enable secrets.password-infinidoge;
+
   user = {
     name = "infinidoge";
     uid = 1000;
-    hashedPasswordFile = mkIf config.modules.secrets.enable config.secrets.infinidoge-password;
     description = "Infinidoge, primary user of the system";
     group = "users";
     isNormalUser = true;

users/infinidoge/keys/backup_age.pub

@@ -0,0 +1,7 @@
+#       Serial: 26969244, Slot: 1
+#         Name: BACKUP_AGE
+#      Created: Wed, 19 Feb 2025 01:58:28 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1q2dxqlvpp0jpjumgmm3rk952dqexy6r2ff4ul62luman3uga6s0l5llfumw
+AGE-PLUGIN-YUBIKEY-1NJZFKQVZUM4H93SSLXN5A

users/infinidoge/keys/primary_age.pub

@@ -0,0 +1,7 @@
+#       Serial: 24623451, Slot: 1
+#         Name: PRIMARY_AGE
+#      Created: Wed, 19 Feb 2025 00:53:27 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1q2mfklp6cectpmkefv6edr9elreeypdzwhpzsnwry9nzjq3epnswstkyq5w
+AGE-PLUGIN-YUBIKEY-1TWUHWQVZPYLV4KGFG23L9

users/root/default.nix

@@ -2,14 +2,15 @@
   config,
   lib,
   pkgs,
+  secrets,
   ...
 }:
 {
   users.users.root = {
     shell = pkgs.zsh;
-    hashedPasswordFile = lib.mkIf config.modules.secrets.enable config.secrets.root-password;
+    hashedPasswordFile = lib.mkIf config.modules.secrets.enable secrets.password-root;
     openssh.authorizedKeys.keys = import ./ssh-keys.nix;
   };
 
-  home-manager.users.root = { ... }: { };
+  age.secrets.password-root.rekeyFile = ./password.age;
 }

users/root/password.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 CT7K2Q AooiXHg+vA2jBkxQ00aC81gCRIuo9Xe4c4uOaWCMU4X6
+4Aaaywj9vKAj/cv+yb6gFeiV+ROTeTxnPDrgAO29ODM
+-> piv-p256 5utyxg Apti8vz8VE2kLk8pvWIYk0f+AnuHItXpH3x2MDs3iv+0
++OhtPhXmsLZXimQuAIdB54OD1Qde18ZDVBUsGNafRR8
+-> M_nrH-grease hj"xH( *8 dX]
+Ld3SIuXFJqz/gbDEnDxroU188XFJjoRkqHnYWpRLauCpcSbG2kHuKdYKDQ
+--- Wp70IAXPdmf99j5ccFzGM8FDfcTl05nz01d5cc0tVgI
+Ô4µ«ôã,DXU»»›ª‘Ú›
+Gx(Í¹ÝE'(þgìK&h¡µÍ½È$ÈEÿ…<>/g¼¦{öBJö“ÃQ«³a¤öèNö,j'3î(ÝÝ4¡î„j¸ØQÚ¾Ä)
+<EFBFBD>[C…ø¯AJf&êœÍ°Üaf¥<66>™͸~Õ<>*öÝ¥Žx9*äI