From 8feb5245ea6786e5f01fa10621a1629d9cae2acf Mon Sep 17 00:00:00 2001 From: reo101 Date: Mon, 25 Dec 2023 15:17:30 +0200 Subject: [PATCH] feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them --- .gitignore | 3 +- flake.nix | 27 +++++++---- .../x86_64-linux/jeeves/configuration.nix | 48 ++++++++++++++----- machines/nixos/x86_64-linux/jeeves/disko.nix | 3 +- .../nixos/x86_64-linux/jeeves/network.nix | 11 +++-- .../nixos/x86_64-linux/jeeves/wireguard.nix | 19 +++++--- secrets/home/jeeves/user/password.age | 17 +++++++ secrets/home/jeeves/wireguard/private.age | 16 +++++++ secrets/home/jeeves_password.age | 17 ------- secrets/home/wifi.env.age | 18 ------- secrets/home/wifi/env.age | 18 +++++++ secrets/home/wireguard/server.private.age | 16 ------- secrets/home/wireguard/server.public.age | 17 ------- secrets/privkey.age | 5 ++ secrets/secrets.nix | 7 ++- shells/default/default.nix | 5 +- 16 files changed, 138 insertions(+), 109 deletions(-) create mode 100644 secrets/home/jeeves/user/password.age create mode 100644 secrets/home/jeeves/wireguard/private.age delete mode 100644 secrets/home/jeeves_password.age delete mode 100644 secrets/home/wifi.env.age create mode 100644 secrets/home/wifi/env.age delete mode 100644 secrets/home/wireguard/server.private.age delete mode 100644 secrets/home/wireguard/server.public.age create mode 100644 secrets/privkey.age diff --git a/.gitignore b/.gitignore index 4deb694..962a5b1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /.direnv/ -/secrets/key +/secrets/*key* +!/secrets/*.age diff --git a/flake.nix b/flake.nix index 4d3044c..a7241db 100644 --- a/flake.nix +++ b/flake.nix 
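Review bot: The new `/secrets/*key*` rule is name-based and only matches files directly under `secrets/`, while this commit moves the secrets into nested directories (`secrets/home/jeeves/wireguard/`, `secrets/home/jeeves/user/`) with names like `private` and `password` that the pattern would not catch in plaintext form. An allow-list is safer here: ignore everything under `secrets/` and re-include only `*.age` files and `secrets.nix`, so a decrypted or freshly generated key is never staged by accident. Whichever form is kept, add a comment that `!/secrets/*.age` exists so the passphrase-wrapped `secrets/privkey.age` can be committed.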
@@ -55,19 +55,15 @@ }; }; + agenix-rekey = { + url = "github:oddlama/agenix-rekey"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + ragenix = { url = "github:yaxitech/ragenix"; }; - # sops-nix = { - # url = "github:Mic92/sops-nix"; - # inputs = { - # nixpkgs.follows = "nixpkgs"; - # darwin.follows = "nix-darwin"; - # home-manager.follows = "home-manager"; - # }; - # }; - # Nix User Repository nur = { url = "github:nix-community/NUR"; @@ -117,6 +113,7 @@ , disko , deploy-rs , agenix + , agenix-rekey , ragenix , nur , spicetify-nix @@ -132,7 +129,9 @@ inherit (self) outputs; util = import ./util { inherit inputs outputs; }; in - rec { + { + inherit self; + # Packages (`nix build`) packages = util.forEachPkgs (pkgs: import ./pkgs { inherit pkgs; } @@ -184,6 +183,14 @@ darwinConfigurations = util.autoDarwinConfigurations; homeConfigurations = util.autoHomeConfigurations; + # Secrets + agenix-rekey = agenix-rekey.configure { + userFlake = self; + nodes = { + inherit (self.nixosConfigurations) jeeves; + }; + }; + # Deploy.rs nodes deploy.nodes = util.deploy.autoNodes; checks = util.autoChecks; diff --git a/machines/nixos/x86_64-linux/jeeves/configuration.nix b/machines/nixos/x86_64-linux/jeeves/configuration.nix index 4e83fe7..b458a8d 100644 --- a/machines/nixos/x86_64-linux/jeeves/configuration.nix +++ b/machines/nixos/x86_64-linux/jeeves/configuration.nix 
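Review bot: The new `agenix-rekey` input arrives without a matching `flake.lock` change (the diffstat lists 16 files and `flake.lock` is not among them), so this commit does not pin the revision of the tool that will handle the master identity and every secret. Until a lock entry is committed, the first evaluation resolves whatever `github:oddlama/agenix-rekey` points to at that moment. Commit the updated `flake.lock` together with the input so the code that touches secrets is reproducible and reviewable at a known revision.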
@@ -3,14 +3,23 @@ imports = [ inputs.hardware.nixosModules.common-cpu-amd inputs.hardware.nixosModules.common-gpu-amd - (import ./disko.nix { inherit inputs outputs; }) + ./disko.nix inputs.agenix.nixosModules.default + # FIXME: agenix-rekey + inputs.agenix-rekey.nixosModules.default ./network.nix ./wireguard.nix ./jellyfin.nix ./mindustry.nix ]; + # FIXME: agenix-rekey + age.rekey = { + hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB"; + masterIdentities = [ "${inputs.self}/secrets/privkey.age" ]; + # forceRekeyOnSystem = "aarch64-darwin"; + }; + nixpkgs = { hostPlatform = "x86_64-linux"; config = { @@ -61,7 +70,15 @@ ]; # NOTE: made with `mkpasswd -m sha-516` - age.secrets."jeeves_password".file = ../../../../secrets/home/jeeves_password.age; + age.secrets."jeeves.user.password" = { + # file = ../../../../secrets/home/jeeves/user/password.age; + # file = "${inputs.self}/secrets/home/jeeves/user/password.age"; + # FIXME: agenix-rekey + rekeyFile = "${inputs.self}/secrets/home/jeeves/user/password.age"; + # generator = {pkgs, ...}: '' + # ${pkgs.mkpasswd}/bin/mkpasswd -m sha-516 + # ''; + }; users = { mutableUsers = true; @@ -69,7 +86,7 @@ jeeves = { isNormalUser = true; shell = pkgs.zsh; - hashedPasswordFile = config.age.secrets."jeeves_password".path; + hashedPasswordFile = config.age.secrets."jeeves.user.password".path; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)" ]; 
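Review bot: `masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];` points at a copy of the master identity inside the flake source, so the file is both committed (see the `secrets/privkey.age` and `.gitignore` hunks) and copied into the world-readable Nix store on any machine that evaluates this configuration. Its header shows it is scrypt-wrapped, which means the confidentiality of every rekeyed secret now rests on that passphrase resisting offline guessing by anyone who can read the repository or such a store. If that trade-off is intended, say so in a comment and replace the bare `# FIXME: agenix-rekey` with what is still to be fixed. Otherwise keep the identity outside the repo and reference it by a quoted absolute path, e.g. `masterIdentities = [ "/path/outside/repo/privkey.age" ];` (placeholder path), or use a hardware-backed identity.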
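Review bot: The commented-out generator added under `age.secrets."jeeves.user.password"` repeats the `sha-516` typo from the `NOTE` line above it; `mkpasswd` has no such method, so enabling the generator as written would fail instead of producing a hash. Use `mkpasswd -m sha-512` in both places. The sketch also appears to give `mkpasswd` no password on stdin, so it would need a non-interactive input before it can be switched on.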
@@ -98,19 +115,26 @@ # ]; # }; - security.sudo.extraRules= [ - { - users = [ - "jeeves" - ]; - commands = [ + # security.sudo-rs = { + # enable = !config.security.sudo.enable; + # inherit (config.security.sudo) extraRules; + # }; + security.sudo = { + enable = true; + extraRules= [ + { + users = [ + "jeeves" + ]; + commands = [ { command = "ALL" ; options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea } - ]; - } - ]; + ]; + } + ]; + }; services.openssh = { enable = true; diff --git a/machines/nixos/x86_64-linux/jeeves/disko.nix b/machines/nixos/x86_64-linux/jeeves/disko.nix index 3aa471e..42e385b 100644 --- a/machines/nixos/x86_64-linux/jeeves/disko.nix +++ b/machines/nixos/x86_64-linux/jeeves/disko.nix @@ -1,5 +1,4 @@ -{ inputs, outputs, ... }: -{ lib, pkgs, config, ... }: +{ inputs, outputs, lib, pkgs, config, ... }: { imports = [ inputs.disko.nixosModules.disko diff --git a/machines/nixos/x86_64-linux/jeeves/network.nix b/machines/nixos/x86_64-linux/jeeves/network.nix index 3de0488..c5fde46 100644 --- a/machines/nixos/x86_64-linux/jeeves/network.nix +++ b/machines/nixos/x86_64-linux/jeeves/network.nix @@ -1,12 +1,17 @@ -{ lib, pkgs, config, ... }: +{ inputs, outputs, lib, pkgs, config, ... }: { environment.systemPackages = with pkgs; [ ]; - age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age; + age.secrets."home.wifi.env" = { + # file = ../../../../secrets/home/wifi/env.age; + # file = "${inputs.self}/secrets/home/wifi/env.age"; + # FIXME: agenix-rekey + rekeyFile = "${inputs.self}/secrets/home/wifi/env.age"; + }; networking.wireless = { iwd.enable = true; - environmentFile = config.age.secrets."home/wifi.env".path; + environmentFile = config.age.secrets."home.wifi.env".path; networks = { home = { ssid = "@HOME_WIFI_SSID@"; diff --git a/machines/nixos/x86_64-linux/jeeves/wireguard.nix b/machines/nixos/x86_64-linux/jeeves/wireguard.nix index 61613fa..9af757e 100644 
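Review bot: The reshaped `security.sudo` block still grants `jeeves` `NOPASSWD` on `ALL`, and nothing in the hunk records why. With that rule the hashed password managed by `age.secrets."jeeves.user.password"` does not gate root at all, and the key in `openssh.authorizedKeys.keys` is effectively a root credential. If passwordless sudo is needed for deployment (an assumption, the hunk does not say), document it next to the rule, e.g. `# NOPASSWD on ALL: needed for <reason>; narrow to the required commands when possible`. Also decide whether the commented-out `security.sudo-rs` block stays.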
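Review bot: The two commented-out `file = …` alternatives and the bare `# FIXME: agenix-rekey` in `age.secrets."home.wifi.env"` leave the reader guessing which form is meant to survive; the same leftovers are in the `jeeves.user.password` hunk of configuration.nix and the `wireguard.private` hunk of wireguard.nix. Drop the dead lines and say what is pending, e.g. `# TODO(agenix-rekey): rekey works, building the rekeyed derivation fails`.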
--- a/machines/nixos/x86_64-linux/jeeves/wireguard.nix +++ b/machines/nixos/x86_64-linux/jeeves/wireguard.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, ... }: +{ inputs, outputs, lib, pkgs, config, ... }: { environment.systemPackages = with pkgs; [ wireguard-tools @@ -10,12 +10,17 @@ # wg pubkey < private > public # Server - age.secrets."wireguard/server.private" = { - file = ../../../../secrets/home/wireguard/server.private.age; + age.secrets."wireguard.private" = { + # file = ../../../../secrets/home/jeeves/wireguard/private.age; + # file = "${inputs.self}/secrets/home/jeeves/wireguard/private.age"; mode = "077"; - }; - age.secrets."wireguard/server.public" = { - file = ../../../../secrets/home/wireguard/server.public.age; + # FIXME: agenix-rekey + rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/private.age"; + # generator = {lib, pkgs, file, ...}: '' + # priv=$(${pkgs.wireguard-tools}/bin/wg genkey) + # ${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")} + # echo "$priv" + # ''; }; networking.firewall.allowedUDPPorts = [51820]; @@ -28,7 +33,7 @@ MTUBytes = "1300"; }; wireguardConfig = { - PrivateKeyFile = config.age.secrets."wireguard/server.private".path; + PrivateKeyFile = config.age.secrets."wireguard.private".path; ListenPort = 51820; }; wireguardPeers = [ diff --git a/secrets/home/jeeves/user/password.age b/secrets/home/jeeves/user/password.age new file mode 100644 index 0000000..902e3b0 --- /dev/null +++ b/secrets/home/jeeves/user/password.age 
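Review bot: `mode = "077";` on `age.secrets."wireguard.private"` is carried over unchanged by the second hunk, and read as a chmod mode it denies the owner while granting read/write/execute to group and other, so every local account on the host can read the WireGuard private key. It looks like a umask was intended rather than a permission mode. The key is consumed through `PrivateKeyFile` in `wireguardConfig` (third hunk), so restrict it to that reader, e.g. `mode = "0440";` together with `group = "systemd-network";`, assuming systemd-networkd is the only consumer.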
@@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USB5eUlZ +S2dzQkNtM3pPY1I2aUcwdVpndk9WWThJWktDdTBQeVZPcytqWWpnClkxTjl6L3RH +S0ZyeDQzbkdFNzVvK2ErZFpENjlXcjk0RUk5SmtrN1I3U0kKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IHA4eGpVaUR3VE1ySU1TZ0tjcGx4SDJ5L3d6RDZvZmFjTmVTTTdx +ZUh5V2sKMjhRU0dwMmZ3NUhwTDZrMnI1bDFHYTJjckFlaVRUSUQ4bFd6bWlkQ1VD +MAotPiBYMjU1MTkgWTRabUNqVi9Tbjk4TGJZYUFHWWdEUjJYMUtES0JVdGxrbloz +a1pHN0VsRQpLc3BoRlRORHFySGFnRTBuWkpTaUJraEpzemg0L29leVFVQTZKMjBP +NUxFCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBUM1M1bURRQXFWVUNhdkxuUC9naXhm +Wk55MlJCWXB3NnovV3ZrOXBVdG53CmVOYldGRG92UHNPcG9HVjFFcmwxVCtKT0tw +MkYrYWQzMzNua3NvQ0lHS0kKLT4gX2UhLWdyZWFzZSBNZmRAaVkwIHFoUi5VXGEK +ZUJ2dnJDeUNsc1gzdFNnZi9OTSthZ3Vnd0hTQytSM0xnNDhQUEJoL3RyMzg0aGd1 +Y0NTYQotLS0gK1ZpUUpKbE4yMW1nc2ZtaFRVa0QwS21kU2VYb1JtNDBzQWxWWHpP +YnM2ZwoTk7csNBcZB21Y46f15I1CatS5N4In3UhXIA1CdLNoHiJ6ocurMxVhzBQ4 +VCSfib+Eq7FiEuMCG3l0fcgBLN2PSg79+BCiI1O9KYt9Qhl6g5fjRGvCCDtjos33 +aEBE2F46v92wpFX24Pw2MfCfSnSeghq3Nh2DQJvFyXsTDu6DAd4a9ubU6K5BMJS+ +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/jeeves/wireguard/private.age b/secrets/home/jeeves/wireguard/private.age new file mode 100644 index 0000000..4022a22 --- /dev/null +++ b/secrets/home/jeeves/wireguard/private.age 
@@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBMb3Bt +NTRMcXpEeGxkdkFaQmdnMjdsd0hHVXlWR1RZckthVVFzNmRRZDFNCnRvZlErOGFn +NW9TQlJvblVuZ1RsNWJvVWhSWE1VeEVuTmpWMUxMZnM1SkkKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IHVPNThxVnRnNlRkNTU0WDAxRVFIZk16WUlySDJqRFovSTAzVTJP +Wk1HVlEKZnZJMUJrR01uY01YTzM3dXY3VVJ2ZFFXaENGa3g5ZHlNSitYRU9uMUZE +TQotPiBYMjU1MTkgQURJZE9ma091Zis4MDYyUUJHdjc0MTYyRC9IK1BDMmZpNGx4 +MXBaaGxEMAp5dnFsSzVncjRDWDBQV1R2ckt4MzRtYTRyZERoejBvbWFabXM4K2NZ +L3ZRCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyA2OGI2eS8yQk1yNjdXNlY2VmlZUTVF +QkJ6eVZhYW56NU5xcG5jMG5oc1g4Ci8zM3p5ZmR3ZTBtRGpYZERUa0dBSldqRnRj +Ulhzc3RNU2lBR3pyZnpjYkkKLT4gdGt7TF8tZ3JlYXNlIGFJfHpCfSBDZC1UIC9e +PgpVVU9XUmdTM0RmSWF0SGdZV1VXOThPOUZRdHFnU2RTUkV2bzZmY3VJQzZjMUhG +WXMyNmJ0ZWcxQVVPVQotLS0gWEY2akF3UVp1VTVoSGNNMGs2enR0bXI1bU1uTzBP +RjMzejZxN1JLWUhjYwon/0IkLsAhX2rUfpHDmWq++0t7vppgTdZfSjRlqrW7/t8t +dj0pU/R1NDuPuJ90STxHoKZinAbX/LC18ieNCwdWvkNw566lY3ERV1egyg== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/jeeves_password.age b/secrets/home/jeeves_password.age deleted file mode 100644 index 80e0f0b..0000000 --- a/secrets/home/jeeves_password.age +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USB3bzVT -c3M0RC9vYThYQUpoN0FKU2hpSDdOUk10cUI2Si9vNVA5UjMrOEZZClF2RytISG40 -S2tqUVo5R2RwbVhweXg5dlNlSlJXdHVMQ1NyOGY5VHNKRlUKLT4gc3NoLWVkMjU1 -MTkgV2Y4dmp3IHpLQXBabTNzaWsrQWZHSEJxdDJjOXRYZ1JJNG90RFg1L1B1dUxG -SjFDakUKRkptYmQ4azV4VWdqSzZBTHloM203UXp5VDNKY0N1TDJTZ0FnYlBOWDlF -awotPiBYMjU1MTkgSy9pVStZRjJKbHVJZDIwOUM1MHFoVTd0eTNmSXlyRmxJTnBr -a2h2akJBOApic1VkdnZGUnVLZm9HbE5tZ1lzbGJSNGsxendyL0s2d3lVdnIreG42 -R1FBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBiR0dQVlFFV3grWXJQOEF4ajhtK2Yy -akExVEpwZ1lqcW1VN1JnODJFcFQwCnhRME5iWnZnc3NUL1ZwQ1ZyakJjZWVFb3VV -cmNpY0QyMitFNHZuakpxTmsKLT4gJHEsIixCbmwtZ3JlYXNlCmFrL1k5RTFsdndS -N1FwTytvQQotLS0gTTlJUlJMR09lSzY2RmpSWmk4MGtJamtRdnVZM1JobUMrRUJw -ZDgxRG9HVQo577U9ehKYysiNh7Z9o4X/xoP1eB7Igs5jQ/PFLFA0ST48NZ4GwJ1t -0Hbm4xdx5qaI5BIlxmyDspQCtBU2MmtYYT4v0rWZcmVQdm9GLDmCFuUeiAG+X7MT -wEqyX56oAr+ULxPO5EWoznIqv2wXantXsAGTvOKRqJuxWOleiXfAK50j4dM7jhzN -rw2k ------END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wifi.env.age b/secrets/home/wifi.env.age deleted file mode 100644 index 0e207fe..0000000 --- a/secrets/home/wifi.env.age +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBKNjdl -alVqNE5WY21yS2QxWndJOE9vSzRiWlhjSWNtR2dMdFA2ZE5kWUNvCjkrQVppSzdw -ZXo1cEVEUXZ6WVBVcTYwVWRhRFBxUUxqS0dnVlZGUWtmYjQKLT4gc3NoLWVkMjU1 -MTkgV2Y4dmp3IGQzeDZGTUFGeFhoYVpEeDZZT1hLUjhkak90cnhTeThkcnlQMFU1 -RUxEbVkKNy8zQmpUdE1NVnNCYTYyRmZ6bmhMRUttS0RNU3UxOU5RT0swRmpTeGpX -SQotPiBYMjU1MTkgcC9hMHpEMWl0WndmQzM2dm9MWG9reWpxVE5DeXRUcjRwQmp1 -RG5jeHBpMAptK3dXcStRcnBaMWRGZytQMDJQNFNiOU5ZVzZKczNwWEp5ZWVDbmdw -QS9RCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNMHN6Z0V5YWJzMnJ6RklpbFBpVUVw -OGdPRTl6Smo4RGxuZWtBelhrNW1rCnBFWjRlQWpjOW9TNHFSVFBSVStSalpTcUt4 -T3kxVmZxZkc0VzQ2ZlN2WHMKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIG00eEhHSlhi -bWMxOG02aFVBZEZGQnJxSFdRNmduRWVnN0lKQzlJMUVBVXcKbC9RYW1qS0p2Nld5 -UnVUb0xYTTYrVmxXQ2lMUG5rK3owOXJxMkR1MkZORQotPiA7emJcOi8tZ3JlYXNl -CjJlQXdqdVpsc3NIZmxlcU1YOXZmM2xsSHE0Vm1qK3ovcThaTlBYREgKLS0tIENr -TFN1MGlRbVM4NWZ4YWFJc0tWR3prUVZaVGkveW5taFdGWjZqZkZJS0kKSaZHvA62 -8AclIn54Dic5oyFpzGBIm321rTRsVWPmdTPkWiFpTEYdIFBJXAkpl3zC/exGPrZe -ZRUAUT0rxIfx/9OlF3NkrcwAI4crdeDd9HQzMnQFAw8CXVs= ------END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wifi/env.age b/secrets/home/wifi/env.age new file mode 100644 index 0000000..ade82a5 --- /dev/null +++ b/secrets/home/wifi/env.age 
@@ -0,0 +1,18 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USAxUzBy +a2JEcmZtQ01mcCsvWFdJVVdHNUtpcmtza05RY0dqcFl4VjFuY2dvCmZGRkxTK2ZK +ZFZpVEVvODB5d0dTTWx6aGtkTTBQMDJ6c3g0VkFSTzIyaEEKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IFZoY0tZY2hVK3RGQmpNNzA4aDk3dElUY3FoMUhtMXEyMUxsUWFG +Um1XR1UKMGVCdzZzM0Z1YitMeml5VVZlNGpGODNORFpuNEg5Vkk0WGppa1Zndkw4 +NAotPiBYMjU1MTkgQVFWT0I1QjRudzFJM2g3azg3YmQ4K0l2VEZ5aVNuRHlqS0Uy +OG9qL0pUUQpqcldkUUE0WWZvM1dxb1kzTU5LTlc1YmFISlJ3cm56N1RzSFhFdHlO +RnZVCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBxMGpXTVJNNGFMMGYyS2tLa2Rob1c1 +NnkvMExEa0ZJMjN6NlhtVGF5TXhFCk8xUTIrS2tWSUxrMlQwZS9aQnMxQmdXWGZa +T08zekxsV0U4VERpN3lid00KLT4gc3NoLWVkMjU1MTkgQjdiZXhBIEExMW9yRzVH +aUp1bk1tc1NnOHZhVitLUTZ0Q2xUZEZLc3U2Q1ZjYVJSRjQKQlBzN2gweU9wMWJ1 +KzRKakxELzhtVGFNclNkM3dsYVhoc0NGOGtXWU02MAotPiB6Y3FwYH5gNi1ncmVh +c2UgPzdlfGYgTgpNQQotLS0gMlZwNnFtbHo5TktOS0VaQ1UreHE1UkdaVzZwU0Ix +ZzdaNWtIZXdQYTgrZwppSUDjMQFsi8Lr6oOWFCbh8+FXBy+APg1LdcbJdRFowx0Z +MvSRLkiZw91J+1qQLZOoeKAzp5JE42aGU9dJTfxCixsU2QY9oX3Y/QE3JUWAj1ms +0GOUg9U4hg== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wireguard/server.private.age b/secrets/home/wireguard/server.private.age deleted file mode 100644 index 590a658..0000000 --- a/secrets/home/wireguard/server.private.age +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USByZnZh -NFhQSEZqSFdsNnRHT2Y0VEtrWUkyVG54aUNwUEQxNk5VYmU1S21vCngxeUFLVTVx -QXR2U2paQmE3SERyWjViOENrNnRyaUxQS2dKSHg2NVdIRUkKLT4gc3NoLWVkMjU1 -MTkgV2Y4dmp3IEdKbWNLRnJ5aWZvamJNY2hnTENvUUExQnIxMzVrejNua3Mvc3Zp -c2plV2MKZVJuNW5UOVIxZUlUOUc1dmFKbHJSaWhRYTQwNXkzdkp5WWwwWVhxbjNR -SQotPiBYMjU1MTkgOXB3Wk83ZGtRNWpCUFZlQXBDb09ycXlnbjNmNXRjYWF6Q21V -dG5MOThDZwp0RTFZRk9uZnFqakQvSU94cGlPSHd4WTBkQS9GODJIRWV6OWdTclpP -UFpFCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBkdG5qU2g5SUFrMUhtRW50blZ1eThx -eTRVNFUyTHVtMlpFQkR3YllkZkRRCmdhb3h6Q1hKdFJXR0duQ2xLbXZ1alZxOWZV -dzA0aXgwdnlZbzdqR0p2dmsKLT4gQFpANy8hLWdyZWFzZQpQc1p5SU1hZ0l1TzdC -TDlWSW5HbFZvNHRTNVh2U2xZcHVzMmxaWG5jZ200Vy94elZKVkd1cTYzeTgvRWp3 -N0w5ClRDSQotLS0gRUtqVXJ2d0VGT2srQUx2SmJxckRXbWZMZlhZbU9ZcVNhVFJE -SjZpYTNzSQqogzeEZyuK0GpIxT5ZRkfzuPaoXYL5ayljbXoPCtwZNdCLX6a0Yrna -2XX9IQF4oKf5Zb5hALG0KznFrtnF0+QmbOO1sp93TDSaiexQ1A== ------END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wireguard/server.public.age b/secrets/home/wireguard/server.public.age deleted file mode 100644 index d225a7d..0000000 --- a/secrets/home/wireguard/server.public.age +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBVNHMv -MncvRmNpUjVRT2k2d0ZPbWVPOTdjWlJkMDMwYjQrUWxVRGpyWTNjClBLMnk4MTZp -YXlVR1A0ajhIV3NDTEFRNkVPZmo1WWs0VWk2ZFRTS0QxWWcKLT4gc3NoLWVkMjU1 -MTkgV2Y4dmp3IHArZ1ZmNlFTRjBJV1JjWFlhMUg4UkdqcTBqTHJsYXV2dmJ5eWNZ -Z2hHSDQKOWdyZFdTSXozSndhK1pkaE81VVl2QncwdnlteUtla1RrUXlRNW90TDZl -dwotPiBYMjU1MTkgK2gzb2FseHNwQ010a2x0QzBEcWx5VUs3TWcyYWQ2MHB6WGs2 -Zzl2Nm1qVQo2TTdWMllsenM2MnRQZk5YWE9kSEY3YVFvd0FYbnlNdncxcDZhUkNY -OU1NCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNaFpKK1YzTzdZbUpmUTJ0V0NjeUo4 -eThYSzFZTFhCSEtYWGFUbmgvakI4CkdNMmp5WnZOMmpWQy9JQjBJU21DbTFHUTJ2 -b2NoTlRpR21BR3B1MlhiMmcKLT4gKS1ncmVhc2UgVgphcDJYdjZWNnArVEJGUExF -dnRob2UxTE1hTXQ5Y0lmSXBwQTNRYjF5WTkrWjZEZnhuVDFTWkNkOUpWZTUyVzRv -CktaNmp1elI2TEN4ZmdubEU1em5hRDUvdi9BcWRHVmhWZWdXWG5PaisKLS0tIGxZ -aVlXbmFLK3QyRHBsUVhVdEQvalpOeTFTcWJCNVd6QnhtdW9YWFA3c00KwrHWxx7T -O9MvLcn3YRXtyeoW+x8V3rOP2kHBXgMZql14lhrMqHy1x2znW6nuOw6KLcBI9ZM9 -KmbyPo8m8uL+b9/J7HirLjG0CgTfCdM= ------END AGE ENCRYPTED FILE----- diff --git a/secrets/privkey.age b/secrets/privkey.age new file mode 100644 index 0000000..576deab --- /dev/null +++ b/secrets/privkey.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> scrypt th81mkn70Q70CNNhfmD7xA 18 +NhPSSlSyViXXKmHCTuXhdMl9sJfSsdIxuLg4g6UNx8M +--- AEH6wKJ8ta2Ww/hGziO+nQY5Hjb+sm2Iaqub/JY4gGo + WTzdPQą6!7N6'E:LO)ӂ@f>/p28dQ^T)t_rATpK2taJ;y#2bG{W,|+phz] w\Ę}D哈XPy~K> it>y(wG+(Nj4<1ugDdL!0 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 50bc700..0010f9b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -21,8 +21,7 @@ let systems = [ jeeves_system limonka_system ]; in { - "home/wifi.env.age".publicKeys = users ++ systems; - "home/jeeves_password.age".publicKeys = users ++ [ jeeves_system ]; - "home/wireguard/server.private.age".publicKeys = users ++ [ jeeves_system ]; - "home/wireguard/server.public.age".publicKeys = users ++ [ jeeves_system ]; + "home/wifi/env.age".publicKeys = users ++ systems; + "home/jeeves/user/password.age".publicKeys = users ++ [ jeeves_system ]; + "home/jeeves/wireguard/private.age".publicKeys = users ++ [ jeeves_system ]; } diff --git a/shells/default/default.nix b/shells/default/default.nix index 291880d..c2bf579 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -11,10 +11,11 @@ nix home-manager git + wireguard-tools deploy-rs # inputs.agenix.packages.${pkgs.system}.agenix - inputs.ragenix.packages.${pkgs.system}.ragenix - wireguard-tools + # inputs.ragenix.packages.${pkgs.system}.ragenix rage + inputs.agenix-rekey.packages.${pkgs.system}.agenix-rekey ]; }
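Review bot: The renamed entries keep per-file `publicKeys` recipient lists in `secrets/secrets.nix`, but the devshell hunk below comments out `ragenix`, the tool that reads this file, and agenix-rekey derives recipients from `age.rekey.masterIdentities` and `hostPubkey` instead. If that reading is right, these lists stop describing who can actually decrypt the files and will drift from reality. Either remove the file once the migration works or add a header comment such as `# Legacy ragenix recipients; not read by agenix-rekey`.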