feat(secrets): declare agenix-rekey hostPubkey in meta

hosts/nixos/jeeves/configuration.nix

@@ -24,14 +24,6 @@
 
   # services.kanidm = { };
 
-  age.rekey = {
-    # TODO: store in `meta`
-    hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
-    # masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];
-    # storageMode = "local";
-    # localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
-  };
-
   networking.hostName = "jeeves";
 
   boot = {

hosts/nixos/jeeves/meta.nix

@@ -2,6 +2,9 @@
   # The `system` of the host
   system = "x86_64-linux";
 
+  # The host SSH key, used for encrypting agenix secrets
+  pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
+
   # `deploy-rs` configuration
   deploy = {
     # This is the hostname by which you'll refer to this machine using reploy-rs

modules/flake/configurations/default.nix

@@ -64,6 +64,9 @@ let
       # (r)agenix && agenix-rekey
       inputs.ragenix.nixosModules.default
       inputs.agenix-rekey.nixosModules.default
+      (lib.optionalAttrs (meta ? pubkey) {
+        age.rekey.hostPubkey = meta.pubkey;
+      })
       # nix-topology
       inputs.nix-topology.nixosModules.default
       # Sane default `networking.hostName`