From 9c709598d1ec35abe5750cfe3537537e9d21e7e8 Mon Sep 17 00:00:00 2001
From: reo101
Date: Mon, 2 Sep 2024 21:52:40 +0300
Subject: [PATCH] feat(secrets): declare `agenix-rekey` `hostPubkey` in `meta`
---
hosts/nixos/jeeves/configuration.nix | 8 --------
hosts/nixos/jeeves/meta.nix | 3 +++
modules/flake/configurations/default.nix | 3 +++
3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/hosts/nixos/jeeves/configuration.nix b/hosts/nixos/jeeves/configuration.nix
index d50ed62..df5e3c6 100644
--- a/hosts/nixos/jeeves/configuration.nix
+++ b/hosts/nixos/jeeves/configuration.nix
@@ -24,14 +24,6 @@
 # services.kanidm = { };
- age.rekey = {
- # TODO: store in `meta`
- hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
- # masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];
- # storageMode = "local";
- # localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
- };
-
 networking.hostName = "jeeves";
 boot = {
diff --git a/hosts/nixos/jeeves/meta.nix b/hosts/nixos/jeeves/meta.nix
index 1b501ce..baf91f2 100644
--- a/hosts/nixos/jeeves/meta.nix
+++ b/hosts/nixos/jeeves/meta.nix
@@ -2,6 +2,9 @@
 # The `system` of the host
 system = "x86_64-linux";
+ # The host SSH key, used for encrypting agenix secrets
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
+
 # `deploy-rs` configuration
 deploy = {
 # This is the hostname by which you'll refer to this machine using reploy-rs
diff --git a/modules/flake/configurations/default.nix b/modules/flake/configurations/default.nix
index 0564e74..c1e418d 100644
--- a/modules/flake/configurations/default.nix
+++ b/modules/flake/configurations/default.nix
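Review bot: The comment on the new `pubkey` line in meta.nix should state that this is the host's public key and that secrets are encrypted to it, so a reader neither mistakes the value for sensitive material nor assumes the repository holds anything that can decrypt the secrets; e.g. `# Public half of the host's SSH ed25519 host key; agenix-rekey encrypts this host's secrets to it, so it must match the key actually present on the host (rekey after any host-key rotation)`. The "must match" and "rekey after rotation" parts are inferred from the old `age.rekey.hostPubkey` placement in configuration.nix rather than visible here, so confirm them against the agenix-rekey documentation before committing the wording. The attribute is consumed by name in modules/flake/configurations/default.nix, so it is also worth noting in the comment that the name `pubkey` is what that module looks for.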
@@ -64,6 +64,9 @@ let
 # (r)agenix && agenix-rekey
 inputs.ragenix.nixosModules.default
 inputs.agenix-rekey.nixosModules.default
+ (lib.optionalAttrs (meta ? pubkey) {
+ age.rekey.hostPubkey = meta.pubkey;
+ })
 # nix-topology
 inputs.nix-topology.nixosModules.default
 # Sane default `networking.hostName`
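Review bot: The `(meta ? pubkey)` guard means a host whose meta.nix omits `pubkey`, or misspells it, silently gets no `age.rekey.hostPubkey`, and the mistake only surfaces later when rekeying for that host fails; the fallthrough deserves a comment on the added lines, e.g. `# Hosts without meta.pubkey get no hostPubkey; agenix-rekey then has nothing to encrypt their secrets to, so expect rekeying to fail for them until one is added`. If every host in this flake is expected to carry rekeyed secrets, dropping the `optionalAttrs` so evaluation fails loudly on a missing key would be the safer default, but that depends on hosts not visible in this hunk. The enclosing `let` block and module list start and end outside the hunk.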