diff --git a/nixos/common/global/age.nix b/nixos/common/global/age.nix index 30a6563..f5c6e77 100644 --- a/nixos/common/global/age.nix +++ b/nixos/common/global/age.nix @@ -16,21 +16,13 @@ in agenix-rekey ]; - age = { - # Master identity used for decryption - rekey.masterIdentities = [ ../users/sajenim/agenix-rekey.pub ]; + age.rekey = { # Pubkey for rekeying - rekey.hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub; + hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub; + # Master identity used for decryption + masterIdentities = [ ../users/sajenim/agenix-rekey.pub ]; # Where we store the rekeyed secrets - rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\""; - # All rekeyed secrets for each host will be collected in a derivation which copies them to the nix store when it is built - rekey.storageMode = "derivation"; + storageMode = "local"; + localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}"; }; - # Required to persist `/var/tmp/agenix-rekey` - environment.persistence."/persist".directories = [ - { directory = "/var/tmp/agenix-rekey"; mode = "1777"; } - ]; - # As user not a trusted-users in our nix.conf - # we must add age.rekey.cacheDir as a global extra sandbox path - nix.settings.extra-sandbox-paths = [ "/var/tmp/agenix-rekey" ]; } diff --git a/nixos/common/global/secrets/rekeyed/fuchsia/146f3229661998a1ca74449720287a7d-smb-secrets.age b/nixos/common/global/secrets/rekeyed/fuchsia/146f3229661998a1ca74449720287a7d-smb-secrets.age new file mode 100644 index 0000000..0d75c86 --- /dev/null +++ b/nixos/common/global/secrets/rekeyed/fuchsia/146f3229661998a1ca74449720287a7d-smb-secrets.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 jVljVA ILfVChFf5s9U6CODItB/TqS1tUaAEeoLAGiNKPbDclU +MCyVqjOPexZm+is5JWG5zfbS26nJj/Z4mk6SJDufBPM +-> RƥՐII9s~a{'<5|o;_*T'|ysvt(X_J.`r`"|*[ \ No newline at end of file 
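Review bot: The new `age.rekey` block derives `hostPubkey` from `${hostname}` but `localStorageDir` from `${config.networking.hostName}`; if those two ever differ (`hostname` is bound in a `let` outside this hunk, so it cannot be checked here), a host would be rekeyed against one key and look for its secrets in a different directory. Use one source for both, e.g. `localStorageDir = ./. + "/secrets/rekeyed/${hostname}";`. The comment `# Where we store the rekeyed secrets` now sits above `storageMode = "local"` rather than the directory it describes; move it above `localStorageDir` and extend it to say that with local storage the rekeyed `.age` files are committed to the repository encrypted to each host's SSH host key, so their confidentiality rests on that host private key staying on the host. The enclosing attribute set opens and closes outside this hunk.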
diff --git a/nixos/common/global/secrets/rekeyed/viridian/026c5a7ee6936afe4252144b692d20dd-enrollment-key.age b/nixos/common/global/secrets/rekeyed/viridian/026c5a7ee6936afe4252144b692d20dd-enrollment-key.age new file mode 100644 index 0000000..4a1914c --- /dev/null +++ b/nixos/common/global/secrets/rekeyed/viridian/026c5a7ee6936afe4252144b692d20dd-enrollment-key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 KTkZog wTpircyIN9PphOvX8FtFMU6Qir790QIhdWGGhp+NSS4 +NxK4uP2YyJXdhuixQVslEAEecvTu2HUM0JNYxN4uT9M +-> Y"s_\v5`-grease [YNL^5 eKm) 9eS1} r +BWWX7A4Jar3ojDWzyxayQ0Vi95RG2tE +--- o0F6BEiHny57JBW9psAG7JgxoIO0jzbIJ9AG9cROdd4 +-s;'/G rȂ Iw 2P*EW~j#4ZwV \ No newline at end of file diff --git a/nixos/common/global/secrets/rekeyed/viridian/28bc204cd826947442f56c6ddc28829f-traefik.age b/nixos/common/global/secrets/rekeyed/viridian/28bc204cd826947442f56c6ddc28829f-traefik.age new file mode 100644 index 0000000..fa3afe6 --- /dev/null +++ b/nixos/common/global/secrets/rekeyed/viridian/28bc204cd826947442f56c6ddc28829f-traefik.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 KTkZog UtP8CzqqbmeIL6dRQ6UQFP4/ZZWQBPUxbzhqdMnPwSw +EMkbY1yoyamLXQ3e8cFK+NW7NSgoWS3/zB0O2odXanI +-> za72-grease +kRZubf60Uy2ne30UxkeIsgOuKPfx44pvVyMHGxlaHXhC8InnJu8JFAiYuFsc8ky7 +e7c5 +--- 15mIrLf9zjT7wEgTsFaUcH5ADhBAf4drxiueUSd/gus +˞4bE#.]a  ssh-ed25519 KTkZog eD/tQAdKjWDDg1sI5fYeLrVTsYA11Pqb+BvHKkbBIxk +VHZXnKoyb4QhC6+ir/B+yfAdJ76d6koegb9LGS60Ik4 +-> m(_p-grease 9:63B,o +GI8IPaOpdPBzOiUcj02Be+Ep54hnawoZ6ypt47k +--- 8CrSHUUOTWZ11AKVsXHCfSfpcllFwv2Q6xJMHpPQYe0 +7ă~M#eꚶ0@T +ƾt$ʏPHz6 +<ȼ->:] ʙ \ No newline at end of file diff --git a/nixos/common/global/secrets/rekeyed/viridian/4108bf86376b696948d4139797cfc8ba-microbin.age b/nixos/common/global/secrets/rekeyed/viridian/4108bf86376b696948d4139797cfc8ba-microbin.age new file mode 100644 index 0000000..e9b6d06 Binary files /dev/null and b/nixos/common/global/secrets/rekeyed/viridian/4108bf86376b696948d4139797cfc8ba-microbin.age differ