docs(age): improve readability with structured comments

Add section headers and explanatory comments to clarify the purpose of each configuration block, with emphasis on the critical persistent path requirement for early boot secret decryption.
2025-10-12 10:19:42 +08:00 · 2025-10-12 10:19:42 +08:00 · 9fb72e762b
commit 9fb72e762b
parent 4389500ccc
1 changed files with 14 additions and 3 deletions
--- a/nixos/common/global/age.nix
+++ b/nixos/common/global/age.nix
@ -1,3 +1,5 @@
+# Agenix secret management with YubiKey rekeying
+# Handles encrypted secrets for services requiring credentials
 {
  config,
  pkgs,
@ -6,25 +8,34 @@
 }: let
  hostname = config.networking.hostName;
 in {
+  # Module imports
  imports = [
    inputs.agenix.nixosModules.default
    inputs.agenix-rekey.nixosModules.default
  ];

+  # Overlay provides agenix-rekey package and extensions
  nixpkgs.overlays = [
    inputs.agenix-rekey.overlays.default
  ];

+  # CLI tool for manual secret rekeying operations
  environment.systemPackages = with pkgs; [
    agenix-rekey
  ];

+  # Secret decryption configuration
+  # Use persistent paths to ensure SSH keys are available during early boot
+  # activation, before impermanence bind mounts /etc/ssh/
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_rsa_key"
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
+
+  # YubiKey-based secret rekeying
  age.rekey = {
-    # Pubkey for rekeying
    hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
-    # Master identity used for decryption
    masterIdentities = [../users/sajenim/agenix-rekey.pub];
-    # Where we store the rekeyed secrets
    storageMode = "local";
    localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
  };