jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: jasmine:9fb72e762b56b57bfc7a26d659aa3b7d03586901
Branches Tags
jasmine:master
..
compare: jasmine:a276fdf53a62dd95d5a0be284916d61a4f884928
Branches Tags
jasmine:master

No commits in common. "9fb72e762b56b57bfc7a26d659aa3b7d03586901" and "a276fdf53a62dd95d5a0be284916d61a4f884928" have entirely different histories.
9fb72e762b ... a276fdf53a

3 changed files with 3 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

17
nixos/common/global/age.nix
View file

@ -1,5 +1,3 @@
# Agenix secret management with YubiKey rekeying
# Handles encrypted secrets for services requiring credentials
{ {
config, config,
pkgs, pkgs,
@ -8,34 +6,25 @@
}: let }: let
hostname = config.networking.hostName; hostname = config.networking.hostName;
in { in {
# Module imports
imports = [ imports = [
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
inputs.agenix-rekey.nixosModules.default inputs.agenix-rekey.nixosModules.default
]; ];
# Overlay provides agenix-rekey package and extensions
nixpkgs.overlays = [ nixpkgs.overlays = [
inputs.agenix-rekey.overlays.default inputs.agenix-rekey.overlays.default
]; ];
# CLI tool for manual secret rekeying operations
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
agenix-rekey agenix-rekey
]; ];
# Secret decryption configuration
# Use persistent paths to ensure SSH keys are available during early boot
# activation, before impermanence bind mounts /etc/ssh/
age.identityPaths = [
"/persist/etc/ssh/ssh_host_rsa_key"
"/persist/etc/ssh/ssh_host_ed25519_key"
];
# YubiKey-based secret rekeying
age.rekey = { age.rekey = {
# Pubkey for rekeying
hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub; hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
# Master identity used for decryption
masterIdentities = [../users/sajenim/agenix-rekey.pub]; masterIdentities = [../users/sajenim/agenix-rekey.pub];
# Where we store the rekeyed secrets
storageMode = "local"; storageMode = "local";
localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}"; localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
}; };

2
nixos/fuchsia/services/borgbackup/onsite.nix
View file

@ -13,8 +13,6 @@ in {
# Configure service to wait for completion before marking as active # Configure service to wait for completion before marking as active
systemd.services."borgbackup-job-onsite" = { systemd.services."borgbackup-job-onsite" = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
}; };

2
nixos/viridian/services/borgbackup/onsite.nix
View file

@ -22,8 +22,6 @@ in {
# Configure service to wait for completion before marking as active # Configure service to wait for completion before marking as active
systemd.services."borgbackup-job-onsite" = { systemd.services."borgbackup-job-onsite" = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
}; };