nixos/common/global/age.nix

@@ -1,5 +1,3 @@
-# Agenix secret management with YubiKey rekeying
-# Handles encrypted secrets for services requiring credentials
 {
   config,
   pkgs,
@@ -8,34 +6,25 @@
 }: let
   hostname = config.networking.hostName;
 in {
-  # Module imports
   imports = [
     inputs.agenix.nixosModules.default
     inputs.agenix-rekey.nixosModules.default
   ];
 
-  # Overlay provides agenix-rekey package and extensions
   nixpkgs.overlays = [
     inputs.agenix-rekey.overlays.default
   ];
 
-  # CLI tool for manual secret rekeying operations
   environment.systemPackages = with pkgs; [
     agenix-rekey
   ];
 
-  # Secret decryption configuration
-  # Use persistent paths to ensure SSH keys are available during early boot
-  # activation, before impermanence bind mounts /etc/ssh/
-  age.identityPaths = [
-    "/persist/etc/ssh/ssh_host_rsa_key"
-    "/persist/etc/ssh/ssh_host_ed25519_key"
-  ];
-
-  # YubiKey-based secret rekeying
   age.rekey = {
+    # Pubkey for rekeying
     hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub;
+    # Master identity used for decryption
     masterIdentities = [../users/sajenim/agenix-rekey.pub];
+    # Where we store the rekeyed secrets
     storageMode = "local";
     localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
   };

nixos/fuchsia/services/borgbackup/onsite.nix

@@ -13,8 +13,6 @@ in {
 
   # Configure service to wait for completion before marking as active
   systemd.services."borgbackup-job-onsite" = {
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
     serviceConfig = {
       Type = "oneshot";
     };

nixos/viridian/services/borgbackup/onsite.nix

@@ -22,8 +22,6 @@ in {
 
   # Configure service to wait for completion before marking as active
   systemd.services."borgbackup-job-onsite" = {
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
     serviceConfig = {
       Type = "oneshot";
     };