
Commit cc8d3d1

committed
redo secret mgmt
1 parent c6e974e commit cc8d3d1

15 files changed

+240
-89
lines changed

flake.lock

Lines changed: 173 additions & 57 deletions

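--- a/flake.nix
+++ b/flake.nix
@@ -5,16 +5,20 @@
 };
 
 inputs = {
-dev.url = "github:esselius/dev";
-dev.inputs.nixpkgs.follows = "nixpkgs-unstable";
+dev = {
+url = "github:esselius/dev";
+inputs.agenix-rekey.url = "github:esselius/agenix-rekey/fixes";
+inputs.nixpkgs.follows = "nixpkgs-unstable";
+};
+agenix-rekey.follows = "dev/agenix-rekey";
 
 nixpkgs.follows = "nixpkgs-unstable";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 nixpkgs-darwin.follows = "nixpkgs-unstable";
 nixpkgs-nixos.url = "github:NixOS/nixpkgs/nixos-24.11";
 
 raspberry-pi-nix.url = "github:tstat/raspberry-pi-nix/v0.4.1";
-raspberry-pi-nix.inputs.nixpkgs.follows = "nixpkgs";
+raspberry-pi-nix.inputs.nixpkgs.follows = "nixpkgs-nixos";
 authentik-nix = {
 url = "github:nix-community/authentik-nix/version/2025.2.1";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -126,11 +130,22 @@
 ./nixos-modules/default.nix
 inputs.raspberry-pi-nix.nixosModules.raspberry-pi
 inputs.agenix.nixosModules.default
+inputs.agenix-rekey.nixosModules.default
 inputs.authentik-nix.nixosModules.default
 {
 _module.args.mkAuthentikScope = inputs.authentik-nix.lib.mkAuthentikScope;
 nixpkgs-path = inputs.nixpkgs-nixos;
 nixpkgs-unstable-path = inputs.nixpkgs-unstable;
+
+age.rekey = {
+hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDfILv+PA582KwZYcJRX2yCcQVBlh7T9uWUieLBFXHo/";
+masterIdentities = [{
+identity = "/Users/peteresselius/.age-plugin-se.key";
+pubkey = "age1se1qw3jfq82crjk5x36g7wr8pxscvlynwaxpqjt6wran7j23ped4gjsypanfet";
+}];
+storageMode = "local";
+localStorageDir = ./. + "/secrets/rekeyed/adama";
+};
 }
 inputs.home-manager-nixos.nixosModules.home-manager
 ({ config, ... }: {
@@ -154,10 +169,21 @@
 ./nixos-configurations/starbuck.nix
 ./nixos-modules/default.nix
 inputs.raspberry-pi-nix.nixosModules.raspberry-pi
+inputs.agenix.nixosModules.default
+inputs.agenix-rekey.nixosModules.default
 inputs.authentik-nix.nixosModules.default
 {
 nixpkgs-path = inputs.nixpkgs-nixos;
 nixpkgs-unstable-path = inputs.nixpkgs-unstable;
+age.rekey = {
+hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFi1DoYv7wvIkYvTrjUVEqZI00H6d5437IgprVdFMI1+";
+masterIdentities = [{
+identity = "/Users/peteresselius/.age-plugin-se.key";
+pubkey = "age1se1qw3jfq82crjk5x36g7wr8pxscvlynwaxpqjt6wran7j23ped4gjsypanfet";
+}];
+storageMode = "local";
+localStorageDir = ./. + "/secrets/rekeyed/starbuck";
+};
 }
 inputs.home-manager-nixos.nixosModules.home-manager
 ({ config, ... }: {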
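Review bot: The `age.rekey` block added in the second hunk (adama) is repeated verbatim in the third (starbuck), with only `hostPubkey` and `localStorageDir` differing, and both copies hard-code `identity = "/Users/peteresselius/.age-plugin-se.key"`, an absolute path into one user's macOS home directory, so rekeying for every host is tied to that single machine and account and any change to the master identity has to be made twice. Move `masterIdentities` and `storageMode` into one shared module and leave only the per-host `hostPubkey` and `localStorageDir` in each configuration. Separately, the first hunk pins `dev.inputs.agenix-rekey.url` to the branch `github:esselius/agenix-rekey/fixes` of a personal fork; flake.lock fixes the revision, but since this is the tool that decrypts every secret with the master identity and re-encrypts it, a comment on that line naming what the fork changes and when it can return to upstream would help the next reader judge the pin. The configuration blocks these hunks sit in start and end outside the hunks.
```nix
# nixos-modules/rekey.nix (constructed example): agenix-rekey settings shared by all hosts
{ ... }:
{
  age.rekey = {
    masterIdentities = [{
      identity = "/Users/peteresselius/.age-plugin-se.key";
      pubkey = "age1se1qw3jfq82crjk5x36g7wr8pxscvlynwaxpqjt6wran7j23ped4gjsypanfet";
    }];
    storageMode = "local";
  };
}
# … unchanged: each host then sets only age.rekey.hostPubkey and age.rekey.localStorageDir …
```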

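--- a/home-modules/git.nix
+++ b/home-modules/git.nix
@@ -1,10 +1,11 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 
 {
 programs.git = {
 enable = true;
 
 userName = "Peter Esselius";
+userEmail = lib.mkDefault "[email protected]";
 
 aliases = {
 l = "log --graph --decorate --pretty=format:\"%C(yellow)%h%C(reset)%C(auto)%d%C(reset) %s %C(yellow)(%C(cyan)%ar%C(yellow), %C(blue)%an%C(yellow))%C(reset)\"";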

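--- a/nixos-configurations/adama.nix
+++ b/nixos-configurations/adama.nix
@@ -42,11 +42,11 @@
 ];
 
 age.secrets = {
-grafana-env.file = ../secrets/grafana-env.age;
-authentik-env.file = ../secrets/authentik-env.age;
+grafana-env.rekeyFile = ../secrets/grafana-env.age;
+authentik-env.rekeyFile = ../secrets/authentik-env.age;
 z2m = {
 name = "z2m.yaml";
-file = ../secrets/z2m.age;
+rekeyFile = ../secrets/z2m.age;
 owner = "zigbee2mqtt";
 group = "zigbee2mqtt";
 };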
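Review bot: Nothing in this hunk records the operational consequence of switching `file` to `rekeyFile`: with `storageMode = "local"` and `localStorageDir = ./. + "/secrets/rekeyed/adama"` in flake.nix, the host no longer decrypts `../secrets/*.age` itself but reads a copy re-encrypted to its `hostPubkey`, so (if I read agenix-rekey's local mode correctly) every edit to a secret has to be followed by a rekey run and a commit of the `secrets/rekeyed/<host>` output before the next deploy, or the build fails or serves a stale secret. A one-line comment above `age.secrets = {`, such as `# rekeyFile: after editing a secret, run the agenix-rekey step and commit secrets/rekeyed/adama`, would make that visible to whoever touches these files next. The same `file` → `rekeyFile` substitution in nixos-modules/ca.nix (`step-ca`) has the same gap. The `age.secrets` attrset itself is complete in the hunk, but the enclosing module starts and ends outside it.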

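--- a/nixos-modules/ca.nix
+++ b/nixos-modules/ca.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 
 {
-age.secrets.step-ca.file = ../secrets/step-ca.age;
+age.secrets.step-ca.rekeyFile = ../secrets/step-ca.age;
 
 services.step-ca = {
 enable = true;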

secrets/authentik-env.age

-23 Bytes
Binary file not shown.

secrets/grafana-env.age

-9 Bytes
Binary file not shown.

secrets/home-email.age

Lines changed: 0 additions & 5 deletions
This file was deleted.
Binary file not shown.
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
age-encryption.org/v1
2+
-> ssh-ed25519 cHttuw 4N7ofBvAsVMFCQy2ds+NI4i29kchQbEbcNab1aKmfjo
3+
AHDORl1WRPSipt5bwowUzTHtZ5efQC55W8m5jZimXV0
4+
-> EP!-grease
5+
pJOR
6+
--- lFUYLqlTEP1O36SdfZtjoZp6Yb4cVba2HrZWLdpn9fY
7+
G��#mrV]
8+
UZ�RM$�z�Jm�>���Sb� ��ЦZ]����ܡ��ɪ�V�X{�5� ���.
