nixos/parts/modules/base/secrets.nix

{hostname, ...}: let
  hostSecrets = ../../../secrets/hosts + ("/" + hostname);
  publicKey = builtins.readFile (hostSecrets + "/id_ed25519.pub");
in {
  age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
  age.rekey = {
    storageMode = "local";
    hostPubkey = publicKey;
    masterIdentities = [
      {
        identity = ../../../secrets/yubikey-identity.pub;
      }
    ];
    extraEncryptionPubkeys = [
      "age1pzrfw28f8qvsk9g8p2stundf4ph466jut0g6q47sse76zljtqy9q2w32zr" # Backup key (bitwarden)
    ];
    localStorageDir = hostSecrets + /.rekey;
    generatedSecretsDir = hostSecrets;
  };
}
complete rework v3 2025-02-18 20:17:57 +01:00			`{hostname, ...}: let`
			`hostSecrets = ../../../secrets/hosts + ("/" + hostname);`
			`publicKey = builtins.readFile (hostSecrets + "/id_ed25519.pub");`
			`in {`
fix desktop public key 2025-02-19 20:32:36 +00:00			`age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];`
complete rework v3 2025-02-18 20:17:57 +01:00			`age.rekey = {`
			`storageMode = "local";`
			`hostPubkey = publicKey;`
			`masterIdentities = [`
			`{`
			`identity = ../../../secrets/yubikey-identity.pub;`
			`}`
			`];`
			`extraEncryptionPubkeys = [`
			`"age1pzrfw28f8qvsk9g8p2stundf4ph466jut0g6q47sse76zljtqy9q2w32zr" # Backup key (bitwarden)`
			`];`
			`localStorageDir = hostSecrets + /.rekey;`
			`generatedSecretsDir = hostSecrets;`
			`};`
			`}`