modules/features/agenix.nix

{
  inputs,
  ...
}:
{
  imports = [
    inputs.agenix-rekey.flakeModule
  ];

  perSystem =
    { config, pkgs, ... }:
    {
      devShells.default = pkgs.mkShell {
        packages = [ config.agenix-rekey.package ];
      };

      agenix-rekey.nixosConfigurations = inputs.self.nixosConfigurations;
    };

  flake.modules.nixos.agenix =
    {
      config,
      lib,
      ...
    }:
    {
      imports = [
        inputs.agenix.nixosModules.default
        inputs.agenix-rekey.nixosModules.default
      ];

      services.openssh.generateHostKeys = true;

      age = {
        # Need to explicitly set identity paths because OpenSSH daemon is disabled
        # but the host keys are still generated via services.openssh.generateHostKeys = true
        identityPaths = map (key: key.path) config.services.openssh.hostKeys;
        rekey = {
          masterIdentities = [ (inputs.secrets + "/age-yubikey-identity-d9ed335b.pub") ];
          storageMode = "local";
          localStorageDir = inputs.secrets + "/rekeyed/${config.networking.hostName}";
        }
        # We only set the hostPubkey if one is supplied. For new hosts the pub key will not
        # exist until it is generated after the first rebuild. Runtime decryption will fail
        # but then the ssh host key will be generated in /etc/ssh and can be supplied
        // lib.optionalAttrs (config.hostPubkey != null) {
          hostPubkey = config.hostPubkey;
        };
      };
    };
}
Initial dendritic rewrite 2026-04-04 16:46:30 -04:00			`{`
			`inputs,`
			`...`
			`}:`
			`{`
			`imports = [`
			`inputs.agenix-rekey.flakeModule`
			`];`

			`perSystem =`
			`{ config, pkgs, ... }:`
			`{`
Removed stylix and a few small fixes 2026-04-04 17:56:31 -04:00			`devShells.default = pkgs.mkShell {`
			`packages = [ config.agenix-rekey.package ];`
Initial dendritic rewrite 2026-04-04 16:46:30 -04:00			`};`

			`agenix-rekey.nixosConfigurations = inputs.self.nixosConfigurations;`
			`};`

			`flake.modules.nixos.agenix =`
			`{`
			`config,`
			`lib,`
			`...`
			`}:`
			`{`
			`imports = [`
			`inputs.agenix.nixosModules.default`
			`inputs.agenix-rekey.nixosModules.default`
			`];`

			`services.openssh.generateHostKeys = true;`

			`age = {`
			`# Need to explicitly set identity paths because OpenSSH daemon is disabled`
			`# but the host keys are still generated via services.openssh.generateHostKeys = true`
			`identityPaths = map (key: key.path) config.services.openssh.hostKeys;`
			`rekey = {`
			`masterIdentities = [ (inputs.secrets + "/age-yubikey-identity-d9ed335b.pub") ];`
			`storageMode = "local";`
			`localStorageDir = inputs.secrets + "/rekeyed/${config.networking.hostName}";`
			`}`
			`# We only set the hostPubkey if one is supplied. For new hosts the pub key will not`
			`# exist until it is generated after the first rebuild. Runtime decryption will fail`
			`# but then the ssh host key will be generated in /etc/ssh and can be supplied`
			`// lib.optionalAttrs (config.hostPubkey != null) {`
			`hostPubkey = config.hostPubkey;`
			`};`
			`};`
			`};`
			`}`