# agenix + agenix-rekey wiring for a single host.
#
# Module arguments:
#   inputs     - flake inputs; agenix, agenix-rekey and self are read here
#   config     - the evaluated NixOS config (only services.openssh.hostKeys is read)
#   pkgs       - nixpkgs for the host platform
#   lib        - nixpkgs lib
#   host       - host name; selects the secrets/rekeyed/<host> directory
#   hostPubkey - the host's SSH public key, or null for a host that has not
#                been built yet (see the note on age.rekey below)
{
  inputs,
  config,
  pkgs,
  lib,
  host,
  hostPubkey ? null,
  ...
}:

let
  system = pkgs.stdenv.hostPlatform.system;

  # Runtime decryption keys: the paths of the host's OpenSSH host keys. They
  # have to be listed explicitly because the OpenSSH daemon is disabled on
  # this host, while the keys themselves are still generated via
  # services.openssh.generateHostKeys = true (set outside this module).
  hostKeyPaths = builtins.map (k: k.path) config.services.openssh.hostKeys;

  # Rekeying is only possible once the host's public key is known. A freshly
  # created host has none until after its first rebuild: runtime decryption
  # will fail on that first boot, the SSH host key gets generated in /etc/ssh,
  # and its public half can then be supplied as hostPubkey.
  knownHost = lib.optionalAttrs (hostPubkey != null) { inherit hostPubkey; };
in
{
  imports = [
    inputs.agenix.nixosModules.default
    inputs.agenix-rekey.nixosModules.default
  ];

  # agenix-rekey's CLI tool replaces standard agenix's
  environment.systemPackages = [ inputs.agenix-rekey.packages.${system}.default ];

  age = {
    identityPaths = hostKeyPaths;

    rekey =
      {
        # Master identity used for rekeying; the file name indicates a
        # YubiKey-backed age identity, so only the public half is expected to
        # live in the repository (NOTE(review): confirm against the file itself).
        masterIdentities = [ "${inputs.self}/secrets/age-yubikey-identity-d9ed335b.pub" ];
        # Rekeyed ciphertexts are kept in-tree, one directory per host.
        storageMode = "local";
        localStorageDir = ../../secrets/rekeyed + "/${host}";
      }
      // knownHost;

    # Secrets this host decrypts at activation; each points at the
    # master-encrypted .age file that gets rekeyed for this host.
    secrets = {
      tailscale-auth.rekeyFile = ../../secrets/tailscale-auth.age;
      eclypsecloud-eclypse.rekeyFile = ../../secrets/eclypsecloud-eclypse.age;
      eclypse-password.rekeyFile = ../../secrets/eclypse-password.age;
    };
  };
}