Added agenix-rekey

modules/system/agenix.nix

@@ -1,20 +1,42 @@
 {
   inputs,
+  config,
   pkgs,
+  lib,
+  host,
+  hostPubkey ? null,
   ...
 }:
 {
   imports = [
     inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
   ];
 
   environment.systemPackages = [
-    inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default # CLI Tool
+    # agenix-rekey's CLI tool replaces standard agenix's
+    inputs.agenix-rekey.packages.${pkgs.stdenv.hostPlatform.system}.default
   ];
 
-  age.secrets = {
-    tailscale-auth.file = ../../secrets/tailscale-auth.age;
-    eclypsecloud-eclypse.file = ../../secrets/eclypsecloud-eclypse.age;
-    eclypse-password.file = ../../secrets/eclypse-password.age;
+  age = {
+    # Need to explicitly set identity paths because OpenSSH daemon is disabled
+    # but the host keys are still generated via services.openssh.generateHostKeys = true
+    identityPaths = map (key: key.path) config.services.openssh.hostKeys;
+    rekey = {
+      masterIdentities = [ "${inputs.self}/secrets/age-yubikey-identity-d9ed335b.pub" ];
+      storageMode = "local";
+      localStorageDir = ../../. + "/secrets/rekeyed/${host}";
+    }
+    # We only set the hostPubkey if one is supplied. For new hosts the pub key will not
+    # exist until it is generated after the first rebuild. Runtime decryption will fail
+    # but then the ssh host key will be generated in /etc/ssh and can be supplied
+    // lib.optionalAttrs (hostPubkey != null) {
+      inherit hostPubkey;
+    };
+    secrets = {
+      tailscale-auth.rekeyFile = ../../secrets/tailscale-auth.age;
+      eclypsecloud-eclypse.rekeyFile = ../../secrets/eclypsecloud-eclypse.age;
+      eclypse-password.rekeyFile = ../../secrets/eclypse-password.age;
+    };
   };
 }

modules/system/security.nix

@@ -1,4 +1,5 @@
 {
+  pkgs,
   ...
 }:
 {
@@ -7,6 +8,10 @@
     yubikey-touch-detector.enable = true;
   };
 
+  environment.systemPackages = with pkgs; [
+    age-plugin-yubikey
+  ];
+
   services = {
     yubikey-agent.enable = true;
   };

modules/system/services.nix

@@ -52,14 +52,10 @@
 
     upower.enable = true;
 
-    # Enable the OpenSSH daemon. (Look into Fail2Ban in the future)
+    # Disable SSH daemon but generate host keys anyway for secret rekeying
     openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "prohibit-password";
-        AllowUsers = [ "eclypse" ];
-      };
+      enable = false;
+      generateHostKeys = true;
     };
 
     system76-scheduler.settings.cfsProfiles.enable = true;