Added agenix-rekey

2025-12-21 00:36:01 -05:00
parent f4b3ac54ef
commit 388af355bb
13 changed files with 241 additions and 47 deletions
--- a/secrets/age-yubikey-identity-d9ed335b.pub
+++ b/secrets/age-yubikey-identity-d9ed335b.pub
@@ -0,0 +1,7 @@
+#       Serial: 27501992, Slot: 1
+#         Name: agenix-rekey-alpha
+#      Created: Sat, 20 Dec 2025 06:01:41 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qvq48l020xg9xtt5epdpnzp3kvkm2vvc57357p58pyfq557a8q8hv84c82e
+AGE-PLUGIN-YUBIKEY-14ZJ6XQVZM8KNXKCT2PKLW
--- a/secrets/eclypse-password.age
+++ b/secrets/eclypse-password.age
--- a/secrets/eclypsecloud-eclypse.age
+++ b/secrets/eclypsecloud-eclypse.age
--- a/secrets/rekeyed/vanta/40b96312f0efd258467853db2ff842cb-tailscale-auth.age
+++ b/secrets/rekeyed/vanta/40b96312f0efd258467853db2ff842cb-tailscale-auth.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 7p4RPw HgBYYM/VqZ4KN4V4TrGmk86wPRhDgM+VaXfa3VlODRM
+OdM//HvJTzB7/jw+c+6euiYz9ptUf/z22tzJSgxTD+w
+-> B%P@9-grease
+Zgr76aiZDhCWBdnbxoOptAfEuM1RWw1bN4rsUCec4VP0cDN856bCtaQjnWWbSTvv
+YPHtmw
+--- obv+bg63dTlnoke3tQdkAizcAqsYG2sUjYBZrhGZG68
+(2Ÿã$ÃY@ö<>i°7òjþ<02>ÕarÄ7¼X$UêÝ~åô|œå'¯óéoo`¢†¯¹úDÆ†{¸#º%š<<mÊO)Vƒõ2C<17><!¨e©Ýº(24·¹Œ~™¦
--- a/secrets/rekeyed/vanta/853ffda11ae0836ce38bb5da13840b31-eclypse-password.age
+++ b/secrets/rekeyed/vanta/853ffda11ae0836ce38bb5da13840b31-eclypse-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 7p4RPw FdmJ1odfweTU4HWPTeWuEcoIUq1V4ke28BWmlNNdNHg
+9qi5QQHociRgSzZ97HifRDf+/Hh0cCZJzFsobpP1cpU
+-> 4pq5-grease
+yKZUs4lQM6BQgsyzMn3T1pvUt393/NvcRe7KwuTCDCU
+--- N7NO5Ps2SG3SFNNnNNvYUSGgA0b5Dk7H6+x0rt6JtXA
+DlŽ]epÛ(F0i3<Æû¿‰„Sm×E½EhÊ£ïS¯eXèËÁçŸÒô›V$0žÅœ©é c`²ˆ%ÕøöüàQ©£¯â7&øX,ëéLoš÷?QQ+ª~|%{‡»ð-Vï%H±):Ö<>]Kx¼½KªÎNXÁª6éÂÛ¦ejOÉë#XÊÇ
--- a/secrets/rekeyed/vanta/881aa01f75dfd34827ffdc11d7c11533-eclypsecloud-eclypse.age
+++ b/secrets/rekeyed/vanta/881aa01f75dfd34827ffdc11d7c11533-eclypsecloud-eclypse.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,19 +0,0 @@
-# This file is NOT imported into the nix configuration, it is just for the agenix CLI
-let
-  # System public ssh keys (/etc/ssh/)
-  vanta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaDVBJdMDFL8r9NQCbaLe+DPHGhGzRv2N7+7m1/U8DP";
-in
-{
-  # Tailscale auth key need to be up to date with a valid auth key in the tailscale
-  # dashboard. Single-use keys expire after a single machine connects, and even
-  # reusable keys expire after 90 days.
-  # Update tailscale-auth.age with `agenix -e tailscale-auth.age -i /path/to/private-ssh-key`
-  # Note: Only devices with the below public keys are allowed to edit tailscale-auth.age
-  "tailscale-auth.age".publicKeys = [ vanta ]; # Devices allowed to join the tailnet;
-
-  # Devices that can connect to EclypseCloud with the eclypse user.
-  "eclypsecloud-eclypse.age".publicKeys = [ vanta ];
-
-  # Devices that have the eclypse user
-  "eclypse-password.age".publicKeys = [ vanta ];
-}
--- a/secrets/tailscale-auth.age
+++ b/secrets/tailscale-auth.age
@@ -1,6 +1,8 @@
 age-encryption.org/v1
-> ssh-ed25519 7p4RPw 7GuZj43+NoyPXf//ZLM99vossbJXOpDQSkBi3w51Wl8
-FTMjlyml+T87LQffffY2AJL5IhTAJF2QlfFvhvZpvOs
--- iONf8B3bUxXtCiv0EAv5QO0ZyhE5A6YfRbcxUr/awFg
-•‚±âTwï¬J`°~B
-”Ù;ùlOhä·{2Ô?¦ýP˜µF>@m¯o·éc‰õ~Xª3š@.gÉÚ¾æeKÌÀV7zphS‰øØ¯6ù™.WÉûO@F	
+-> piv-p256 2e0zWw ApoXPsP2VGfJnOt+dDk7DfssOkbM/3vkn4jwSfxD4UAj
+jtn4DCA/EyrTl9DW1hs84yd3RgVuDU77ggM218HiUdc
+-> *E(-grease Ull1npy_ >F7 *?
+IM+85AtRNlMrFgqk/uAG
+--- nxCTKF6R3E/qaTTgr7jZdz4ZLRE15NsJpyKHizEJnPw
+ø>¡"l°ðé´ßrésNŒ®V*FËIÝ|•†0XÓ8öÂ
+ò<EFBFBD>|PžäÏÙF »ÊD“\xðZ¯šP±ó]¶Ê§€t-"n¦m<C2A6>©ˆÐø&‘Í|À	%”þ‡æÝ.Ó†