nixos-config/modules/global/secrets.nix

{ inputs, host, lib, ... }:
let
  keys = {
    phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsrEEXQwcu4i7hOqCbpwd4EdC/+v9fAWm30MUXhVpp5";
    cepheus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGm1PymMJ2JnE973UCaezWQFKyZi7lsAzHshUUwafa8F";
    naos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcR9C753wDWjg/oJxn6p9kLMaiaOPJFNT0xYPICXK52";
  };
in {
  environment.systemPackages = [ inputs.agenix-rekey.packages.x86_64-linux.default ];
  imports = [
    inputs.agenix.nixosModules.default
    inputs.agenix-rekey.nixosModules.default
  ];
  
  age.identityPaths = [ "/nix/keys/identity" ]; # default key path
  age.rekey = {
    masterIdentities = [
      { identity = "/home/user/.ssh/id_ed25519";
        pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A"; }
    ];
    storageMode = "local";
    generatedSecretsDir = ../../secrets/generated/${host};
    localStorageDir = ../../secrets/rekeyed/${host};
  };

  # services.openssh.enable = true;
  services.openssh.hostKeys = [{
    path = "/nix/keys/identity";
    type = "ed25519";
  }];

# TODO: define key via hosts/<name>/default.nix

  nodes.phoenix.age.rekey.hostPubkey = keys.phoenix;
  nodes.cepheus.age.rekey.hostPubkey = keys.cepheus;
  # nodes.tureis.age.rekey.hostPubkey = ""; # TODO
  nodes.naos.age.rekey.hostPubkey = keys.naos;
}
Initial commit 2025-08-20 18:24:02 +03:00			`{ inputs, host, lib, ... }:`
			`let`
			`keys = {`
			`phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsrEEXQwcu4i7hOqCbpwd4EdC/+v9fAWm30MUXhVpp5";`
			`cepheus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGm1PymMJ2JnE973UCaezWQFKyZi7lsAzHshUUwafa8F";`
			`naos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcR9C753wDWjg/oJxn6p9kLMaiaOPJFNT0xYPICXK52";`
			`};`
			`in {`
			`environment.systemPackages = [ inputs.agenix-rekey.packages.x86_64-linux.default ];`
			`imports = [`
			`inputs.agenix.nixosModules.default`
			`inputs.agenix-rekey.nixosModules.default`
			`];`

			`age.identityPaths = [ "/nix/keys/identity" ]; # default key path`
			`age.rekey = {`
			`masterIdentities = [`
			`{ identity = "/home/user/.ssh/id_ed25519";`
			`pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A"; }`
			`];`
			`storageMode = "local";`
			`generatedSecretsDir = ../../secrets/generated/${host};`
			`localStorageDir = ../../secrets/rekeyed/${host};`
			`};`

			`# services.openssh.enable = true;`
			`services.openssh.hostKeys = [{`
			`path = "/nix/keys/identity";`
			`type = "ed25519";`
			`}];`

			`# TODO: define key via hosts/<name>/default.nix`

			`nodes.phoenix.age.rekey.hostPubkey = keys.phoenix;`
			`nodes.cepheus.age.rekey.hostPubkey = keys.cepheus;`
			`# nodes.tureis.age.rekey.hostPubkey = ""; # TODO`
			`nodes.naos.age.rekey.hostPubkey = keys.naos;`
			`}`