Initial commit

2025-08-20 18:24:02 +03:00
commit 2dec42d487
116 changed files with 6591 additions and 0 deletions
--- a/modules/global/secrets.nix
+++ b/modules/global/secrets.nix
@@ -0,0 +1,38 @@
+{ inputs, host, lib, ... }:
+let
+  keys = {
+    phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsrEEXQwcu4i7hOqCbpwd4EdC/+v9fAWm30MUXhVpp5";
+    cepheus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGm1PymMJ2JnE973UCaezWQFKyZi7lsAzHshUUwafa8F";
+    naos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcR9C753wDWjg/oJxn6p9kLMaiaOPJFNT0xYPICXK52";
+  };
+in {
+  environment.systemPackages = [ inputs.agenix-rekey.packages.x86_64-linux.default ];
+  imports = [
+    inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
+  ];
+  
+  age.identityPaths = [ "/nix/keys/identity" ]; # default key path
+  age.rekey = {
+    masterIdentities = [
+      { identity = "/home/user/.ssh/id_ed25519";
+        pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A"; }
+    ];
+    storageMode = "local";
+    generatedSecretsDir = ../../secrets/generated/${host};
+    localStorageDir = ../../secrets/rekeyed/${host};
+  };
+
+  # services.openssh.enable = true;
+  services.openssh.hostKeys = [{
+    path = "/nix/keys/identity";
+    type = "ed25519";
+  }];
+
+# TODO: define key via hosts/<name>/default.nix
+
+  nodes.phoenix.age.rekey.hostPubkey = keys.phoenix;
+  nodes.cepheus.age.rekey.hostPubkey = keys.cepheus;
+  # nodes.tureis.age.rekey.hostPubkey = ""; # TODO
+  nodes.naos.age.rekey.hostPubkey = keys.naos;
+}