rekey secrets to include recovery key

2024-02-29 22:28:14 +01:00 · 2024-02-29 22:28:14 +01:00 · 464e24d011
parent dbf2b648c9
commit 464e24d011
7 changed files with 15 additions and 14 deletions
--- a/secrets/netdev-51-wg-sigma-p2p-address.age
+++ b/secrets/netdev-51-wg-sigma-p2p-address.age
--- a/secrets/network-wg-sigma-p2p-address.age
+++ b/secrets/network-wg-sigma-p2p-address.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -19,18 +19,18 @@ let

  all = [ alpha omega tor recovery ];
 in
-{
-  "users-hashed-password-file.age".publicKeys = all;
+builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
+  "users-hashed-password-file.age" = all;

  # Secret network addresses
-  "netdev-51-wg-sigma-p2p-address.age".publicKeys = [ alpha ];
-  "network-wg-sigma-p2p-address.age".publicKeys = [ omega ];
+  "netdev-51-wg-sigma-p2p-address.age" = [ alpha ];
+  "network-wg-sigma-p2p-address.age" = [ omega ];

  ## Wireguard
  # The preshared key adds an additional layer of symmetric-key crypto to be
  # mixed into the already existing public-key crypto, for post-quantum
  # resistance. Public-keys are generated using `wireguard-vanity-address`.
-  "wireguard-preshared-key-file.age".publicKeys = [ alpha omega ];
-  "wireguard-private-key-file-alpha.age".publicKeys = [ alpha ];
-  "wireguard-private-key-file-omega.age".publicKeys = [ omega ];
+  "wireguard-preshared-key-file.age" = [ alpha omega ];
+  "wireguard-private-key-file-alpha.age" = [ alpha ];
+  "wireguard-private-key-file-omega.age" = [ omega ];
 }
--- a/secrets/users-hashed-password-file.age
+++ b/secrets/users-hashed-password-file.age
--- a/secrets/wireguard-preshared-key-file.age
+++ b/secrets/wireguard-preshared-key-file.age
@ -1,8 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 KjvmEQ u+aOAxwH7BgSou88oBlAFTsLZ+Wmbr5ld99nEeBfoic
-TiJ7uXPXDcZ6GZCErXk+VbTSlX0ECDtYg0175DX4+LI
-> ssh-ed25519 fY+XUg KKDaoOcbkTSgsYQ7KEkP507tjoAin2jgoQ7bJDD7lh8
-QTkdXdVK5PN36YglJ2nJKTh5S1Fwy3Myd8kURBPZIcY
--- vcBtZKjPxYnScGb2tizt/USndbXTQcOLorikniOUVbA
-£ýàº@ÇÒû=–)ÄÁð"xj°P
-ªëß+7)YÑÉ|¾
<>Þú‹ ý~×Íi³½g"ªãilEþ¤‡¼U²ÀÃyî{•ÀBa)
+-> ssh-ed25519 KjvmEQ QVI3KB2XSIhimn+3nTkS0Hr/DPKtCOcfHFSp7/QLAXk
+tD1fdY3ii08ZqTDEPvYzydFqiok5y4zrnp+GQekz5wg
+-> ssh-ed25519 fY+XUg hJmzN3gINK23Rw1qCd3KJjwPvVvfRZx9VEfDTPRWn2o
+H3rEhjp11wPEQFgg1hXFZwl2ZfecIIx4yxQ/w90YpdA
+-> X25519 hjuZ3YjV9Gf7LHwjzKXRyXC1YGJVZMw3ochzecB9Smw
+oDpsj16YtEoXa+63jVYc3ZyhGFvSebZ/a/YbGLAig80
+--- uZOOPTTyS3p61t7R89nzO/hy4mrHTOoEaM/A0Nmz030
+ÞýtºK»¾óÌ4w¡˜Á7´Q'×Užûß’òä‹4N^cñÌToÃï³\xIyíxt)œÆO}$L<1D>*h$¦Uê„ÁªþÞÂq…£õP
--- a/secrets/wireguard-private-key-file-alpha.age
+++ b/secrets/wireguard-private-key-file-alpha.age
--- a/secrets/wireguard-private-key-file-omega.age
+++ b/secrets/wireguard-private-key-file-omega.age