secrets: add mu and rekey

2024-03-04 22:18:26 +01:00 · 2024-03-04 22:18:26 +01:00 · e8026d94a0
parent a917c790d6
commit e8026d94a0
7 changed files with 32 additions and 30 deletions
--- a/secrets/borg-passphrase-file-omega.age
+++ b/secrets/borg-passphrase-file-omega.age
--- a/secrets/borg-passphrase-file-zeta.age
+++ b/secrets/borg-passphrase-file-zeta.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -8,8 +8,9 @@ let
  # > cat /etc/ssh/ssh_host_ed25519_key.pub
  # If you change or add a key, all secrets need to be `agenix --rekey`'ed.
  alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha";
-  mu = "todo";
+  mu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5kEuDiVGeiicxwNUjjrHurWW5EXXxHl8YFRiKzLeX root@mu";
  omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
+  sigma = "todo";
  tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta";
  zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta";
  # Recovery and management key from Keepass. Used like so:
@ -17,16 +18,17 @@ let
  # > agenix -i $AGE_KEY_FILE -e foo.age
  recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";

-  all = [ alpha omega tor zeta recovery ];
+  all = [ alpha mu omega tor zeta ];
 in
 builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
-  "users-hashed-password-file.age" = all;
-
-  ## Borg backup
+  # Borg backup
  "borg-passphrase-file-omega.age" = [ omega ];
  "borg-passphrase-file-zeta.age" = [ zeta ];

-  ## Wireguard
+  # User passwords
+  "users-hashed-password-file.age" = all;
+
+  # Wireguard
  # The preshared key adds an additional layer of symmetric-key crypto to be
  # mixed into the already existing public-key crypto, for post-quantum
  # resistance. Public-keys are generated using `wireguard-vanity-address`.
--- a/secrets/users-hashed-password-file.age
+++ b/secrets/users-hashed-password-file.age
@ -1,17 +1,16 @@
 age-encryption.org/v1
-> ssh-ed25519 KjvmEQ 2fV7gosRLaV7OeriMMTJj6YwPdDeMsaB36pR76+4vEI
-THDhkT7O/WFfUutSUtqtczMWj8kdTnWYqF1e1BfSfYQ
-> ssh-ed25519 fY+XUg njB/XL/PRoYlTVYhtps8Q8LzFbL5OMzQrAxFHHWgbWE
-HTrmUfHj1VA5RJF0B0EckJCnk1NrZaw1cLCdcaI718s
-> ssh-ed25519 npms3w IJMNoUMdUJweP2SoUGdk3umIeXO7QL5mIk7aI+EMOkY
-ex8qU/23DSmKQutPhdojiH8O2onrDSzfJwmscFbOl0Y
-> ssh-ed25519 8zRjQA Ebqx9mnF1Uvi9lGPGk2IWg3mqa8m2M4uz+nW9LEkKS0
-Hap4hvmL6hlwUfqIwFIjH1iljJvC1KTPt8z+Cq9qsjk
-> X25519 n3vP66XLs3MSAW/dlZDcW9bNJwbZbtq+XKMLV1sqJWc
-IFvInxs6EGOow22dG4dcVsRXzbzNQSqlQiqIKuuM+r4
-> X25519 tYKOlzdcn8PM1CuQdS73W3DtqTDLDCUudnUvE7zTYTo
-m5Wc1ELWiL2YmMuRh/Zcf1fQK+79ST91+TJtWVV/caQ
--- lu/KRbrX+169CmkNzSWKRo/BELBW+jwCYp/Jv1L0XkU
-úQè
vøœ–~Ü†ÁòM‹˜¦ùÚ¶§(*evu‰NVUX>
-Ì–e£6@Åö‘_W<0B>Â&LAï%O 
-a“ý‡Ô™ZX¬þ<EFBFBD>éÍÂ°_MËW!…/úÝ¿õm%ÔbY°ïÞç<>üMl¨Â
+-> ssh-ed25519 KjvmEQ /TcefKl0Y8JK6zyl4vqZljVcfJOzD4eCNGvbYsEKmw0
+qqZYJaxrgtv14koUt0vYvabVxcNlbDhFz801r7P6a9Q
+-> ssh-ed25519 z/cefw gvyjcgGTgz6v9SlF2pyCZNR+kXmIWuVHPIBaSfZJxxk
+2l79Mf1A/VpdQBOX3qJXriuMuUdAsrA4DoJYTxzTa6w
+-> ssh-ed25519 fY+XUg x2WaSa2nrnrSm1k84G503gIdUhedMGOJEqmPINBOolc
+DYWNBBNHEikzv1TEX6r5yF/wfR7n75wQRsc157KKNDY
+-> ssh-ed25519 npms3w SLKlrhJurD/QGHN+C1zN8XMckDdbXWYkBlzGo+1Kxiw
+qQM04A3S2CwPff2epteQPDbkJSpZJ7MJ93gGMBRNIc4
+-> ssh-ed25519 8zRjQA THrfv8cKI/GkWbBS1VVa289IJMlJduadXxubuOYXRVc
+oFqQGRkCn+HBlTuY5c1FFkKHCmkrsBdFR1QpzX6oksE
+-> X25519 x0+Tx+vNwUdSUpGOc1QRAUF2TDtcNxSj8h8A1HNjC2Y
+YwKgXIl51ioyvzeFvSBIUM4mqgBFrZg3sE6hKIQQabQ
+--- gJhJBAoc7OD0YHdcdAeUItimY6k0E4CuLcORrXtIR8A
+ì`êÆ{
•úÌ…<C38C>Ç@1Årèƒ
+h–Ô³mÖ‚‹cüK÷’Sæž ›£A÷¶‘X¸{rë1~)<29>RmHF-ñæ5ÑN¯/Î¶å!æÿîhL<>èÆœˆå£ÇD8üµ°;¡9M¢;‚<>
--- a/secrets/wireguard-preshared-key-file.age
+++ b/secrets/wireguard-preshared-key-file.age
@ -1,9 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 KjvmEQ 4edeUM2PejWZA97Y5b/vwV9ZtAup5kG++qc9t9Yxt3o
-R2+4oUVVbaL3moHE1CkL/Xas7FeIJXYnMuZxzuy8FPA
-> ssh-ed25519 fY+XUg 06BdfOWCqx0Xp88VKJ8ek3N97mcChcTeyV8PzMLv3Ss
-eiGnQluRLAxo7bhgW2ZmMfveAtCQTwZw+lVwwq0gWUM
-> X25519 eXRB1Xe9BODx0SayXc7nsDddDwVWpjXyxSM2un7xEjM
-xxkUaFJbjtk4XHaXdZsjmvh5KaftLJM4Pys3b6xgQHc
--- pCTrst4Skeg7GwqXqsO3R3iF4CiO/gmKHBoiQKqESuw
-PåuxÕÿGÀuWÒNîÊe"
†«ÿŸ‚-nwJ‡«ÏÚR{¨R‹â×YN„æ¢Öz&Û*çw&Æ|8§+/Š§—¶¸DÜµ
+-> ssh-ed25519 KjvmEQ iWd1svyPPVu7KIAh2nOpTfWg3z5k7OvOomdy0pc7q0c
+If5DhrB20tF5MCEeE1r75u4ttj3wBxKc6rOTffQei4Q
+-> ssh-ed25519 fY+XUg rZ6pcgzocZyxz1zsBPKZGnB0kbLqIJtEqDATIn/mvno
+f4MI725uZf6PyZJ9cf3hwypWe04hYhhi2ljRdirX83E
+-> X25519 2ojQ4Y3fJfBs+QoN1PUw8+UJqI0AtMIs7kaS+stj7Fc
+xKN26qdKksxncH+844/pkjK3IAjCXwgzPGLBxdEOi0g
+--- tKzJAj37+Ke/a4fNE7HVzGvVLFza8+SQID2VxRqDWEs
+~R•ÔÞ}ÖCFÚ>À²ÄMðÅl€çïÎt»„	ûóÀ—U~¶îiÁMÀ<4D>‰µm‹ «Q
+çRJ…G•@:lšÈ“ïjŽ§G¸Tl%
--- a/secrets/wireguard-private-key-file-alpha.age
+++ b/secrets/wireguard-private-key-file-alpha.age
--- a/secrets/wireguard-private-key-file-omega.age
+++ b/secrets/wireguard-private-key-file-omega.age