diff --git a/secrets/borg-passphrase-file-omega.age b/secrets/borg-passphrase-file-omega.age
index cad2815..2a95e15 100644
Binary files a/secrets/borg-passphrase-file-omega.age and b/secrets/borg-passphrase-file-omega.age differ
diff --git a/secrets/borg-passphrase-file-zeta.age b/secrets/borg-passphrase-file-zeta.age
index 879cb51..573296d 100644
Binary files a/secrets/borg-passphrase-file-zeta.age and b/secrets/borg-passphrase-file-zeta.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a09ef11..358b69c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,8 +8,9 @@ let
 # > cat /etc/ssh/ssh_host_ed25519_key.pub
 # If you change or add a key, all secrets need to be `agenix --rekey`'ed.
 alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha";
- mu = "todo";
+ mu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5kEuDiVGeiicxwNUjjrHurWW5EXXxHl8YFRiKzLeX root@mu";
 omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
+ sigma = "todo";
 tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta";
 zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta";
 # Recovery and management key from Keepass. Used like so:
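Review bot: The added `sigma = "todo";` binds a host name to a string that is not a public key, the same placeholder `mu` carried before this change. It is harmless only while `sigma` stays out of every recipient list; a reader may assume sigma is already covered, and adding it to a list before the real key is filled in would presumably make the next rekey fail. I would leave the binding out until the host key exists, or mark it explicitly with `# sigma: host key not generated yet, do not add to any recipient list`. The `let` block starts and ends outside this hunk.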
@@ -17,16 +18,17 @@ let # > agenix -i $AGE_KEY_FILE -e foo.age recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj"; - all = [ alpha omega tor zeta recovery ]; + all = [ alpha mu omega tor zeta ]; in builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) { - "users-hashed-password-file.age" = all; - - ## Borg backup + # Borg backup "borg-passphrase-file-omega.age" = [ omega ]; "borg-passphrase-file-zeta.age" = [ zeta ]; - ## Wireguard + # User passwords + "users-hashed-password-file.age" = all; + + # Wireguard # The preshared key adds an additional layer of symmetric-key crypto to be # mixed into the already existing public-key crypto, for post-quantum # resistance. Public-keys are generated using `wireguard-vanity-address`. diff --git a/secrets/users-hashed-password-file.age b/secrets/users-hashed-password-file.age index 1689e12..501d8b7 100644 --- a/secrets/users-hashed-password-file.age +++ b/secrets/users-hashed-password-file.age 
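Review bot: `all` no longer lists `recovery` and now depends on the wrapper `publicKeys = value ++ [ recovery ]` to append it, which is not visible when reading `all = [ alpha mu omega tor zeta ];` on its own. A comment above that line would record the convention, for example `# Host keys only; the recovery key is appended to every secret by mapAttrs below.` Adding `mu` to `all` also extends decryption of `users-hashed-password-file.age` to mu's host key, which matches the extra ssh-ed25519 stanza in the re-encrypted file later in this commit; the commit message should say that this is intended. The attribute set continues past the end of the hunk.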
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 KjvmEQ 2fV7gosRLaV7OeriMMTJj6YwPdDeMsaB36pR76+4vEI -THDhkT7O/WFfUutSUtqtczMWj8kdTnWYqF1e1BfSfYQ --> ssh-ed25519 fY+XUg njB/XL/PRoYlTVYhtps8Q8LzFbL5OMzQrAxFHHWgbWE -HTrmUfHj1VA5RJF0B0EckJCnk1NrZaw1cLCdcaI718s --> ssh-ed25519 npms3w IJMNoUMdUJweP2SoUGdk3umIeXO7QL5mIk7aI+EMOkY -ex8qU/23DSmKQutPhdojiH8O2onrDSzfJwmscFbOl0Y --> ssh-ed25519 8zRjQA Ebqx9mnF1Uvi9lGPGk2IWg3mqa8m2M4uz+nW9LEkKS0 -Hap4hvmL6hlwUfqIwFIjH1iljJvC1KTPt8z+Cq9qsjk --> X25519 n3vP66XLs3MSAW/dlZDcW9bNJwbZbtq+XKMLV1sqJWc -IFvInxs6EGOow22dG4dcVsRXzbzNQSqlQiqIKuuM+r4 --> X25519 tYKOlzdcn8PM1CuQdS73W3DtqTDLDCUudnUvE7zTYTo -m5Wc1ELWiL2YmMuRh/Zcf1fQK+79ST91+TJtWVV/caQ ---- lu/KRbrX+169CmkNzSWKRo/BELBW+jwCYp/Jv1L0XkU -Q v~܆Mڶ(*evuNVUX> -̖e6@_W &LA%O -aԙZX_MW!/ݿm%bYMl \ No newline at end of file +-> ssh-ed25519 KjvmEQ /TcefKl0Y8JK6zyl4vqZljVcfJOzD4eCNGvbYsEKmw0 +qqZYJaxrgtv14koUt0vYvabVxcNlbDhFz801r7P6a9Q +-> ssh-ed25519 z/cefw gvyjcgGTgz6v9SlF2pyCZNR+kXmIWuVHPIBaSfZJxxk +2l79Mf1A/VpdQBOX3qJXriuMuUdAsrA4DoJYTxzTa6w +-> ssh-ed25519 fY+XUg x2WaSa2nrnrSm1k84G503gIdUhedMGOJEqmPINBOolc +DYWNBBNHEikzv1TEX6r5yF/wfR7n75wQRsc157KKNDY +-> ssh-ed25519 npms3w SLKlrhJurD/QGHN+C1zN8XMckDdbXWYkBlzGo+1Kxiw +qQM04A3S2CwPff2epteQPDbkJSpZJ7MJ93gGMBRNIc4 +-> ssh-ed25519 8zRjQA THrfv8cKI/GkWbBS1VVa289IJMlJduadXxubuOYXRVc +oFqQGRkCn+HBlTuY5c1FFkKHCmkrsBdFR1QpzX6oksE +-> X25519 x0+Tx+vNwUdSUpGOc1QRAUF2TDtcNxSj8h8A1HNjC2Y +YwKgXIl51ioyvzeFvSBIUM4mqgBFrZg3sE6hKIQQabQ +--- gJhJBAoc7OD0YHdcdAeUItimY6k0E4CuLcORrXtIR8A +`{ ̅@1r +hԳm cKS AX{r1~)RmHF-5N/!hLƜD8 ;9M; \ No newline at end of file diff --git a/secrets/wireguard-preshared-key-file.age b/secrets/wireguard-preshared-key-file.age index 8a60673..c374812 100644 --- a/secrets/wireguard-preshared-key-file.age +++ b/secrets/wireguard-preshared-key-file.age 
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 KjvmEQ 4edeUM2PejWZA97Y5b/vwV9ZtAup5kG++qc9t9Yxt3o -R2+4oUVVbaL3moHE1CkL/Xas7FeIJXYnMuZxzuy8FPA --> ssh-ed25519 fY+XUg 06BdfOWCqx0Xp88VKJ8ek3N97mcChcTeyV8PzMLv3Ss -eiGnQluRLAxo7bhgW2ZmMfveAtCQTwZw+lVwwq0gWUM --> X25519 eXRB1Xe9BODx0SayXc7nsDddDwVWpjXyxSM2un7xEjM -xxkUaFJbjtk4XHaXdZsjmvh5KaftLJM4Pys3b6xgQHc ---- pCTrst4Skeg7GwqXqsO3R3iF4CiO/gmKHBoiQKqESuw -PuxGuWNe" -nwJR{RYNz&*w&|8+/Dܵ \ No newline at end of file +-> ssh-ed25519 KjvmEQ iWd1svyPPVu7KIAh2nOpTfWg3z5k7OvOomdy0pc7q0c +If5DhrB20tF5MCEeE1r75u4ttj3wBxKc6rOTffQei4Q +-> ssh-ed25519 fY+XUg rZ6pcgzocZyxz1zsBPKZGnB0kbLqIJtEqDATIn/mvno +f4MI725uZf6PyZJ9cf3hwypWe04hYhhi2ljRdirX83E +-> X25519 2ojQ4Y3fJfBs+QoN1PUw8+UJqI0AtMIs7kaS+stj7Fc +xKN26qdKksxncH+844/pkjK3IAjCXwgzPGLBxdEOi0g +--- tKzJAj37+Ke/a4fNE7HVzGvVLFza8+SQID2VxRqDWEs +~R}CF>Mlt U~iMmQ +RJG@:lȓjGTl% \ No newline at end of file diff --git a/secrets/wireguard-private-key-file-alpha.age b/secrets/wireguard-private-key-file-alpha.age index 3e66280..3b2c859 100644 Binary files a/secrets/wireguard-private-key-file-alpha.age and b/secrets/wireguard-private-key-file-alpha.age differ diff --git a/secrets/wireguard-private-key-file-omega.age b/secrets/wireguard-private-key-file-omega.age index fe05e79..62876c6 100644 Binary files a/secrets/wireguard-private-key-file-omega.age and b/secrets/wireguard-private-key-file-omega.age differ