From e8026d94a015ff346f7152978f68d4318526bda9 Mon Sep 17 00:00:00 2001 From: "Casper V. Kristensen" Date: Mon, 4 Mar 2024 22:18:26 +0100 Subject: [PATCH] secrets: add mu and rekey --- secrets/borg-passphrase-file-omega.age | Bin 375 -> 375 bytes secrets/borg-passphrase-file-zeta.age | Bin 375 -> 375 bytes secrets/secrets.nix | 14 +++++---- secrets/users-hashed-password-file.age | 31 +++++++++---------- secrets/wireguard-preshared-key-file.age | 17 +++++----- secrets/wireguard-private-key-file-alpha.age | Bin 355 -> 355 bytes secrets/wireguard-private-key-file-omega.age | Bin 355 -> 355 bytes 7 files changed, 32 insertions(+), 30 deletions(-) 
diff --git a/secrets/borg-passphrase-file-omega.age b/secrets/borg-passphrase-file-omega.age index cad281534a8880860515137a4f04a2449567bd2c..2a95e15559c314485d26544b322a288df4f9e35a 100644 GIT binary patch delta 340 zcmV-a0jvJ^0`~%tEPqCHW@s^DYFceYbXYTaLrHjVaZ538ICW@MGh$6|Sz2{WYjbgO zQ)D(VMG9*-aArwtM{rPSZe@2hH#tjMbu&&$V^?)jSY<+DO=4?jMOisVsvq0MoCp; z3PWydHdIS#VOdvjI89GxGebplX*fYvLv1i(b$V`CL@-E5Lv?y+Rb@{}3N0-yAW?F3 zK{PODXhlkNZ+J0PIXOyMG)iPqa%oU^R5em?R7hcBL{m^xb~sHz3WX-{$}uRPHtUg% z#otg&m4v380!(bpcYmdj8`%zKJpTj72P=B3l4ugyU delta 340 zcmV-a0jvJ^0`~%tEPr)kL{B$HGf+23YGzP3S7$a@HfuF)X)r=CQgm=eK~-x*Q8Y7D zNHQE5(9QC31vYfDEkM{`JObuUI?Q(9(tL}5&JNpC_mZDMmTR!(PCMG7rG zAXqXrH8D9LT5ma1NMu7dPc>0UH&9knSyN+jSaL#iZedYxIe$SjaBONfPC-#fczRZ6 z3RyRBSaWhjGjUgHOi4v&Rd-28WJNJJb4OugFkyLTa&$vgO=Ut@LS=bx3N0-yAWvsZ zb~Z6-Hcde=T3B!~Qf_2$HBL2Sb9Q1eRcBd2LTGqqVNz3gV^(i43dWymrjG~TL1&v} z3IentHm`5he0~^BE5<24yT!R8#+Qtti=+Pq_j+Me{ mlYB@%#75_Xn0ClGRPNeXI2MP@Toc}_xba&&PxRzWj(NKbQYLSlDqZEG=SX-{NtGHG&BF?cd{K?*HC zAXqXrH8D9LcQScID^zY%a$;+5M>%OuSujU$R!2v3R#-AQaeqr$PikXNb82IAI7u)~ z3N?05H#0$LLvCqWZ%tHZMsZ4VL|0lhH8pu>c2sm(ZZ|}6MPyn+RV!3Y3N0-yAa+P< zVrfh`FG*KLG)ixAWLQ;dcy=*OOgAqwdU0ZEK{rh`GJ0)ELSauq3IsszBM|c`ZFd1~ zhO1FSy)a(j-A%PmXQKLDTVA6VL>{^30r@6%0B-dAYs$tb=AqPp-~s(Bbm?MxUd2SY mv|Rz{Bq5Ox&C`8G*b!5k_uyv=py=8%H`yDhHXTNo<~lJ1q<(t< delta 340 zcmV-a0jvJ^0`~%tEProIcr#3MX;wHdPF6T)RAo~_a6vdPbyHMOF;GrRZg_b~O*Ah` zHg#A>Zwh!Hg|W@uGeY=3rgGf8POG-ohvM|O8- z3UO~`cyC!qRcc~qXJ>A2XK^@TNmqDTS~5&8VrF(SNJ&9!YcXzOYF2Ss3N0-yAWLa^ zFIiT1aWrKxY-(09cUM_SSbA_(H8y%vcR@{2Npd$eM{7e)OH)=^3Ue2>$|I<07}(7f z&;N6dxCa1={!Naembw6 m=r~~%(O0DIdmIcnd1-# cat /etc/ssh/ssh_host_ed25519_key.pub # If you change or add a key, all secrets need to be `agenix --rekey`'ed. 
 alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha";
- mu = "todo";
+ mu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5kEuDiVGeiicxwNUjjrHurWW5EXXxHl8YFRiKzLeX root@mu";
 omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
+ sigma = "todo";
 tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta";
 zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta";
 # Recovery and management key from Keepass. Used like so:
@@ -17,16 +18,17 @@ let
 # > agenix -i $AGE_KEY_FILE -e foo.age
 recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
 
- all = [ alpha omega tor zeta recovery ];
+ all = [ alpha mu omega tor zeta ];
 in
 builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
- "users-hashed-password-file.age" = all;
-
- ## Borg backup
+ # Borg backup
 "borg-passphrase-file-omega.age" = [ omega ];
 "borg-passphrase-file-zeta.age" = [ zeta ];
 
- ## Wireguard
+ # User passwords
+ "users-hashed-password-file.age" = all;
+
+ # Wireguard
 # The preshared key adds an additional layer of symmetric-key crypto to be
 # mixed into the already existing public-key crypto, for post-quantum
 # resistance. Public-keys are generated using `wireguard-vanity-address`.
diff --git a/secrets/users-hashed-password-file.age b/secrets/users-hashed-password-file.age
index 1689e12..501d8b7 100644
--- a/secrets/users-hashed-password-file.age
+++ b/secrets/users-hashed-password-file.age
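Review bot: `"users-hashed-password-file.age" = all;` hands the password hashes of every user to every host key in `all`, now including the freshly added `mu`, so compromising any single host's `/etc/ssh/ssh_host_ed25519_key` (or forgetting to drop a decommissioned host from the list) exposes the hashes for the whole fleet; that blast radius deserves a line next to the entry, e.g. `# Shared by every host: any one host key in `all` can decrypt these hashes.`. `all` is also maintained by hand, so the `sigma = "todo"` placeholder added above will not be covered until someone edits this list, and if it were added while still `"todo"`, age should reject the recipient loudly rather than silently skip it — a note such as `# Keep in sync with the host keys above; never add a "todo" placeholder here.` would spare the next editor that surprise. The new users-hashed-password-file.age below carries five ssh-ed25519 stanzas plus one X25519 stanza, which matches the new `all` plus the single appended `recovery` (the old file had `recovery` twice because it was listed in `all` as well). The `let`/`mapAttrs` expression continues past the end of this hunk; the Wireguard entries are not visible here.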
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 KjvmEQ 2fV7gosRLaV7OeriMMTJj6YwPdDeMsaB36pR76+4vEI -THDhkT7O/WFfUutSUtqtczMWj8kdTnWYqF1e1BfSfYQ --> ssh-ed25519 fY+XUg njB/XL/PRoYlTVYhtps8Q8LzFbL5OMzQrAxFHHWgbWE -HTrmUfHj1VA5RJF0B0EckJCnk1NrZaw1cLCdcaI718s --> ssh-ed25519 npms3w IJMNoUMdUJweP2SoUGdk3umIeXO7QL5mIk7aI+EMOkY -ex8qU/23DSmKQutPhdojiH8O2onrDSzfJwmscFbOl0Y --> ssh-ed25519 8zRjQA Ebqx9mnF1Uvi9lGPGk2IWg3mqa8m2M4uz+nW9LEkKS0 -Hap4hvmL6hlwUfqIwFIjH1iljJvC1KTPt8z+Cq9qsjk --> X25519 n3vP66XLs3MSAW/dlZDcW9bNJwbZbtq+XKMLV1sqJWc -IFvInxs6EGOow22dG4dcVsRXzbzNQSqlQiqIKuuM+r4 --> X25519 tYKOlzdcn8PM1CuQdS73W3DtqTDLDCUudnUvE7zTYTo -m5Wc1ELWiL2YmMuRh/Zcf1fQK+79ST91+TJtWVV/caQ ---- lu/KRbrX+169CmkNzSWKRo/BELBW+jwCYp/Jv1L0XkU -Q v~܆Mڶ(*evuNVUX> -̖e6@_W &LA%O -aԙZX_MW!/ݿm%bYMl \ No newline at end of file +-> ssh-ed25519 KjvmEQ /TcefKl0Y8JK6zyl4vqZljVcfJOzD4eCNGvbYsEKmw0 +qqZYJaxrgtv14koUt0vYvabVxcNlbDhFz801r7P6a9Q +-> ssh-ed25519 z/cefw gvyjcgGTgz6v9SlF2pyCZNR+kXmIWuVHPIBaSfZJxxk +2l79Mf1A/VpdQBOX3qJXriuMuUdAsrA4DoJYTxzTa6w +-> ssh-ed25519 fY+XUg x2WaSa2nrnrSm1k84G503gIdUhedMGOJEqmPINBOolc +DYWNBBNHEikzv1TEX6r5yF/wfR7n75wQRsc157KKNDY +-> ssh-ed25519 npms3w SLKlrhJurD/QGHN+C1zN8XMckDdbXWYkBlzGo+1Kxiw +qQM04A3S2CwPff2epteQPDbkJSpZJ7MJ93gGMBRNIc4 +-> ssh-ed25519 8zRjQA THrfv8cKI/GkWbBS1VVa289IJMlJduadXxubuOYXRVc +oFqQGRkCn+HBlTuY5c1FFkKHCmkrsBdFR1QpzX6oksE +-> X25519 x0+Tx+vNwUdSUpGOc1QRAUF2TDtcNxSj8h8A1HNjC2Y +YwKgXIl51ioyvzeFvSBIUM4mqgBFrZg3sE6hKIQQabQ +--- gJhJBAoc7OD0YHdcdAeUItimY6k0E4CuLcORrXtIR8A +`{ ̅@1r +hԳm cKS AX{r1~)RmHF-5N/!hLƜD8 ;9M; \ No newline at end of file diff --git a/secrets/wireguard-preshared-key-file.age b/secrets/wireguard-preshared-key-file.age index 8a60673..c374812 100644 --- a/secrets/wireguard-preshared-key-file.age +++ b/secrets/wireguard-preshared-key-file.age 
@@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 KjvmEQ 4edeUM2PejWZA97Y5b/vwV9ZtAup5kG++qc9t9Yxt3o -R2+4oUVVbaL3moHE1CkL/Xas7FeIJXYnMuZxzuy8FPA --> ssh-ed25519 fY+XUg 06BdfOWCqx0Xp88VKJ8ek3N97mcChcTeyV8PzMLv3Ss -eiGnQluRLAxo7bhgW2ZmMfveAtCQTwZw+lVwwq0gWUM --> X25519 eXRB1Xe9BODx0SayXc7nsDddDwVWpjXyxSM2un7xEjM -xxkUaFJbjtk4XHaXdZsjmvh5KaftLJM4Pys3b6xgQHc ---- pCTrst4Skeg7GwqXqsO3R3iF4CiO/gmKHBoiQKqESuw -PuxGuWNe" -nwJR{RYNz&*w&|8+/Dܵ \ No newline at end of file +-> ssh-ed25519 KjvmEQ iWd1svyPPVu7KIAh2nOpTfWg3z5k7OvOomdy0pc7q0c +If5DhrB20tF5MCEeE1r75u4ttj3wBxKc6rOTffQei4Q +-> ssh-ed25519 fY+XUg rZ6pcgzocZyxz1zsBPKZGnB0kbLqIJtEqDATIn/mvno +f4MI725uZf6PyZJ9cf3hwypWe04hYhhi2ljRdirX83E +-> X25519 2ojQ4Y3fJfBs+QoN1PUw8+UJqI0AtMIs7kaS+stj7Fc +xKN26qdKksxncH+844/pkjK3IAjCXwgzPGLBxdEOi0g +--- tKzJAj37+Ke/a4fNE7HVzGvVLFza8+SQID2VxRqDWEs +~R}CF>Mlt U~iMmQ +RJG@:lȓjGTl% \ No newline at end of file diff --git a/secrets/wireguard-private-key-file-alpha.age b/secrets/wireguard-private-key-file-alpha.age index 3e662801c11e03fa40985d1aef84b16db5eaa352..3b2c859a950b1f1f4fe1abcad304b141a06126b4 100644 GIT binary patch delta 320 zcmV-G0l)s^0^hZ)iehX)si2PdH96OmA9NQdezA zFKusYcM5D}GInKlM{83rcWFjULs>LcS43l1K`}>aV`fiPY)5NOYGZLnV>5F@YYHts zAXqXrH8D9Lc41j>Hex|YNo`j!cy@13FmgFCc0qJ=L{>3Oa(_)WPeEo!Xl!qFc6w(t z3Nv|bZ)RyyT3A?8SXfG0YGPJeVnJd^NqIC`QENp)b!<~eNH}a(T1;$f3N0-yAVoHC zcvnVdP*y}QSZz{tX>dt3Qdwb8Rxf8^Gj1_%Za79OWN>g+PeoKg3Y6A%5nXXM4=$$$ z@QY{8^8w=ZcR6h4;YPE4B&aA+E5c|vk-hb(PgeKAM*Mxyd4*;thouv?1;r2zN30!; SPwKH)%H1~t_G3D}?o|>XOLbZR delta 320 zcmV-G0l)s^0^0j{s2BVHHdKvZJj6?9CSed 
diff --git a/secrets/wireguard-private-key-file-omega.age b/secrets/wireguard-private-key-file-omega.age index fe05e796ae10d5cadf4b9ba0fc0d7314febb539f..62876c6ca112f2a734e43309c96952e8127529ae 100644 GIT binary patch delta 320 zcmV-G0l)s^0^T!bZZ%G6Z%KMIYBFtdO=Mv-L1EcxW?HX>~L;Nq=oeSZzphLt<4-NGoVG z3U+UHK{RPHW<*LWFm_inRY-VuPI6O3X)rfsV@ftkF*spVbwO`cWkpFa3N0-yAXQUq zOJ*`hLo{JUP;fbLH&!=NMl)J=DJ2^ljR~CX;_9aDtmbP?g&~-YZc*o8t_fM;A3n0ertj*OnI?(HtJ4u3k S0L*s`#b(+#RMUVKXti%nFLZAJ delta 320 zcmV-G0l)s^0^~$Hc4(T6?ASKoA Suf6XoG3C3fAsQ&y_IVmHfOnz*