secrets: add mu and rekey
parent
a917c790d6
commit
e8026d94a0
Binary file not shown.
Binary file not shown.
|
@ -8,8 +8,9 @@ let
|
||||||
# > cat /etc/ssh/ssh_host_ed25519_key.pub
|
# > cat /etc/ssh/ssh_host_ed25519_key.pub
|
||||||
# If you change or add a key, all secrets need to be `agenix --rekey`'ed.
|
# If you change or add a key, all secrets need to be `agenix --rekey`'ed.
|
||||||
alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha";
|
alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha";
|
||||||
mu = "todo";
|
mu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5kEuDiVGeiicxwNUjjrHurWW5EXXxHl8YFRiKzLeX root@mu";
|
||||||
omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
|
omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
|
||||||
|
sigma = "todo";
|
||||||
tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta";
|
tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta";
|
||||||
zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta";
|
zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta";
|
||||||
# Recovery and management key from Keepass. Used like so:
|
# Recovery and management key from Keepass. Used like so:
|
||||||
|
@ -17,16 +18,17 @@ let
|
||||||
# > agenix -i $AGE_KEY_FILE -e foo.age
|
# > agenix -i $AGE_KEY_FILE -e foo.age
|
||||||
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
|
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
|
||||||
|
|
||||||
all = [ alpha omega tor zeta recovery ];
|
all = [ alpha mu omega tor zeta ];
|
||||||
in
|
in
|
||||||
builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
|
builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
|
||||||
"users-hashed-password-file.age" = all;
|
# Borg backup
|
||||||
|
|
||||||
## Borg backup
|
|
||||||
"borg-passphrase-file-omega.age" = [ omega ];
|
"borg-passphrase-file-omega.age" = [ omega ];
|
||||||
"borg-passphrase-file-zeta.age" = [ zeta ];
|
"borg-passphrase-file-zeta.age" = [ zeta ];
|
||||||
|
|
||||||
## Wireguard
|
# User passwords
|
||||||
|
"users-hashed-password-file.age" = all;
|
||||||
|
|
||||||
|
# Wireguard
|
||||||
# The preshared key adds an additional layer of symmetric-key crypto to be
|
# The preshared key adds an additional layer of symmetric-key crypto to be
|
||||||
# mixed into the already existing public-key crypto, for post-quantum
|
# mixed into the already existing public-key crypto, for post-quantum
|
||||||
# resistance. Public-keys are generated using `wireguard-vanity-address`.
|
# resistance. Public-keys are generated using `wireguard-vanity-address`.
|
||||||
|
|
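Review bot: `all = [ alpha mu omega tor zeta ];` no longer lists `recovery`, so the recovery recipient on every secret now depends solely on the `value ++ [ recovery ]` in the `mapAttrs` wrapper, and nothing at the definition says so. I would add `# Host keys only; recovery is appended to every entry by the mapAttrs below.` above `all`, so a later refactor of the wrapper does not silently drop the recovery key from newly encrypted secrets. The new `sigma = "todo";` placeholder deserves a similar comment, e.g. `# sigma: host key not provisioned yet; keep out of recipient lists`, since the string is not a usable recipient. Adding `mu` to `all` also gives that host read access to `users-hashed-password-file.age`; the rekeyed header further down, presumably that file, shows five `ssh-ed25519` stanzas and one `X25519`, which matches the new list plus `recovery`. The `let` block starts above the first hunk.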
|
@ -1,17 +1,16 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 KjvmEQ 2fV7gosRLaV7OeriMMTJj6YwPdDeMsaB36pR76+4vEI
|
-> ssh-ed25519 KjvmEQ /TcefKl0Y8JK6zyl4vqZljVcfJOzD4eCNGvbYsEKmw0
|
||||||
THDhkT7O/WFfUutSUtqtczMWj8kdTnWYqF1e1BfSfYQ
|
qqZYJaxrgtv14koUt0vYvabVxcNlbDhFz801r7P6a9Q
|
||||||
-> ssh-ed25519 fY+XUg njB/XL/PRoYlTVYhtps8Q8LzFbL5OMzQrAxFHHWgbWE
|
-> ssh-ed25519 z/cefw gvyjcgGTgz6v9SlF2pyCZNR+kXmIWuVHPIBaSfZJxxk
|
||||||
HTrmUfHj1VA5RJF0B0EckJCnk1NrZaw1cLCdcaI718s
|
2l79Mf1A/VpdQBOX3qJXriuMuUdAsrA4DoJYTxzTa6w
|
||||||
-> ssh-ed25519 npms3w IJMNoUMdUJweP2SoUGdk3umIeXO7QL5mIk7aI+EMOkY
|
-> ssh-ed25519 fY+XUg x2WaSa2nrnrSm1k84G503gIdUhedMGOJEqmPINBOolc
|
||||||
ex8qU/23DSmKQutPhdojiH8O2onrDSzfJwmscFbOl0Y
|
DYWNBBNHEikzv1TEX6r5yF/wfR7n75wQRsc157KKNDY
|
||||||
-> ssh-ed25519 8zRjQA Ebqx9mnF1Uvi9lGPGk2IWg3mqa8m2M4uz+nW9LEkKS0
|
-> ssh-ed25519 npms3w SLKlrhJurD/QGHN+C1zN8XMckDdbXWYkBlzGo+1Kxiw
|
||||||
Hap4hvmL6hlwUfqIwFIjH1iljJvC1KTPt8z+Cq9qsjk
|
qQM04A3S2CwPff2epteQPDbkJSpZJ7MJ93gGMBRNIc4
|
||||||
-> X25519 n3vP66XLs3MSAW/dlZDcW9bNJwbZbtq+XKMLV1sqJWc
|
-> ssh-ed25519 8zRjQA THrfv8cKI/GkWbBS1VVa289IJMlJduadXxubuOYXRVc
|
||||||
IFvInxs6EGOow22dG4dcVsRXzbzNQSqlQiqIKuuM+r4
|
oFqQGRkCn+HBlTuY5c1FFkKHCmkrsBdFR1QpzX6oksE
|
||||||
-> X25519 tYKOlzdcn8PM1CuQdS73W3DtqTDLDCUudnUvE7zTYTo
|
-> X25519 x0+Tx+vNwUdSUpGOc1QRAUF2TDtcNxSj8h8A1HNjC2Y
|
||||||
m5Wc1ELWiL2YmMuRh/Zcf1fQK+79ST91+TJtWVV/caQ
|
YwKgXIl51ioyvzeFvSBIUM4mqgBFrZg3sE6hKIQQabQ
|
||||||
--- lu/KRbrX+169CmkNzSWKRo/BELBW+jwCYp/Jv1L0XkU
|
--- gJhJBAoc7OD0YHdcdAeUItimY6k0E4CuLcORrXtIR8A
|
||||||
úQè
vøœ–~܆ÁòM‹˜¦ùÚ¶§(*evu‰NVUX>
|
ì`êÆ{
•úÌ…<C38C>Ç@1Årèƒ
|
||||||
Ì–e£6@Åö‘_W<0B>Â&LAï%O
|
h–Ô³mÖ‚‹cüK÷’Sæž ›£A÷¶‘X¸{rë1~)<29>RmHF-ñæ5ÑN¯/ζå!æÿîhL<>èÆœˆå£ÇD8üµ°;¡9M¢;‚<>
|
||||||
a“ý‡Ô™ZX¬þ<EFBFBD>éÍ°_MËW!…/úÝ¿õm%ÔbY°ïÞç<>üMl¨Â
|
|
|
@ -1,9 +1,10 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 KjvmEQ 4edeUM2PejWZA97Y5b/vwV9ZtAup5kG++qc9t9Yxt3o
|
-> ssh-ed25519 KjvmEQ iWd1svyPPVu7KIAh2nOpTfWg3z5k7OvOomdy0pc7q0c
|
||||||
R2+4oUVVbaL3moHE1CkL/Xas7FeIJXYnMuZxzuy8FPA
|
If5DhrB20tF5MCEeE1r75u4ttj3wBxKc6rOTffQei4Q
|
||||||
-> ssh-ed25519 fY+XUg 06BdfOWCqx0Xp88VKJ8ek3N97mcChcTeyV8PzMLv3Ss
|
-> ssh-ed25519 fY+XUg rZ6pcgzocZyxz1zsBPKZGnB0kbLqIJtEqDATIn/mvno
|
||||||
eiGnQluRLAxo7bhgW2ZmMfveAtCQTwZw+lVwwq0gWUM
|
f4MI725uZf6PyZJ9cf3hwypWe04hYhhi2ljRdirX83E
|
||||||
-> X25519 eXRB1Xe9BODx0SayXc7nsDddDwVWpjXyxSM2un7xEjM
|
-> X25519 2ojQ4Y3fJfBs+QoN1PUw8+UJqI0AtMIs7kaS+stj7Fc
|
||||||
xxkUaFJbjtk4XHaXdZsjmvh5KaftLJM4Pys3b6xgQHc
|
xKN26qdKksxncH+844/pkjK3IAjCXwgzPGLBxdEOi0g
|
||||||
--- pCTrst4Skeg7GwqXqsO3R3iF4CiO/gmKHBoiQKqESuw
|
--- tKzJAj37+Ke/a4fNE7HVzGvVLFza8+SQID2VxRqDWEs
|
||||||
PåuxÕÿGÀuWÒNîÊe"
†«ÿŸ‚-nwJ‡«ÏÚR{¨R‹â×YN„æ¢Öz&Û*çw&Æ|8§+/Š§—¶¸Dܵ
|
~R•ÔÞ}ÖCFÚ>À²ÄMðÅl€çïÎt»„ ûóÀ—U~¶îiÁMÀ<4D>‰µm‹ «Q
|
||||||
|
çRJ…G•@:lšÈ“ïjŽ§G¸Tl%
|
Binary file not shown.
Binary file not shown.