secrets: add mu and rekey

This commit is contained in:
Casper V. Kristensen 2024-03-04 22:18:26 +01:00
parent a917c790d6
commit e8026d94a0
7 changed files with 32 additions and 30 deletions


@ -8,8 +8,9 @@ let
# > cat /etc/ssh/ssh_host_ed25519_key.pub # > cat /etc/ssh/ssh_host_ed25519_key.pub
# If you change or add a key, all secrets need to be `agenix --rekey`'ed. # If you change or add a key, all secrets need to be `agenix --rekey`'ed.
alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha"; alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc root@alpha";
mu = "todo"; mu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5kEuDiVGeiicxwNUjjrHurWW5EXXxHl8YFRiKzLeX root@mu";
omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega"; omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
sigma = "todo";
tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta"; tor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk root@zeta";
zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta"; zeta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWiyK636Ys+jRX4ZFByfJMyPIvW4ZsYAITW2fo3VQZx root@zeta";
# Recovery and management key from Keepass. Used like so: # Recovery and management key from Keepass. Used like so:
@ -17,16 +18,17 @@ let
# > agenix -i $AGE_KEY_FILE -e foo.age # > agenix -i $AGE_KEY_FILE -e foo.age
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj"; recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
all = [ alpha omega tor zeta recovery ]; all = [ alpha mu omega tor zeta ];
in in
builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) { builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
"users-hashed-password-file.age" = all; # Borg backup
## Borg backup
"borg-passphrase-file-omega.age" = [ omega ]; "borg-passphrase-file-omega.age" = [ omega ];
"borg-passphrase-file-zeta.age" = [ zeta ]; "borg-passphrase-file-zeta.age" = [ zeta ];
## Wireguard # User passwords
"users-hashed-password-file.age" = all;
# Wireguard
# The preshared key adds an additional layer of symmetric-key crypto to be # The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum # mixed into the already existing public-key crypto, for post-quantum
# resistance. Public-keys are generated using `wireguard-vanity-address`. # resistance. Public-keys are generated using `wireguard-vanity-address`.
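Review bot: The new `sigma = "todo";` line introduces a second placeholder of the same shape that `mu` had until this commit, and nothing in the file marks it as not-a-key; if `sigma` is ever dropped into a recipient list the string is passed to age as a recipient and rekeying fails, so a comment such as `sigma = "todo"; # placeholder, not a valid recipient - keep out of every list until the real host key is added` would make the intent explicit. The rewritten `all = [ alpha mu omega tor zeta ]` drops the explicit `recovery` entry, which `builtins.mapAttrs` already appends, so the users-hashed-password file presumably no longer carries a duplicate recovery stanza after the rekey in this commit. As a side note on a context line in the same hunk, the `tor` key's comment field reads `root@zeta` while its key material differs from `zeta`'s; that is cosmetic for age, but worth confirming the key was copied from the intended host. The second hunk's trailing lines are outside this view.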


@ -1,17 +1,16 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 KjvmEQ 2fV7gosRLaV7OeriMMTJj6YwPdDeMsaB36pR76+4vEI -> ssh-ed25519 KjvmEQ /TcefKl0Y8JK6zyl4vqZljVcfJOzD4eCNGvbYsEKmw0
THDhkT7O/WFfUutSUtqtczMWj8kdTnWYqF1e1BfSfYQ qqZYJaxrgtv14koUt0vYvabVxcNlbDhFz801r7P6a9Q
-> ssh-ed25519 fY+XUg njB/XL/PRoYlTVYhtps8Q8LzFbL5OMzQrAxFHHWgbWE -> ssh-ed25519 z/cefw gvyjcgGTgz6v9SlF2pyCZNR+kXmIWuVHPIBaSfZJxxk
HTrmUfHj1VA5RJF0B0EckJCnk1NrZaw1cLCdcaI718s 2l79Mf1A/VpdQBOX3qJXriuMuUdAsrA4DoJYTxzTa6w
-> ssh-ed25519 npms3w IJMNoUMdUJweP2SoUGdk3umIeXO7QL5mIk7aI+EMOkY -> ssh-ed25519 fY+XUg x2WaSa2nrnrSm1k84G503gIdUhedMGOJEqmPINBOolc
ex8qU/23DSmKQutPhdojiH8O2onrDSzfJwmscFbOl0Y DYWNBBNHEikzv1TEX6r5yF/wfR7n75wQRsc157KKNDY
-> ssh-ed25519 8zRjQA Ebqx9mnF1Uvi9lGPGk2IWg3mqa8m2M4uz+nW9LEkKS0 -> ssh-ed25519 npms3w SLKlrhJurD/QGHN+C1zN8XMckDdbXWYkBlzGo+1Kxiw
Hap4hvmL6hlwUfqIwFIjH1iljJvC1KTPt8z+Cq9qsjk qQM04A3S2CwPff2epteQPDbkJSpZJ7MJ93gGMBRNIc4
-> X25519 n3vP66XLs3MSAW/dlZDcW9bNJwbZbtq+XKMLV1sqJWc -> ssh-ed25519 8zRjQA THrfv8cKI/GkWbBS1VVa289IJMlJduadXxubuOYXRVc
IFvInxs6EGOow22dG4dcVsRXzbzNQSqlQiqIKuuM+r4 oFqQGRkCn+HBlTuY5c1FFkKHCmkrsBdFR1QpzX6oksE
-> X25519 tYKOlzdcn8PM1CuQdS73W3DtqTDLDCUudnUvE7zTYTo -> X25519 x0+Tx+vNwUdSUpGOc1QRAUF2TDtcNxSj8h8A1HNjC2Y
m5Wc1ELWiL2YmMuRh/Zcf1fQK+79ST91+TJtWVV/caQ YwKgXIl51ioyvzeFvSBIUM4mqgBFrZg3sE6hKIQQabQ
--- lu/KRbrX+169CmkNzSWKRo/BELBW+jwCYp/Jv1L0XkU --- gJhJBAoc7OD0YHdcdAeUItimY6k0E4CuLcORrXtIR8A
úQè vøœ~܆ÁòM˜¦ùÚ¶§(*evu‰NVUX> ì`êÆ{ •úÌ…<C38C>Ç@1Årèƒ
Ìe£6@Åö‘_W <0B>Â&LAï%O  hÔ³mÖ cüK÷Sæž £A÷¶X¸{rë1~)<29>RmHF-ñæ5ÑN¯/Îå!æÿîhL<>èÆœˆå£ÇD8üµ° ;¡9M¢;<>
a“ý‡Ô™ZX¬þ<EFBFBD>éÍ°_MËW!…/úÝ¿õm%ÔbY°ïÞç<>üMl¨Â


@ -1,9 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 KjvmEQ 4edeUM2PejWZA97Y5b/vwV9ZtAup5kG++qc9t9Yxt3o -> ssh-ed25519 KjvmEQ iWd1svyPPVu7KIAh2nOpTfWg3z5k7OvOomdy0pc7q0c
R2+4oUVVbaL3moHE1CkL/Xas7FeIJXYnMuZxzuy8FPA If5DhrB20tF5MCEeE1r75u4ttj3wBxKc6rOTffQei4Q
-> ssh-ed25519 fY+XUg 06BdfOWCqx0Xp88VKJ8ek3N97mcChcTeyV8PzMLv3Ss -> ssh-ed25519 fY+XUg rZ6pcgzocZyxz1zsBPKZGnB0kbLqIJtEqDATIn/mvno
eiGnQluRLAxo7bhgW2ZmMfveAtCQTwZw+lVwwq0gWUM f4MI725uZf6PyZJ9cf3hwypWe04hYhhi2ljRdirX83E
-> X25519 eXRB1Xe9BODx0SayXc7nsDddDwVWpjXyxSM2un7xEjM -> X25519 2ojQ4Y3fJfBs+QoN1PUw8+UJqI0AtMIs7kaS+stj7Fc
xxkUaFJbjtk4XHaXdZsjmvh5KaftLJM4Pys3b6xgQHc xKN26qdKksxncH+844/pkjK3IAjCXwgzPGLBxdEOi0g
--- pCTrst4Skeg7GwqXqsO3R3iF4CiO/gmKHBoiQKqESuw --- tKzJAj37+Ke/a4fNE7HVzGvVLFza8+SQID2VxRqDWEs
PåuxÕÿGÀuWÒNîÊe" †«ÿŸ-nwJ‡«ÏÚR{¨Râ×YN„æ¢Öz&Û*çw&Æ|8§+/Š§—¶¸Dܵ ~R•ÔÞ}ÖCFÚ>À²ÄMðÅl€çïÎt»„ ûóÀ—U~¶îiÁMÀ<4D>µm «Q
çRJ…G•@:lšÈ“ïjŽ§G¸Tl%