wip a different secret

2023-04-05 16:50:43 +03:00 · 2023-04-05 16:50:43 +03:00 · a0c620725b
commit a0c620725b
parent c4acd525c7
5 changed files with 37 additions and 1 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -102,6 +102,7 @@ in {
    };
  };

+
  time.timeZone = "UTC";

  users = {
--- a/flake.nix
+++ b/flake.nix
@ -39,6 +39,11 @@
          ./zfs.nix

          agenix.nixosModules.default
+
+          {
+            #age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age;
+            age.secrets.x.file = ./secrets/hel1-a/zfs-passphrase.age;
+          }
        ];
      };

@ -62,7 +67,8 @@
      devShells.default = with pkgs;
        mkShell {
          packages = [
-              pkgs.age
+              pkgs.rage
+              pkgs.age-plugin-yubikey
              agenix.packages.${system}.agenix
              deploy-rs.packages.${system}.deploy-rs
          ];
--- a/secrets.nix
+++ b/secrets.nix
@ -0,0 +1,10 @@
+let
+  motiejus = "age1yubikey1qtwmhf7h7ljs3dyx06wyzme4st6w4calkdpmsxgpxc9t2cldezvasd6n8wg";
+  users = [ motiejus ];
+
+  hel1-a = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
+  systems = [ hel1-a ];
+in
+{
+  "secrets/hel1-a/zfs-passphrase.age".publicKeys = [ motiejus hel1-a ];
+}
--- a/secrets/hel1-a/zfs-passphrase.age
+++ b/secrets/hel1-a/zfs-passphrase.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 vDjOfg KnpCkORn/iztI4mW7KJSPWz7w5+suCy0DbpSal9/NUY
+1brrf3mbnQuswCz96J/vy0cnKw5gFH1SZ0pQFKZK4Do
+-> piv-p256 +y2G/w Ayr131SxWAZEaUgyXLS8TcyccefAkG5MG/Zx6xHj0kOH
+eyy7OTR7xQb94FI6vWRULLC0kpps5S7jDMmZh6PNyBQ
+-> Bgmf{-grease
+J0eB9JaT3C/6anoo+SSMly9Pr7PIOckxVwi8WXx47tCfbzHUVq5xW07QNoT8QJPS
+EghExahZE0OEgMwVB1gS0IHnaygSpkklCUTJ235cQTadBXyDRYdTJ5BHFtb0
+--- xYpDb8+FYgwnhvK5U+VS9uhj7z6WwoYuZieFtuQYtKs
+Ø¹ +sDàŠ$Ç²00îWºÞÐƒ³ðX9¹ÔRQoòÏkú<6B>^UqtL‚	©N._6sl5¬—íN4âä¼3;
--- a/secrets/identity.txt
+++ b/secrets/identity.txt
@ -0,0 +1,9 @@
+#       Serial: 9089636, Slot: 1
+#         Name: motiejus/config-secrets
+#      Created: Wed, 05 Apr 2023 12:14:28 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+#    Recipient: age1yubikey1qtwmhf7h7ljs3dyx06wyzme4st6w4calkdpmsxgpxc9t2cldezvasd6n8wg
+AGE-PLUGIN-YUBIKEY-1VJEG5QYZLVKCDLCCDUEEX
+
+