feat: return to barebones agenix

flake.nix

@@ -15,11 +15,6 @@
 
     agenix.url = "github:ryantm/agenix";
 
-    agenix-rekey = {
-      url = "github:oddlama/agenix-rekey";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     flake-utils.url = "github:numtide/flake-utils";
 
     spicetify-nix = {
@@ -42,7 +37,6 @@
       nixpkgs,
       nixos-hardware,
       agenix,
-      agenix-rekey,
       spicetify-nix,
       nix-index-database,
       private-config,
@@ -54,7 +48,6 @@
           inherit inputs;
           inherit spicetify-nix;
           inherit agenix;
-          inherit agenix-rekey;
           inherit private-config;
         };
 
@@ -63,22 +56,15 @@
         # List all Modules to load
         modules = [
           agenix.nixosModules.default
-          agenix-rekey.nixosModules.default
           nixos-hardware.nixosModules.framework-13-7040-amd
           nix-index-database.nixosModules.nix-index
           ./modules/utils/agenix/agenix.nix
           ./modules
           ./home
+          private-config.nixosModules.default
         ];
       };
 
-      agenix-rekey = agenix-rekey.configure {
-        userFlake = self;
-        nixosConfigurations = self.nixosConfigurations;
-        # Example for colmena:
-        # nixosConfigurations = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes;
-      };
-
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
     };
 }

home/default.nix

@@ -36,12 +36,11 @@
         accent = "mauve";
       };
 
-      imports =
+      imports = [
-        [
         inputs.catppuccin.homeModules.catppuccin
         inputs.spicetify-nix.homeManagerModules.default
         inputs.nix-index-database.homeModules.nix-index
-          # inputs.agenix.homeManagerModules.age
+        inputs.agenix.homeManagerModules.age
         inputs.private-config.homeManagerModules.default
       ]
       ++ [

home/misc_pkgs/packages.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  agenix-rekey,
   ...
 }:
 {
@@ -73,8 +72,7 @@
     nix-output-monitor
     nil
     nh
-    # agenix.packages.${system}.default
+    agenix.packages.${system}.default
-    agenix-rekey.packages.${system}.default
     nixfmt-rfc-style
     nixpkgs-review
 

modules/utils/agenix/agenix.nix

@@ -1,109 +0,0 @@
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}:
-{
-  # TODO: Get a token2 and set up https://github.com/oddlama/agenix-rekey
-  age = {
-    identityPaths = [ "/var/lib/persistent/host_id_ed25519" ];
-
-    rekey = {
-      agePlugins = [ pkgs.age-plugin-fido2-hmac ];
-
-      # Obtain this using `ssh-keyscan` or by looking it up in your ~/.ssh/known_hosts
-      hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJynM8SLRXRrfGRJd43T4wabsOHFcWeeuTym9h7vl7Io";
-      # The path to the master identity used for decryption. See the option's description for more information.
-      masterIdentities = [ ./token2_hmac.pub ];
-      #masterIdentities = [ "/home/myuser/master-key" ]; # External master key
-      #masterIdentities = [
-      #  # It is possible to specify an identity using the following alternate syntax,
-      #  # this can be used to avoid unecessary prompts during encryption.
-      #  {
-      #    identity = "/home/myuser/master-key.age"; # Password protected external master key
-      #    pubkey = "age1qyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqszqgpqyqs3290gq"; # Specify the public key explicitly
-      #  }
-      #];
-      storageMode = "local";
-      # Choose a directory to store the rekeyed secrets for this host.
-      # This cannot be shared with other hosts. Please refer to this path
-      # from your flake's root directory and not by a direct path literal like ./secrets
-      localStorageDir = ./. + "/rekeyed/${config.networking.hostName}";
-    };
-
-    secrets = {
-      access-tokens-github.rekeyFile = ./secrets/gh_argstr.age;
-
-      fbda-wg-privkey.rekeyFile = ./secrets/fbda_wg_priv_key.age;
-      fbda-wg-psk.rekeyFile = ./secrets/fbda_wg_psk.age;
-
-      obvps-id = {
-        rekeyFile = ./secrets/1bvps.age;
-        path = "/home/rhea/.ssh/id_1bvps";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      dn42git_token = {
-        rekeyFile = ./secrets/dn42git_token.age;
-        path = "/home/rhea/.ssh/id_dn42_etwas";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      ncvps-id = {
-        rekeyFile = ./secrets/ncvps.age;
-        path = "/home/rhea/.ssh/id_ncvps";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      gh_etwas = {
-        rekeyFile = ./secrets/gh_token.age;
-        path = "/home/rhea/.ssh/id_gh_etwas";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      gcd_etwas = {
-        rekeyFile = ./secrets/gcd_etwas.age;
-        path = "/home/rhea/.ssh/id_gcd_etwas";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      ebd_rhea = {
-        rekeyFile = ./secrets/ebd_token.age;
-        path = "/home/rhea/.ssh/id_ebd_rhea";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      glrwth_tuda = {
-        rekeyFile = ./secrets/glrwth_token.age;
-        path = "/home/rhea/.ssh/id_glrwth_tuda";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      etwas_sign_key = {
-        rekeyFile = ./secrets/sign_etwas.age;
-        path = "/home/rhea/.ssh/etwas_sign_key";
-        owner = "rhea";
-        symlink = false;
-      };
-
-      ffda_outoor_key = {
-        rekeyFile = ./secrets/ffda_token.age;
-        path = "/home/rhea/.ssh/id_ffda_outdoor";
-        owner = "rhea";
-        symlink = false;
-      };
-    };
-  };
-
-  nix.extraOptions = ''
-    !include ${config.age.secrets.access-tokens-github.path}
-  '';
-}

modules/utils/agenix/default.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./agenix.nix
-  ];
-}

modules/utils/agenix/rekeyed/rhea-laptop/75b8bbd64b17a040f92a8c09aa0a18b1-fbda-wg-psk.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 7JS6dg krvfE+Q3MyPk9atXqvWIZ34jdnLIuJ0SoocHwHiC9l0
-8DuWAGg+sp/22GVFxx5NIBp2NF3mk/9hs2uOBWx0Q9g
--> @-grease ]0mX_ M2]l G
-q/uLLUTyYlZpDQ
---- akYJCo6Fx7+mjZBYtwXI+4ji9+VHq+qtNHLjp051m/0
-žBÊéhèÏsGqƒŽnwßë<C39F>ˆÑž¯‚,'¸vM«ñš_×.ïx@´~<7E>7
-„›ñAÌÚïn­«?Ï‘ø$
ñ]ì²~3°¦U}Ý9

modules/utils/agenix/rekeyed/rhea-laptop/fe3b797d7fc54e6a24d4e9dcb049e626-access-tokens-github.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 7JS6dg X4tDO/iunyQPRSCQElOeZ2Wggl1iVgXtsi1U4AiLIzs
-YhWzsL787a4tidiOfGm4wBEnextzg7q2T/NvSOYgHhs
--> )lD,-grease L s=]tTt0 %fL1
-Z8++T2G4ef9Rogaf1khv2rVNQC2ksRR+BV80ZCc4vRPfbocTbeYzLkKhlDNcBI7x
-uM6TGxU
---- BVxz5t84EgdJoqGCbd7r8y38wOPmQzW18DI+8M8Z9/U
-±
-6ùÝ9k"¢MZ%ȪÎY¢@‰ã)•;“ž ‰ß½ª5I›¡dÜŠ*—‚Wvóï×㿧åWdÞ‡·"TZV7xp|E+	U}BÍrÖPô¯œ<…o©«—¼G,Zý<5A>¤=Râ95„º¸&ûvÕ(ŒhíÒŽl4‡¡¬¨Õ£ÕI“Ça,Æî#0ŒydzG¼ Úâ|¹¦ãˆ<C3A3>Á+_

modules/utils/agenix/secrets/fbda_wg_psk.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> X25519 9gg+So36zrxzTKZ+NKEE0Mi0+1PJhg25+h5TJCDCWCM
-oD9VMqfQQ8enVjUoHugRbaICHRcUILhhaMMfk4VkYLA
--> v_-grease )
-Ig
---- XuF9ikNgXeY3V4FBAfrSftQXmA1Jxm7DIU77EFyPt8A
-ÞÏ€Áæa;ï…<C3AF>ÂI}eäàô·ãªc×I­†m¯ã$®zìŠëmATèÞï”Ù	!ZQ³`×9œeK`Ág¿ú ¶7ùñ¦‡›kË{‘ã

modules/utils/agenix/secrets/gh_argstr.age

@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> X25519 GKUURHej+ErV3IMimOmdGwFVPZ/h+QaqdjZPLxseNBY
-C1Pig/pPSJMk34PrH3mXbMwX9tMDKuelJ5ttUB5e3+k
--> $g:]dvYJ-grease
-1z69372dSEFbYg7Ny+Xn/6RAozi43aaSybJG/HScdMSzFvttJ7gYbZEStEo32MMm
-TjLKHwBX205vizvoeskIMdhp0Vr7vz894//0MEEJAeIbsVKV/eEUbw
---- FhK586dKqyoWab5v9kI7SW+Cg+ID+fYtlsrpidOA2PA
-¬2R©ĄŃ K@lE0AoŹş~éWmŁîe\ )ZaJ÷§)pĺ ńţ"đš1i”öŢürQy2Ý›.ËçfnżéMÎźć~Śś¦=Ńů9׼X	*Ě\†>Mů	BTš÷Óf  
-dţ€DÉć´ţńÜ	W‡:bíMú®Ó]ó—TčSů×P椦JÄ
2‚íç» ŢaEŐ Í5)ßżc÷Đ
äÍ

modules/utils/agenix/secrets/glrwth_token.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> X25519 cRGm7gXPptdANVdI68CkmKmguojNn/8fI9KS3m/6wng
-p//dLMAqSr/UNYsmWCHy28hiMAFI2u4xyrZ0jb+yTQ4
--> wD%m*X*]-grease " qB0 9npD"
-vT2TiwtPdyYwvUxHusUhE8Ef4iqAzwkBzA+xmlW0UA7bgMe/7yMx9UsyRv4Qo3TL
-nQKDl4Z16SVXWXPUWXa4JiWhIXCrIQ
---- g9xrDSSxbAzvkNpHNMRAaBAPqHxRAE9Bw0fvTUV4UQ0
-ôÖYv·£à?ôãˉEÆ
/:Y%~E6-{:êıMœP‘ŒmNeeoõìê}F/ílŠ’<aî‰.µ¾ö§¢ùRÁÒ<Á‹Eg=:ÔÔ¿ JÀ.?ØÃPŽªó^NzGíÐnú(YþZ‹Øëûq›g8«Í}Æßy%w_µÑ¢Ž³ÔÞN=Eô<45>¢Æ¥>1ÓöïðM.”ù/ˆF0êÜ„r›Ï‚­¢#<23>˜  ¬D,ñÿzŸXÐmOqŽ×7’ÒOf<4F>mþ'YÃR˜•MV$DŽL•´ÞPõÍŽ#X2~þÙp£~œz„ÿékhzžSÓA¿+ZÕ‰µõ½J¢áâßn{AT¡D¦W&w+J²N·Wæ<03>ùô{˘ʚqWѲ’šXFþ¾~Ä{¬‹éÓcló¥+þÖ$]<5D>^‚ LÔ¦>w¢ra*ÿä J;.’Èd=sÇ…Ó–±(l“û™¬À•MJX?g…>T®Ûf¡;Õ·8ÚKÙäfhô芓Ôc$
)˜Fyó!Ó<>ć7$´8ˆú7<C3BA>®+Bþû%h¨imòïÎí²r„’£JÑK¨ÑØæU¦Ÿ{ó

modules/utils/agenix/token2_hmac.pub

@@ -1,2 +0,0 @@
-# public key: age13df3ep0jm5f5nd63rm9lqscclcq6ckkpah4s8jnr986c2qajuq8saw67ju
-AGE-PLUGIN-FIDO2-HMAC-1QQPQRFE05VSA89230US6NVEN6J07306NRQATZ7D5D3GUDERJXPHA22L3RMQM34HFCM5QVRSJTGJHD6PLG4LEWNZ0URE07450UKV5S3ZKMU8AHK7QE7JZD0T7SDW8TNLKDWWN929Q7LCRZ84HCX23TUCQ67377LLCKHU336CLSHS6UWGGJGQPEF44EN0V43P9EQJKJJWECJER5P0D7Y76MLG9

modules/utils/default.nix

@@ -1,6 +1,5 @@
 {
   imports = [
-    ./agenix
     ./auth.nix
     ./docker.nix
     ./gnome.nix