authorFranck Cuny <franck@fcuny.net>2026-01-09 19:11:37 -0800
committerFranck Cuny <franck@fcuny.net>2026-01-12 08:20:24 -0800
commit72307e4dca688a5f2b88cef26273aaa6a5e189db (patch)
tree7883bd1387cac0c0ad9180ef75fe0b98965706df /machines
parentclean up ssh keys for the admin user (diff)
downloadinfra-72307e4dca688a5f2b88cef26273aaa6a5e189db.tar.gz
don't use agenix from home manager
Install the key with the host's configuration and rekey the secrets.
Diffstat (limited to 'machines')
-rw-r--r--machines/argonath.nix16
-rw-r--r--machines/bree.nix18
-rw-r--r--machines/mba-personal.nix14
-rw-r--r--machines/mbp-work.nix7
-rw-r--r--machines/rivendell.nix48
5 files changed, 61 insertions, 42 deletions
diff --git a/machines/argonath.nix b/machines/argonath.nix
index 3d1b1eb..d1f1f7e 100644
--- a/machines/argonath.nix
+++ b/machines/argonath.nix
@@ -1,5 +1,13 @@
{ adminUser, ... }:
{
+ wgPublicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
+
+ age.secrets = {
+ wireguard.file = ../secrets/argonath/wireguard.age;
+ acme-cloudflare-env.file = ../secrets/acme-cloudflare-env.age;
+ };
+
imports = [
../profiles/core-metrics.nix
../profiles/defaults.nix
@@ -15,14 +23,6 @@
networking.hostName = "argonath";
- wgPublicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHi9jHqRjpMzXlznTXi4nEtlRlFfyIzB6Ur9A+HDfFoq";
-
- age.secrets = {
- wireguard.file = ../secrets/argonath/wireguard.age;
- acme-cloudflare-env.file = ../secrets/acme-cloudflare-env.age;
- };
-
system.stateVersion = "25.05"; # Did you read the comment?
home-manager.users.${adminUser.name} = {
diff --git a/machines/bree.nix b/machines/bree.nix
index 24089a0..1560ce6 100644
--- a/machines/bree.nix
+++ b/machines/bree.nix
@@ -5,6 +5,15 @@
...
}:
{
+ wgPublicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFM4wZaYwz8kuu6lNrdrN6QOyouGQ0v1ye+Iwh1jawNi";
+
+ age.secrets = {
+ wireguard.file = ../secrets/bree/wireguard.age;
+ disk-unlock-key.file = ../secrets/bree/disk-unlock-key.age;
+ disk-passphrase.file = ../secrets/bree/disk-passphrase.age;
+ };
+
imports = [
../profiles/core-metrics.nix
../profiles/defaults.nix
@@ -21,15 +30,6 @@
networking.useDHCP = lib.mkDefault true;
systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- wgPublicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFM4wZaYwz8kuu6lNrdrN6QOyouGQ0v1ye+Iwh1jawNi";
-
- age.secrets = {
- wireguard.file = ../secrets/bree/wireguard.age;
- disk-unlock-key.file = ../secrets/bree/disk-unlock-key.age;
- disk-passphrase.file = ../secrets/bree/disk-passphrase.age;
- };
-
services.remoteDiskUnlock = {
enable = true;
hosts = [
diff --git a/machines/mba-personal.nix b/machines/mba-personal.nix
index 2d82567..0ce4279 100644
--- a/machines/mba-personal.nix
+++ b/machines/mba-personal.nix
@@ -1,6 +1,18 @@
{ adminUser, pkgs, ... }:
{
- age.secrets.ssh-remote-builder.file = ../secrets/ssh-remote-builder.age;
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c";
+
+ age.secrets = {
+ ssh-remote-builder.file = ../secrets/ssh-remote-builder.age;
+ anthropic-api-key = {
+ file = ../secrets/anthropic-api-key.age;
+ owner = "${toString adminUser.uid}";
+ };
+ restic-password = {
+ file = ../secrets/restic-pw.age;
+ owner = "${toString adminUser.uid}";
+ };
+ };
imports = [
../profiles/darwin.nix
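Review bot: The `owner = "${toString adminUser.uid}";` lines for anthropic-api-key and restic-password wrap a value that is already a string in an interpolation; `owner = toString adminUser.uid;` says the same thing more directly, and the identical form appears in the mbp-work.nix hunk of this commit. It is also worth confirming that the agenix module being used accepts a numeric uid string for `owner` rather than a user name, since the value is handed to the ownership step as-is. A short comment above the block would help a later reader, because the commit message explains the move away from home-manager's agenix but the file does not: `# Secrets read from the admin user's session are owned by that uid; mode is left at the module default.`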
diff --git a/machines/mbp-work.nix b/machines/mbp-work.nix
index 16d9c59..851444a 100644
--- a/machines/mbp-work.nix
+++ b/machines/mbp-work.nix
@@ -1,5 +1,12 @@
{ adminUser, pkgs, ... }:
{
+ age.secrets = {
+ anthropic-api-key = {
+ file = ../secrets/users/fcuny/anthropic-api-key.age;
+ owner = "${toString adminUser.uid}";
+ };
+ };
+
imports = [
../profiles/darwin.nix
../profiles/home-manager.nix
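Review bot: No `publicKey` is set for mbp-work in this hunk, unlike argonath, bree, mba-personal and rivendell in the same commit, so it is not visible from this file which host key the rekeyed `../secrets/users/fcuny/anthropic-api-key.age` is encrypted to; if the key is declared elsewhere in the file or in a shared profile that is fine, otherwise the host will not be able to decrypt the secret after the rekey described in the commit message. The secret path also differs from mba-personal's `../secrets/anthropic-api-key.age`, presumably a separate key for the work machine; a one-line comment would make that intent explicit: `# work-specific key, distinct from the personal one in ../secrets/anthropic-api-key.age`.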
diff --git a/machines/rivendell.nix b/machines/rivendell.nix
index 6b16d67..0c4ac28 100644
--- a/machines/rivendell.nix
+++ b/machines/rivendell.nix
@@ -5,27 +5,8 @@
...
}:
{
- imports = [
- ../profiles/authelia.nix
- ../profiles/core-metrics.nix
- ../profiles/defaults.nix
- ../profiles/disk/btrfs-on-luks.nix
- ../profiles/git-server.nix
- ../profiles/hardware/framework-desktop.nix
- ../profiles/home-manager.nix
- ../profiles/miniflux.nix
- ../profiles/monitoring.nix
- ../profiles/remote-unlock.nix
- ../profiles/restic-backup.nix
- ../profiles/server.nix
- ../profiles/storage-media.nix
- ../profiles/users/admin-user.nix
- ../profiles/users/builder.nix
- ../profiles/users/home-manager.nix
- ../profiles/wireguard.nix
- ];
-
- boot.kernelModules = [ "sg" ];
+ wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
age.secrets = {
wireguard.file = ../secrets/rivendell/wireguard.age;
@@ -52,13 +33,32 @@
};
};
+ imports = [
+ ../profiles/authelia.nix
+ ../profiles/core-metrics.nix
+ ../profiles/defaults.nix
+ ../profiles/disk/btrfs-on-luks.nix
+ ../profiles/git-server.nix
+ ../profiles/hardware/framework-desktop.nix
+ ../profiles/home-manager.nix
+ ../profiles/miniflux.nix
+ ../profiles/monitoring.nix
+ ../profiles/remote-unlock.nix
+ ../profiles/restic-backup.nix
+ ../profiles/server.nix
+ ../profiles/storage-media.nix
+ ../profiles/users/admin-user.nix
+ ../profiles/users/builder.nix
+ ../profiles/users/home-manager.nix
+ ../profiles/wireguard.nix
+ ];
+
+ boot.kernelModules = [ "sg" ];
+
networking.hostName = "rivendell";
networking.useDHCP = lib.mkDefault true;
systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
-
services = {
website = {
enable = true;