authorFranck Cuny <franck@fcuny.net>2026-01-16 18:45:15 -0800
committerFranck Cuny <franck@fcuny.net>2026-01-16 18:45:15 -0800
commit28496512361b2241972a925aa22f7c1c35c5cd68 (patch)
tree4c3e6ce0651165f268df35e1779fa64d9d4b3d7f /secrets/secrets.nix
parentfix uid on mbp and ensure it can read anthropic's key (diff)
downloadinfra-28496512361b2241972a925aa22f7c1c35c5cd68.tar.gz
rekey all secrets with my age keys on the yubikeys
Diffstat (limited to '')
-rw-r--r--secrets/secrets.nix57
1 files changed, 40 insertions, 17 deletions
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a677a03..3e0c38a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,99 +9,122 @@ let
users = {
fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
};
+ age = [
+ "age1yubikey1qv92lk8ckjm2qs900h89pz9myl3nfjnz7fc0eluppexyfgc0pfnjusaje3w"
+ "age1yubikey1qd30fnnxd2uh9lgw0dr7nwvmn003rmzkrg87xfw67gdsf7u0lhm3kd4w8ul"
+ "age1yubikey1qwrxced5j32ks5cc5aqffwz68yva9ukkz6tx5xm2sjn8swl2evtlsjlmsy9"
+
+ ];
in
{
"acme-cloudflare-env.age".publicKeys = [
users.fcuny
hosts.argonath
- ];
+ ]
+ ++ age;
"restic-pw.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
"restic-nas-smb-config.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINE3mdcVS7+DPr7MZzIh3JsuI5t4z83j7ZAdAYxFLW4S rsync-nas
"rsync-ssh-nas.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
# this is the SSH key we use to access the remote builder.
"ssh-remote-builder.age".publicKeys = [
users.fcuny
hosts.mba
- ];
+ ]
+ ++ age;
"miniflux-oidc.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
"grafana-oidc.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
# generated with:
# openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
"authelia-storage-key.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
# generated with:
# openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
"authelia-jwt-key.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
# generated with:
# authelia crypto pair rsa generate
"authelia-jwks.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
"authelia-users.yaml.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
"bree/wireguard.age".publicKeys = [
users.fcuny
hosts.bree
- ];
+ ]
+ ++ age;
"bree/disk-passphrase.age".publicKeys = [
users.fcuny
hosts.bree
- ];
+ ]
+ ++ age;
"bree/disk-unlock-key.age".publicKeys = [
users.fcuny
hosts.bree
- ];
+ ]
+ ++ age;
"rivendell/wireguard.age".publicKeys = [
users.fcuny
hosts.rivendell
- ];
+ ]
+ ++ age;
"argonath/wireguard.age".publicKeys = [
users.fcuny
hosts.argonath
- ];
+ ]
+ ++ age;
"anthropic-api-key.age".publicKeys = [
users.fcuny
hosts.mba
hosts.mbp
- ];
+ ]
+ ++ age;
}
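Review bot: `users.fcuny` (the ssh-ed25519 key) is still a recipient of every secret after this change, so each `.age` file remains decryptable with that software key and the three YubiKey identities add access paths rather than replacing one; this applies to all seventeen `publicKeys` lists in the hunk. If the goal of the rekey is hardware-bound decryption, drop `users.fcuny` from the lists once the YubiKeys are confirmed to decrypt, or add a comment saying why it is kept as a fallback. The recipients in the `age` list are also unlabeled, which makes revoking a lost token error-prone; a per-line comment such as `# yubikey <label>, slot <n>` would help, and the stray empty line before `];` can go. The `let` block begins before the hunk, so the `hosts` definitions are not visible here.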