| -rw-r--r-- | docs/install.org | 7 | ||||
| -rw-r--r-- | machines/darwin/aarch64-darwin/mba-m2.nix | 9 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/vm-synology.nix | 3 | ||||
| -rw-r--r-- | profiles/remote-builder.nix | 14 | ||||
| -rw-r--r-- | secrets/cloudflared_cert.age | bin | 868 -> 868 bytes | |||
| -rw-r--r-- | secrets/cloudflared_cragmont.age | bin | 502 -> 502 bytes | |||
| -rw-r--r-- | secrets/restic_gcs_credentials.age | bin | 2661 -> 2661 bytes | |||
| -rw-r--r-- | secrets/restic_password.age | 12 | ||||
| -rw-r--r-- | secrets/secrets.nix | 7 | ||||
| -rw-r--r-- | secrets/ssh-remote-builder.age | bin | 0 -> 831 bytes | |||
| -rw-r--r-- | secrets/users/fcuny/anthropic-api-key.age | 10 | ||||
| -rw-r--r-- | secrets/users/fcuny/llm.age | bin | 523 -> 413 bytes |
12 files changed, 42 insertions, 20 deletions
diff --git a/docs/install.org b/docs/install.org
index e4e279c..d552513 100644
--- a/docs/install.org
+++ b/docs/install.org
@@ -2,6 +2,13 @@
 #+AUTHOR: Franck Cuny
 #+EMAIL: franck@fcuny.net
+* Darwin
+** =agenix=
+Create SSH host keys with =sudo ssh-keygen -A=.
+
+You then need to add the public key (=/etc/ssh/ssh_host_ed25519_key.pub=) to [[file+emacs:../secrets/secrets.nix][secrets.nix]] and re-key the secrets, running =agenix -i ~/.ssh/agenix -r=.
+
+You can then validate that they key is encrypted properly with =sudo agenix -i /etc/ssh/ssh_host_ed25519_key -d ssh-remote-builder.age=.
 * Virtual machine running on the Synology NAS
 ** Creating the VM
 - chose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
diff --git a/machines/darwin/aarch64-darwin/mba-m2.nix b/machines/darwin/aarch64-darwin/mba-m2.nix
index 1cd9aa8..9970e62 100644
--- a/machines/darwin/aarch64-darwin/mba-m2.nix
+++ b/machines/darwin/aarch64-darwin/mba-m2.nix
@@ -5,6 +5,15 @@
   ...
 }:
 {
+
+  age = {
+    secrets = {
+      ssh-remote-builder = {
+        file = "${self}/secrets/ssh-remote-builder.age";
+      };
+    };
+  };
+
   imports = [
     "${self}/profiles/home-manager.nix"
     "${self}/profiles/darwin.nix"
diff --git a/machines/nixos/x86_64-linux/vm-synology.nix b/machines/nixos/x86_64-linux/vm-synology.nix
index 1f7307c..309c3a6 100644
--- a/machines/nixos/x86_64-linux/vm-synology.nix
+++ b/machines/nixos/x86_64-linux/vm-synology.nix
@@ -82,7 +82,10 @@ users.users.builder = {
     openssh.authorizedKeys.keys = [
+      # my personal key
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+      # remote builder ssh key
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
     ];
     isNormalUser = true;
     group = "nogroup";
diff --git a/profiles/remote-builder.nix b/profiles/remote-builder.nix
index cc7751f..50d3e84 100644
--- a/profiles/remote-builder.nix
+++ b/profiles/remote-builder.nix
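Review bot: The `age.secrets.ssh-remote-builder` declaration is added to the mba-m2 machine file, but its consumer, `sshKey = config.age.secrets.ssh-remote-builder.path` in profiles/remote-builder.nix, is a shared profile; any host that imports that profile without also declaring the secret fails at evaluation on the missing attribute. Declaring `age.secrets.ssh-remote-builder.file = "${self}/secrets/ssh-remote-builder.age";` inside the profile itself keeps the secret next to the code that depends on it. The secret is the private key for the builder account, so the agenix defaults (root-owned, not group/world readable) match what the nix-daemon needs; a comment such as `# private SSH key the nix-daemon uses to reach the remote builder (consumed by profiles/remote-builder.nix)` would make that intent explicit.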
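Review bot: The second entry in `users.users.builder.openssh.authorizedKeys.keys` is labelled only `# remote builder ssh key`, which does not say where the matching private key lives or which hosts hold it; `# public half of secrets/ssh-remote-builder.age (recipients listed in secrets/secrets.nix); rotate both together` makes rotation and revocation traceable. Because this key now grants login as `builder` to every recipient of that age secret, it is worth confirming the account carries nothing beyond what remote builds need; the hunk shows `isNormalUser = true` and `group = "nogroup"`, but the rest of the account definition is outside the hunk.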
@@ -1,21 +1,18 @@
-{ ... }:
+{ config, ... }:
 {
   nix.buildMachines = [
     {
-      hostName = "vm-synology";
+      hostName = "builder";
       sshUser = "builder";
-      # 'ssh-ng' is faster if both machines are NixOS but falls flat if the
-      # machine Nix will attempt a connection to is not NixOS. In such a case
-      # you must use 'ssh' instead.
-      protocol = "ssh-ng";
+      protocol = "ssh";
+
+      sshKey = config.age.secrets.ssh-remote-builder.path;
-      # Systems for which builds will be offloaded.
       systems = [ "x86_64-linux" ];
-      # Default is 1 but may keep the builder idle in between builds
       maxJobs = 1;
       supportedFeatures = [
@@ -30,5 +27,6 @@
     Host builder
       User builder
       HostName vm-synology
+      IdentityFile ${config.age.secrets.ssh-remote-builder.path}
   '';
 }
diff --git a/secrets/cloudflared_cert.age b/secrets/cloudflared_cert.age
Binary files differ
index 3eee66a..cd411fe 100644
--- a/secrets/cloudflared_cert.age
+++ b/secrets/cloudflared_cert.age
diff --git a/secrets/cloudflared_cragmont.age b/secrets/cloudflared_cragmont.age
Binary files differ
index 986d699..94b82ab 100644
--- a/secrets/cloudflared_cragmont.age
+++ b/secrets/cloudflared_cragmont.age
diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age
Binary files differ
index 8ee6981..88bc631 100644
--- a/secrets/restic_gcs_credentials.age
+++ b/secrets/restic_gcs_credentials.age
diff --git a/secrets/restic_password.age b/secrets/restic_password.age
index b5c94e2..b3f8f05 100644
--- a/secrets/restic_password.age
+++ b/secrets/restic_password.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 pFjJaA iHTs45YXsTQXK+OINYkkQa69zzWQ3vbvRq4BEUTcQCw
-EBhd2JKma+aZInyLyzLJXG0ceBlSxF3iXa23NtUPQ30
--> ssh-ed25519 qRUWSw eROWQVI+Wb4tDmRMeX0ietX+cpWy248UO1sbghnXz2E
-H1+zbwjLrytYe3XAcmS34q1A+unmctOf6koVTUyc6bM
---- lLozC4In1nPiUoXtXWH2hqfotyFnUxX+sW1k4mCkYyE
-$η2(!{mg9+L4]t4it9j9 PaZqou
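Review bot: The comment explaining the `ssh-ng` versus `ssh` trade-off is removed but not replaced, so the new `protocol = "ssh";` carries no rationale; vm-synology is a NixOS host judging by its path, so a reader would expect `ssh-ng` to work, and a one-liner such as `# 'ssh' instead of 'ssh-ng': <reason for this builder>` would prevent the next maintainer from flipping it back. The nix-daemon uses `sshKey` and the `Host builder` alias as root, so it also needs the builder's host key pinned (for example via `programs.ssh.knownHosts`); nothing in these hunks shows that, and a non-interactive root ssh against an unknown host key either fails or accepts it on first use depending on client defaults. `IdentityFile` in the `Host builder` block repeats what `sshKey` already gives the daemon, and since the agenix path is root-readable by default an unprivileged `ssh builder` will not be able to read it; if the alias is meant for interactive use, a comment saying so (or a user-readable key) is warranted. The `programs.ssh.extraConfig` string that the second hunk's `Host builder` block belongs to starts outside the hunk.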
\ No newline at end of file +-> ssh-ed25519 pFjJaA 6rJ2C6ghcgTKl67mr/2lp4wbA0DwpqX43iljzuWCAAU +YzZ+2sYsnrDUMFtECf9sS4yZzdB2GklC5Dz48NVIqW8 +-> ssh-ed25519 qRUWSw mLUa0kPAduhnzYaW9yz/4/1d6RWQUSV0jxofDqxE7nU +JYfdDVyFpaGCD390lFotPUNe5QSL6Y1d8MmKg1+3Sco +--- uUJzCo1/YTCCHZeoBV/WS1pzKdT0s2ObtvAIEsB+ULU +ip1Mz>,uڃKKXB:?^麯Ș5(
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b437995..52f2311 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,6 +1,7 @@
 let
   hosts = {
     vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
+    mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c root@mba-m2";
   };
   users = {
     fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
@@ -34,4 +35,10 @@ in
     users.fcuny
     hosts.vm-synology
   ];
+  # this is the SSH key we use to access the remote builder.
+  "ssh-remote-builder.age".publicKeys = [
+    users.fcuny
+    hosts.vm-synology
+    hosts.mba
+  ];
 }
diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age
Binary files differ
new file mode 100644
index 0000000..e7e6214
--- /dev/null
+++ b/secrets/ssh-remote-builder.age
diff --git a/secrets/users/fcuny/anthropic-api-key.age b/secrets/users/fcuny/anthropic-api-key.age
index e655eaf..010b242 100644
--- a/secrets/users/fcuny/anthropic-api-key.age
+++ b/secrets/users/fcuny/anthropic-api-key.age
@@ -1,7 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 9Ia8+w Uuyac8BHIeels3jbOew49uzdZHAKiy4OfzZNVvqHigI
-SVrFSS1UIAhds24sVNtcUmSj4pF4ann2sS1Z7uLwlRA
--> ssh-ed25519 pFjJaA Z9ToZUj5+pEF81kDEodCgxeM6Uc2euzMELgfLheX6WY
-S0Qa3gowL0TlQwLIUjhJDuSQwUQhVGKgKgYzer4ekxI
---- rBr7v8PZV8+s1BXxgpn84FjnNiKU50GeF/uwJuNwsKc
-Vw
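Review bot: `"ssh-remote-builder.age".publicKeys` lists `hosts.vm-synology`, which lets the builder host decrypt the very private key that clients use to authenticate to it; unless vm-synology also offloads builds somewhere, only the client host (`hosts.mba`) and the admin user need this secret, and dropping `hosts.vm-synology` from the list keeps the recipient set to the minimum. The comment `# this is the SSH key we use to access the remote builder.` could name both ends: `# private key for the builder account on vm-synology; consumed via sshKey in profiles/remote-builder.nix`. The new host entry is keyed `mba` while its key comment says `root@mba-m2` and the machine file is mba-m2.nix; using one name avoids confusion as more darwin hosts are added. The attribute that the `users.fcuny` / `hosts.vm-synology` context lines of the second hunk belong to starts outside the hunk.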
6K5kU`KVpC?MZDHKfGr
YiVpfÐYIHZ=ݥ"yb}XK]sw `24['wXgM=X\&3f&Щ'5~
\ No newline at end of file +-> ssh-ed25519 pFjJaA qXtTUntXWMEP45HrvU+T1qE7FD53q2ijxd28Y+eLtRw +gV1pMHr/tYWnU6tE1OXbKyu71mxNI4d4z7so8QiR02I +--- wTJ4/PEMTlcHRy+gl5FNsVy19x7IkCPRB83JYAzYcZo +/z<Sm@AHDfV@a[>qR/w.;;kN)!d!lΆ00iA} WIMHuԺp
*nn_ӊep3wCJZYunhb1[wޒ濐6
\ No newline at end of file
diff --git a/secrets/users/fcuny/llm.age b/secrets/users/fcuny/llm.age
Binary files differ
index 79223f8..4d623d8 100644
--- a/secrets/users/fcuny/llm.age
+++ b/secrets/users/fcuny/llm.age |
