feat: overhaul key management for agenix

2025-01-17 20:52:09 -08:00 · 2024-12-27 20:12:15 -08:00 · 2024-12-27 20:12:15 -08:00 · 4f510f7418
commit 4f510f7418
parent 39cbcd9c76
12 changed files with 48 additions and 96 deletions
--- a/reference/secrets/authorized_keys.nix
+++ b/reference/secrets/authorized_keys.nix
@ -0,0 +1,13 @@
+rec {
+  users = builtins.attrValues {
+    youwen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwqDFdb/cs5K9gsgP0ogyuq5pv9hSxsyPnDcWc5wRKs";
+    runner = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEBFBqlbHn3gMuV0i8U48xctZUWXkmHsCK1O6LRpXpj";
+  };
+
+  systems = builtins.attrValues {
+    demeter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4BRdoxPnmlhMD1kI7qXwVE//6h1XWUnkwpzDuJaAyC";
+    gallium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzDKscmZIz7GF0nfKpnKHq63/fwzx2PXir0mUtRDOgu";
+  };
+
+  all = users ++ systems;
+}
--- a/reference/secrets/nixos/github_ssh_priv_key.age
+++ b/reference/secrets/nixos/github_ssh_priv_key.age
--- a/reference/secrets/nixos/nix_config_github_pat.age
+++ b/reference/secrets/nixos/nix_config_github_pat.age
@ -1,27 +1,12 @@
 age-encryption.org/v1
-> ssh-rsa 4p6DaQ
-bQrpj5stBmy83Fk3M0sIno+WvcuNcc45JBUjlodontzHOig5ZduC26G8HXuegMVV
-RWgv2Go/S2Rpbyq+u+l8acDmWfNRQyhpi20d+Erei4pYIBP0NvRntdCUDqcJNlI5
-pFr6QbnUC6GI+zqobaRVJ3bg9DsNDb/HZHIkmZjLvO6uD2muAdLY9UdOQh0O/bKm
-1ZBAiBdtT3gZ2TWGk25XpCe+2If+aTsEHDBGOtjsofcaQgNG/+GEvpwSFopX80Nm
-IrfS9DB+bm0WHt6gh/5wRpyYteIv7+Bd/M3pa00OYXbWDjFBmulXGb8UQ4RNJiJz
-7ETRMHe50NTqxyOZC0iJ6GIr7zEbbpwEM5BCoat8R4VPZs5zJ8OUG2G0QfwD29nA
-TlHVZT2wJP4xrjdmS9wUofLknRsEFxNWEjenibhrCSz837RS+z/Pvi4/+PTVwpQs
-afQRK27wbMZpFkfxaZz5q6Xn+qWCFh8H8X0Ke78ycm4LvC0wjTR0DE705JC6F67c
-
-> ssh-rsa pv6HEg
-aKV2D6LoyPgaHnCQxsRDZ7dz1wuyz6VCNocsdZluwxwuO3z+SFhrc/4gg4iL6iMF
-ENr2MznrXddXBWdhap9L6RmJt4YbjSolxBmI/cHwCmFGZEeAPsOjX21bdCCHB7D9
-8lf0Fqjs4D1SC5djPqTFQJV8AIvkdsTF53bf9ZnN1s28Tpvvx/x4kwhiqR9v7DGc
-gi4K0ClBW711+wvzzkPAnn0oklYrbcuZNGwTW7t8TG+hmF2o0aHB1kJ4ngMn6LUb
-E5WlIy3ykYlGCd0sfognRYIrQwjqq4VQACmnQ+Fh/F43GxWCTruF5GejcRew1zDu
-+W+L9Z4A+rR/5E5Xjt4isGFYxEsnyYwH5Dvj1M1ANAU8VMS1H30YTAuL57WXih9p
-RrWadNdW1uxvZHysyEWDa9j3wBbh0b0HhDYJAtFeJcB8IAzNnyBLXWFYukISZ6Rc
-qylG2DhtzqdyUi08socUQ/okL0FIbbMLT69faPbgkJk+w5iTCL8ZA9AMMKnN9a3z
-11nXmgqTf1zTJe5Z6o9C3eLMiKlWvIrJ+WMbedBy/h6Qp9IdNnGEk6FCjrV1lxlr
-UIvpSEsOa7vscKKiAaRcQ+Uq7Kqn2OORdcPJXJd5n817ziAOtglX6K2OSpIoAnOY
-KE7xOTN+fQq5Yw61UaP3Nl25Zns5u4sQAzhHjIBmoEw
--- cZ6bbJKB4uN0RX9l0MWaH0Hgr81cGxhnMTgSuVKUfI4
-qÀRpŒ[µ0*CÕ»Ï;oø·Š½‹Q
¨
<0A>><3E>—
-Ñ‹¦Bóu<EFBFBD>æ[j˜"/†=±‚.€VÝnmx°¦†öƒÍŽÁ
-û:‚TTŸƒºjŸ<6A>"+<2B><>2ËÝ×„iPM€O¸vÄ–)Î$\ëV¦Ñ0Ñ_È½§€Næšˆ^€‹Ó*Y(d“R;€-ûÍ™™Z'o\øY¨5-
+-> ssh-ed25519 ouRmYQ LcJhXf7RDzV69B18oyBQalIa7PuxKvgWf8WsQqS2QXQ
+FEAVwjc/S8FzBtBlVTNmnYiEBeqLJ1BgFlGGCCSKAFA
+-> ssh-ed25519 lpWvhA gPmCbveLyfreFJBiSiwaA0PUwaPoWR3oxj6bcDCR32c
+z9PqoqZB4oExgdGHFczW/GfFXCwUAdX2y/6+OrAsvW4
+-> ssh-ed25519 KcJLrw L0AgAq8eYHi4/DmkqpTa6zPachBjzALJDPmTw0ZvZkc
+OSeCrAA5cqyO+vldzWhtXqqbn/BMQRkvZMjB5hnDF2E
+-> ssh-ed25519 0Pd3rA VwOeP0xx3Dl1pFDeBnqLfMjuvHJo9JLNv1HWP4pYIyo
+u00jU8gTl5i9CcPEm8erkzVv8arX5FnMZS3hCYA1TPE
+--- kpytaizU3BFiS+wK5Pwb2t09GtV4EZSc0AZexkFxxRE
+X<EFBFBD>á(7!ñ@ž%¼Á{â\Dþ'¼–ì¼>åÑš<C391>ØµÎ’
+)ËHk%h&¿%\$–èìñ=‹ÊQvìÀ($V/ò×´hËÕÕãOŠöüEÜîÛllb¸—® >Ý‡ìO4ÆU(ä®Ù|áŽ‘þÇ*ß·¦1M<>ÅcËÎ4ûs 9W“±T”ú&Ë.5©+»Ê²Ã—BIQ
--- a/reference/secrets/nixos/secrets.nix
+++ b/reference/secrets/nixos/secrets.nix
@ -1,11 +1,7 @@
 let
-  youwen = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrIRHcvh0fxYNc0sukl8nSGRU8z1RjRmuc20iuk9TUqAxeew+0pSvY9lU4vshhrcGUe2OKIxgKJ76xdfGRw5ofmmd5Fr4If6tzWAWdE6Jr3J/w58YL6/ISOyRwjTserjWFIaO41y9OuLzf3UtzBF/1zexnGwq2lMJ7MAi0JNJ5O+umgrcnF1BDWyw7ymVkiQTruJ3LV2XgJDpOKQlFnVGKgYyMgVGeGYjiZO9Sj8edq1ZFeEH1jN5TnAdnqsiwhFgZpCrBxFFZKohuQLyH+QaOmBsdgSZwsg4Prndtxp5GTrknupPCgEWJ1rgvykEchYajeWQLxyeW/O/4iSST7VLKS7dgzUHZ5Dxf/QP1iCSeJqCIIJssuIslMK1vYmJZYk098ZDlLrFCLepQqy0YGvZe4OVP4BK4UNu5DKKLTpPNwDnyf1NSNTT2q2TsWXKWBDl1eurX9MBR24ZQEoP0gvcnTKr+2rheOTWJ5asDswEWphp5zQxBjztPGe55H0zjnqk= youwen@demeter";
-  users = [ youwen ];
-
-  demeter = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDdcVbgUyQb+W3UjmYb3K9l9jkq/NkTSWAGFUJczJ07kEAg9nUUEfU6RGMCzCEbwWsVpNZysRfef6nxerQBcKiRz/bLUocFl/80ZoylQuxkWU8cvGdImFCtP76YKoVNwuHS0R31Qi90zQLnxs1oLmULSACH6Mw7+suYkVtH1prQdUHdx2bcOPqFk8Qpm8WuRNHxEbrFNuHNarHF3XHo/iIgJh8OeMbwE+MtoZCSfPMEnWGg4nKal3fQ3GO21wUyIZIZrSCMiYKzfvWrlLhd8rkKbGp+VRNe3m5q7k5p+pGSJMYHTRaGwOGY92L+GJOjjr/HrloINiEMC82zmUWctXQhK+4ni3ssPmOesEblfr9tXfwU0Xh0zNhqeljw/ptaZrM3k/yMW4h1DgI9BeBwcNcYqaHLwX6IqG5b8XxI+/JQniQmZIZM+kBx6GyZFrPxM84XWxhwjRKnn4oBU8kVn3RBlNwz3AFIjGpOh86Rd343X8Q6JbrMT/z17bL6StKXZfUFqgOWEs/JJEHT/DWKL2zF2ppqa5ZuJhzevrtKfAxomURXnQ77MPCUtbo2PFHmcl3fUD+yS2GD/8a492rUlCG2d5FS7KfW3L9rQwTnNBqQMGUu1Uc6qz5LWLEF7yoBtdKKZ3Y4lyPP3/lAQPs5j0Jx+coBdySca3xrmmvMj4/aIQ== root@nixos";
-  systems = [ demeter ];
+  keys = import ../authorized_keys.nix;
 in
 {
-  "nix_config_github_pat.age".publicKeys = users ++ systems;
-  "github_ssh_priv_key.age".publicKeys = users ++ systems;
+  "nix_config_github_pat.age".publicKeys = keys.all;
+  "github_ssh_priv_key.age".publicKeys = keys.all;
 }
--- a/reference/users/youwen/secrets/github_cli_secret_config.age
+++ b/reference/users/youwen/secrets/github_cli_secret_config.age
--- a/reference/users/youwen/secrets/github_ssh_priv_key.age
+++ b/reference/users/youwen/secrets/github_ssh_priv_key.age
--- a/reference/users/youwen/secrets/secrets.nix
+++ b/reference/users/youwen/secrets/secrets.nix
@ -1,16 +1,13 @@
 let
-  youwen = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrIRHcvh0fxYNc0sukl8nSGRU8z1RjRmuc20iuk9TUqAxeew+0pSvY9lU4vshhrcGUe2OKIxgKJ76xdfGRw5ofmmd5Fr4If6tzWAWdE6Jr3J/w58YL6/ISOyRwjTserjWFIaO41y9OuLzf3UtzBF/1zexnGwq2lMJ7MAi0JNJ5O+umgrcnF1BDWyw7ymVkiQTruJ3LV2XgJDpOKQlFnVGKgYyMgVGeGYjiZO9Sj8edq1ZFeEH1jN5TnAdnqsiwhFgZpCrBxFFZKohuQLyH+QaOmBsdgSZwsg4Prndtxp5GTrknupPCgEWJ1rgvykEchYajeWQLxyeW/O/4iSST7VLKS7dgzUHZ5Dxf/QP1iCSeJqCIIJssuIslMK1vYmJZYk098ZDlLrFCLepQqy0YGvZe4OVP4BK4UNu5DKKLTpPNwDnyf1NSNTT2q2TsWXKWBDl1eurX9MBR24ZQEoP0gvcnTKr+2rheOTWJ5asDswEWphp5zQxBjztPGe55H0zjnqk= youwen@demeter";
-  users = [ youwen ];
-
-  demeter = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDdcVbgUyQb+W3UjmYb3K9l9jkq/NkTSWAGFUJczJ07kEAg9nUUEfU6RGMCzCEbwWsVpNZysRfef6nxerQBcKiRz/bLUocFl/80ZoylQuxkWU8cvGdImFCtP76YKoVNwuHS0R31Qi90zQLnxs1oLmULSACH6Mw7+suYkVtH1prQdUHdx2bcOPqFk8Qpm8WuRNHxEbrFNuHNarHF3XHo/iIgJh8OeMbwE+MtoZCSfPMEnWGg4nKal3fQ3GO21wUyIZIZrSCMiYKzfvWrlLhd8rkKbGp+VRNe3m5q7k5p+pGSJMYHTRaGwOGY92L+GJOjjr/HrloINiEMC82zmUWctXQhK+4ni3ssPmOesEblfr9tXfwU0Xh0zNhqeljw/ptaZrM3k/yMW4h1DgI9BeBwcNcYqaHLwX6IqG5b8XxI+/JQniQmZIZM+kBx6GyZFrPxM84XWxhwjRKnn4oBU8kVn3RBlNwz3AFIjGpOh86Rd343X8Q6JbrMT/z17bL6StKXZfUFqgOWEs/JJEHT/DWKL2zF2ppqa5ZuJhzevrtKfAxomURXnQ77MPCUtbo2PFHmcl3fUD+yS2GD/8a492rUlCG2d5FS7KfW3L9rQwTnNBqQMGUu1Uc6qz5LWLEF7yoBtdKKZ3Y4lyPP3/lAQPs5j0Jx+coBdySca3xrmmvMj4/aIQ== root@nixos";
-  systems = [ demeter ];
+  keys = import ../../../secrets/authorized_keys.nix;
+  inherit (keys) users;
 in
 {
-  "youwenw_app_password.age".publicKeys = users ++ systems;
-  "youwen_ucsb_client_id.age".publicKeys = users ++ systems;
-  "youwen_ucsb_client_secret.age".publicKeys = users ++ systems;
-  "tincan_app_password.age".publicKeys = users ++ systems;
-  "github_cli_secret_config.age".publicKeys = users ++ systems;
-  "github_ssh_priv_key.age".publicKeys = users ++ systems;
-  "youwen_dev_ssh_priv_key.age".publicKeys = users ++ systems;
+  "youwenw_app_password.age".publicKeys = users;
+  "youwen_ucsb_client_id.age".publicKeys = users;
+  "youwen_ucsb_client_secret.age".publicKeys = users;
+  "tincan_app_password.age".publicKeys = users;
+  "github_cli_secret_config.age".publicKeys = users;
+  "github_ssh_priv_key.age".publicKeys = users;
+  "youwen_dev_ssh_priv_key.age".publicKeys = users;
 }
--- a/reference/users/youwen/secrets/tincan_app_password.age
+++ b/reference/users/youwen/secrets/tincan_app_password.age
--- a/reference/users/youwen/secrets/youwen_dev_ssh_priv_key.age
+++ b/reference/users/youwen/secrets/youwen_dev_ssh_priv_key.age
--- a/reference/users/youwen/secrets/youwen_ucsb_client_id.age
+++ b/reference/users/youwen/secrets/youwen_ucsb_client_id.age
--- a/reference/users/youwen/secrets/youwen_ucsb_client_secret.age
+++ b/reference/users/youwen/secrets/youwen_ucsb_client_secret.age
@ -1,26 +1,7 @@
 age-encryption.org/v1
-> ssh-rsa 4p6DaQ
-p0c0dK2Vlgj+nPitibtXJuzRr3g5crae4CS/6OH18WQkqb8tzaWRw1ZXxS/7nxGD
-MCk8PcVEhgdysS1cwrgrycpUp02LMxUp1zTc8ML0Cemv93hnaVINgNGb9DWiGBXH
-v8//XUeNpBs4oGkC9RWb9HDgBlgzpTH0XYUwqDBRT9ltn5nki5YvxM4powiOf8IG
-SdUTE2hbRYhaQOEm5A41z4XQ+WAKlehwP2wn0yJDrW8rDXjSK5PEHyhONXJX1QuM
-XvS60Vz/vWqyVnUL5UdsW1XjXdQRu9kn8vzDUINeUeqXN2A89xVlYovH3n9dVzFs
-J2Bq6HhDAMl1TxbEIVcL/ufYjDK+tBkDa66SYtBV/FeIIAMGQ2Kbw+OwLqbjehZN
-p7/TGAlKc+HsMVm455l7rTOqSSfJHKik2iFBGhVXoSF+fZu3stOqdnHAk13164+s
-/9U/50xgyUNEMmVYdebvtBY2DCWqvgwIMXtm3RUItizyrc1gQLLy/3/mlDiWBPu+
-
-> ssh-rsa pv6HEg
-jpXa6cht5Ys/XSorbSdXKEahM4VgyseILKd2zIDQEF28tbQgpvzojVxctAjK7YFa
-ZVqmwdA+9vK1KEUg/qEfqqkaqo6MlnBgmUTe0VRMbvW45G6eN0/ky5hC3Mz5FUUn
-G1AxOTCkThSx1/4+JjcsvlUZsXrKe627grrgZu2891XsISTjBxu/+Iiaok9f8rvL
-q/JGkg2YL1DlcV4ZecEIHSNq5ysEp9had6SJz9e1/hSAWZVnTCyZc2gYn0ZUUKx5
-gRD/PQpdgIvG1SJcn3snDkiAyolYLzhJ6BQUfnVIX77Q6nkwooUXbYq2fOEUMZVp
-vHhpOrwBC1J+hgr+V6lGUtkui20Uqz6ouVKHxtcLEauxVVJPGiid0mSAsvFbcewx
-my5N9lYJYjMNw45kOAMgOragA246qM3ciVK2r6mq8ZPqY1t3UdmObMkrSysnn8Ks
-yNzB+MG3SHuLtS5q9Ex0epRq6ttKUCLWbfhcRsQ/+1WQSH98xTNR7q+6t/YLnnUj
-OZn09I3ZhLUk5hHraSdpuSB10f+SBqSroC54SChut/9VFk3kcolm4/rnldxwVvAg
-HZ6PGjEszP/qQzqsTivcxAmAZzQ2tJlpUWF6olmEnn8O9Qw/a4uOPhPj406OUJzI
-G6PV6OewbsjoJVKVAkC0BoM2Lg2P0pCilUa4MvlnwR4
--- pQ2bkSw35IPQjKNrfnj8Uvvb3lVDc6IuJpcbLwFmI7A
-p©'W?ÿ¨F˜
-¶q8»KØ(XÛp@2ŽzàÞu8³r¬œ6þ~(IO@ª¶Öü9÷’qÆKWËƒkpªIa‘À
+-> ssh-ed25519 ouRmYQ 1+lNK5IbFFikjqTNo3iMTnAigc4IuK9o5QLwTuC5RwQ
+h42XZCru60LAGVtDZ7W+flmLkz6PK43jWBi9/Lq92kQ
+-> ssh-ed25519 lpWvhA 4lgTQgn/iIdicT2wobAhiKR7axBe0MHZKqqeAsN0Aww
+9hwc6P68HkzVWHtlHs7Y7WDSWSesolxIGSheFfl4zI
+--- pmooYxJ75vGwgekLA0gwndejezn6NW8kpuxZTfX7Kzk
+ùŸOˆ^¢à9Ó9ü;8Ñ¢Ž¯pz¾73ººNóR†Bs´™4#ÈÖ!táÍÑóÎÈG!ü¯›Gg<1D>ÅWŠ&ŠRs
--- a/reference/users/youwen/secrets/youwenw_app_password.age
+++ b/reference/users/youwen/secrets/youwenw_app_password.age
@ -1,27 +1,7 @@
 age-encryption.org/v1
-> ssh-rsa 4p6DaQ
-G3vtF60a5f1UJt2RcDTYTQimSLwGKECFJhzHNbtZMc/UGlV0NiEWd2rbr/7OZ8r3
-NEQjex4/Q4xH3cvaorcz2k2cO2smAwO+pDR44HLe7688N4OIYGBSnJ5wYJcpBmWg
-AJMOSaCFPJE5y2R38+9CGPPJIaUZqjvVzhEXjY5bUuiGp+af2sjoWi6PkG3f+7UK
-KjIVcBPyHoUy1IV9teSja9wPjHuaV/hVaPjvz/tTL4RbmsMQ/31VQjjTfX+tGIfO
-VeY87+r/RG5aYcukV5SC9wH1PELKAgtlN98IXofXuy8SlasFkBfFgDgA7ihdNAig
-OL5tInwds3NucozRBKfCSFcn7aOdKoAvuEto9MKpGg4Y78a4ERnL1oktkglir8VS
-0jGl0yb1XBjYNMPAX0EIkQjTpr6D+KQeAI76/JPliVJUZ8Wq1BX2Z+RStB6nDOtt
-HQcCtKxbOVwb64WBn8eb9hMM83PJSardNHNcREwlGbhnkc06CcM49hK/vJrxts99
-
-> ssh-rsa pv6HEg
-Y+1vBBwaHsCXdZKRbGbYp2mWztFZBguLRbi0bMzvmtBOrxqYCtGJbRhNmBGHMqg5
-EKl8ei/pFgn7n5B34/JCLXvgWko120Wy3kCSDMxm+GnI8n8LKQZQgPlX++fWGsXh
-GUkoR5VPZ6kuWDNpO11ll8cBNKwDD7VwVwUNMGRIen2EC2efKw7GbCdgx9vcmuyZ
-MQnQK2cqq99UjdeIAj0SqcoH+ro6qy+QFafoxOrNCksR9uVG7Kn7AFe/ZKk/DPO5
-CbuaaCrzI9G0qpLwYMf5GkMMrpP/9j8xVgMIHFRi/xxw3hnSTmxTFEpzZtfYboyA
-QXEBWloH70lzukAu2cOslEAzbwSVCkkpm3Sw0LRjl6oXeV5uGWPW/Q929oW9Jqtf
-57FIdPXd3H4xkFVuuFrKXcVdyqU5WRfw/y/Y4mJouQDs1gxYs7zlg2oeoY6nw9Mr
-+Yo1cya3bg2DmiIl03VuzU7XDxDQF1/MLDvBfy5fpEapMJC9Rj+scSI75SHSiGOw
-pOQWmN7AkzvLmB7c7oblvShGQ8GULmtTTd/nPe7u/sJcWucVWEOu8EzOnjnWuF1N
-M7uhn+sOXSuJPhrAFq68JpWq7Bu+rWvLnAsXYtwRfrDprFU/On+NT4YiFop314hg
-/IuPprAkYS5okHbnNMri3PNHvfsusIXFDJELkkT3o6k
--- 6BSSYjyfkhihYDsLHPnwg32tVau6KY6MQ8SIcf6LP3g
-ôc–D%‡Á¬ù4@—=Fsö
-.‰]®x![ŸY´`}1†Í1|2¨
-
²žpÛN¨
+-> ssh-ed25519 ouRmYQ HA4fOUuNkgvdhayKRgFBN5Onx8JaiviH/B5dyhWkYjo
+JbRU9MDFgWQKRodFBcgQhw9ZgWVsGlFybC7QkmPGDgg
+-> ssh-ed25519 lpWvhA RzVnFcTiWPXIOYodeaya9SonrgcosDvEQUWONIQd+GM
+vebx1nyZwN1/ZoQ/y3pQ4idOzmAFE+E1y0v7ulEw1b0
+--- ebSru9WM9TLwhc8ezWE/vfn5kMBxlJm+ny2ylAn148g
+]ü/=³_’#†,Şª¼ààÎ–u VWš—=2L:Vo,çÏ$)Ô´Şqúzò{İzr£j