add backup secrets to config for hosts

2022-08-07 12:50:07 +02:00 · 2022-08-07 12:50:07 +02:00 · 3fccfe3b67
commit 3fccfe3b67
parent c43341a8b2
25 changed files with 242 additions and 75 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "nixpkgs": [
          "myNixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1652712410,
        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "doom-emacs": {
      "flake": false,
      "locked": {
@ -580,6 +600,7 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "homePage": "homePage",
--- a/flake.nix
+++ b/flake.nix
@ -28,6 +28,10 @@
    recipemd = {
      url = github:dadada/recipemd/nix-flake;
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "myNixpkgs";
    };
  };
  outputs = { ... } @ args: import ./outputs.nix args;
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -1,5 +1,7 @@
 # TODO refactor adapterModule and redundant module config
 { self
 , admins
 , agenixModule
 , nixpkgs
 , nixosSystem
 , home-manager
@ -8,6 +10,7 @@
 , nvd
 , scripts
 , recipemd
 , secretsPath
 ,
 }:
 let
@ -23,17 +26,16 @@ let
      ];
  };
  lib = nixpkgs.lib;
  adminConfig = users: {
    dadada.admin.users = lib.getAttrs users admins;
  };
 in
 {
  gorgon = nixosSystem rec {
    system = "x86_64-linux";
    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
        (adapterModule system)
        agenixModule
        nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
        home-manager.nixosModules.home-manager
        {
@ -52,34 +54,38 @@ in
  };
  ifrit = nixosSystem rec {
    system = "x86_64-linux";
    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
-        (adminConfig [ "dadada" ])
+        agenixModule
        (adapterModule system)
        ./modules/profiles/server.nix
        ./ifrit/configuration.nix
        ./ifrit/hardware-configuration.nix
      ];
  };
  surgat = nixosSystem rec {
    system = "x86_64-linux";
    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
        (adminConfig [ "dadada" ])
        (adapterModule system)
        agenixModule
        ./modules/profiles/server.nix
        ./surgat/configuration.nix
      ];
  };
  pruflas = nixosSystem rec {
    system = "x86_64-linux";
    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
        (adminConfig [ "dadada" ])
        (adapterModule system)
        agenixModule
        ./modules/profiles/laptop.nix
        ./pruflas/configuration.nix
      ];
@ -87,11 +93,12 @@ in
  agares = nixosSystem rec {
    system = "x86_64-linux";
    specialArgs = { inherit admins secretsPath; };
    modules =
      (nixpkgs.lib.attrValues self.nixosModules)
      ++ [
        (adminConfig [ "dadada" ])
        (adapterModule system)
        agenixModule
        ./modules/profiles/server.nix
        ./agares/configuration.nix
      ];
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@ -1,6 +1,7 @@
 { config
 , pkgs
 , lib
 , secretsPath
 , ...
 }:
 let
@ -50,10 +51,6 @@ in
      };
      vpnExtension = "3";
    };
    backupClient = {
      bs.enable = true;
      gs.enable = false;
    };
  };
  boot.kernel.sysctl = {
--- a/nixos/ifrit/configuration.nix
+++ b/nixos/ifrit/configuration.nix
@ -9,71 +9,12 @@ let
    "media.dadada.li"
    "backup0.dadada.li"
  ];
  backups = "/mnt/storage/backup";
 in
 {
  imports = [
    ./hardware-configuration.nix
  ];
  dadada = {
    admin.enable = true;
-    ddns.domains = [
+    borgServer.enable = true;
-      "backup0.dadada.li"
+    borgServer.path = "/mnt/storage/backup";
    ];
  };
  users.users.borg.home = backups;
  services.borgbackup.repos = {
    "metis" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/metis";
      quota = "1T";
    };
    "gorgon" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/gorgon";
      quota = "1T";
    };
    "surgat" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/surgat";
      quota = "50G";
    };
    "pruflas" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/pruflas";
      quota = "50G";
    };
    "wohnzimmerpi" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/wohnzimmerpi";
      quota = "50G";
    };
    "fginfo" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/fginfo";
      quota = "10G";
    };
    "fginfo-git" = {
      allowSubRepos = false;
      authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis" ];
      path = "${backups}/fginfo-git";
      quota = "10G";
    };
  };
  networking.hostName = "ifrit";
--- a/nixos/modules/backup.nix
+++ b/nixos/modules/backup.nix
@ -19,6 +19,7 @@ with lib; let
    "/sys"
    "/tmp"
    "/var/cache"
    "/var/lib/machines"
    "/var/log"
    "/var/tmp"
  ];
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -0,0 +1,81 @@
 { config, lib, admins, ... }:
 let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.dadada.borgServer;
 in
 {
  options = {
    dadada.borgServer = {
      enable = mkEnableOption "Enable Borg backup server";
      path = mkOption {
        type = types.path;
        default = "/var/lib/backup";
        example = "/mnt/storage/backup";
      };
    };
  };
  config = mkIf cfg.enable {
    dadada.ddns.domains = [
      "backup0.dadada.li"
    ];
    users.users.borg.home = cfg.path;
    services.borgbackup.repos = {
      "metis" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/metis";
        quota = "1T";
      };
      "gorgon" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/gorgon";
        quota = "1T";
      };
      "surgat" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/surgat";
        quota = "50G";
      };
      "pruflas" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/pruflas";
        quota = "50G";
      };
      "wohnzimmerpi" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/wohnzimmerpi";
        quota = "50G";
      };
      "fginfo" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/fginfo";
        quota = "10G";
      };
      "fginfo-git" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/fginfo-git";
        quota = "10G";
      };
    };
    systemd.tmpfiles.rules = [
      "d ${cfg.path} 0750 ${config.users.users.borg.name} ${config.users.users.borg.group} - -"
    ];
  };
 }
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,6 +1,7 @@
 { ... } @ inputs: {
  admin = import ./admin.nix;
  backup = import ./backup.nix;
  borgServer = import ./borg-server.nix;
  ddns = import ./ddns.nix;
  element = import ./element.nix;
  fido2 = import ./fido2.nix;
--- a/nixos/modules/profiles/backup.nix
+++ b/nixos/modules/profiles/backup.nix
@ -0,0 +1,11 @@
 { config, secretsPath, ... }:
 {
  dadada.backupClient.bs = {
    enable = true;
    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase.path";
    sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key.path";
  };
  age.secrets."${config.networking.hostName}-backup-passphrase".file = "${toString secretsPath}/${config.networking.hostName}-backup-passphrase.age";
  age.secrets."${config.networking.hostName}-backup-ssh-key".file = "${toString secretsPath}/${config.networking.hostName}n-backup-ssh-key.age";
 }
--- a/nixos/modules/profiles/laptop.nix
+++ b/nixos/modules/profiles/laptop.nix
@ -4,10 +4,16 @@
 , ...
 }:
 with lib; {
  imports = [
    ./backup.nix
  ];
  networking.domain = mkDefault "dadada.li";
  services.fwupd.enable = mkDefault true;
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  fonts.fonts = mkDefault (with pkgs; [
    source-code-pro
  ]);
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@ -1,9 +1,16 @@
 { config
 , admins
 , pkgs
 , lib
 , ...
 }:
 with lib; {
  imports = [
    ./backup.nix
  ];
  dadada.admin.users = admins;
  networking.domain = mkDefault "dadada.li";
  networking.tempAddresses = "disabled";
--- a/nixos/pruflas/configuration.nix
+++ b/nixos/pruflas/configuration.nix
@ -103,6 +103,7 @@ with lib; {
  };
  networking.domain = "dadada.li";
  networking.tempAddresses = "disabled";
  users.mutableUsers = true;
--- a/outputs.nix
+++ b/outputs.nix
@ -9,13 +9,18 @@
 , nvd
 , scripts
 , recipemd
 , agenix
 , ...
 } @ inputs:
 let
  secretsPath = ./secrets;
 in
 (flake-utils.lib.eachDefaultSystem (system:
  let
    pkgs = nixpkgs.legacyPackages.${system};
    selfPkgs = self.packages.${system};
    formatter = self.formatter.${system};
    agenix-bin = agenix.packages."${system}".agenix;
  in
  {
    apps.nixos-switch = {
@ -51,7 +56,7 @@
        $link/activate
      '');
    };
-    devShell = pkgs.callPackage ./shell.nix { };
+    devShell = pkgs.callPackage ./shell.nix { inherit agenix-bin; };
    formatter = nixpkgs.legacyPackages."${system}".nixpkgs-fmt;
    checks = {
      format = pkgs.runCommand "check-format" { buildInputs = [ formatter ]; } "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out";
@ -63,9 +68,10 @@
  };
  hmModules = import ./home/modules inputs;
  nixosConfigurations = import ./nixos/configurations.nix {
    agenixModule = agenix.nixosModule;
    nixosSystem = nixpkgs.lib.nixosSystem;
    admins = import ./admins.nix;
-    inherit self nixpkgs home-manager nixos-hardware nvd scripts homePage recipemd;
+    inherit self secretsPath nixpkgs home-manager nixos-hardware nvd scripts homePage recipemd;
  };
  nixosModules = import ./nixos/modules inputs;
  overlays = import ./overlays;
--- a/secrets/agares-backup-passphrase.age
+++ b/secrets/agares-backup-passphrase.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 L7f05w zuSOhGaD5loTrVe42D+9wisBe9uLPVk4jB04aNOnVkE
 TPkwqjoryGxiw02PJEOXTU/Ypt3ux5DG0df2FmLVCY0
 -> ssh-ed25519 Otklkw I6aDhKl2KS+JLkKzh1Wh2dlCHsjFaQpfoNvsoudBF38
 HsSCHtawaNCyhd5p8mdXQGiMidCp2PtFydES4frjGY0
 -> C'Lx21-grease "Ab:ca- #
 /jYss39MTt1fbOK1t7s
 --- ulSvMSFv1Ow1k20uMbgeQCO62S8wRNtuWuJVkjAlx/4
 u„¼(6'ò4á0½¨Ë°£9)ßU^np5›:ïËÍtdD§æMÓò…å?OD×ÄZÏøZ÷39Á6ÈlüÐÒ
--- a/secrets/agares-backup-ssh-key.age
+++ b/secrets/agares-backup-ssh-key.age
--- a/secrets/gorgon-backup-passphrase.age
+++ b/secrets/gorgon-backup-passphrase.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 0aOabg 2h4VEFdhUUGkviD4i0wm3NL9944guan9O0BDoz/7mGQ
 D9clRO4ibGPMMA5KLOXU9CPlNSulZA9RmKelxUKqy4E
 -> ssh-ed25519 Otklkw kG8jXHeM2kYTBTpYfo2N4V/hJx2HdLPlgAXTZRKJmR8
 fesI+DSgCTMIY1pLJMx0q86+va3dF1ZFj3kRK+O0MIc
 -> Z7_:1-grease 17g=iG^I #3%B ,.5lz
 6YSTWBwtchUxqxCR2EvUic+OfO+XByzyqirtt8hW8eFdF/blR4McETrV3lb6n+xW
 8SyICmVL60yGj3QDZWmus/FV8xaXh5hSJLqGNtwPdiM82mez
 --- klL1U0W7ki7TRcM/lDsoR+/facAm7PDKTEw7bPWUmvc
 L÷F™<46>7[j?EDc™(ÂÍT±4e„i9—Çˆ6Câs`å8ÿÚ¨2§à"X«5Šø©Yã´ûnB‡ÔáK
ŠšÇm0nÄ?	`ˆ^ÉYWyøc€¦
--- a/secrets/gorgon-backup-ssh-key.age
+++ b/secrets/gorgon-backup-ssh-key.age
--- a/secrets/ifrit-backup-passphrase.age
+++ b/secrets/ifrit-backup-passphrase.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 yMjj5g V9rC+0UIZO6GMFXjsoF3qvSkEnc3iHaqsv9yQHg6XWg
 lLkAndMDp8blMYJqviD+6H4l2uEqzsP9fsr8sZVCdXk
 -> ssh-ed25519 Otklkw ehLzOysl9JmqPb0MuaSwg8MvNnPg44807PGyMsh5hhA
 pf8vtXa85gF1XL2Xm1zCaAzDdCaebNFpZC1wm7lnUCg
 -> #|)e#-g[-grease
 UPUrPqT4ez2irVMxwsVYiAhM6pEaAzWt8RYNWzMtARHsTDLU9J17+x4
 --- rigjthxdwl7djFf8pSoQuZEZfWLsMa0oWLplrQMOe7c
 <EFBFBD>ý
 ˜ü6.Ç=ße	Â}ÛoŒ¾‹ì(<28>9Ë
 ÒµdÀïCÓïÉ«ùV¶š‡…¥9¾z—Ü§Î%J•ßRÒ<52>D_¡
--- a/secrets/ifrit-backup-ssh-key.age
+++ b/secrets/ifrit-backup-ssh-key.age
--- a/secrets/pruflas-backup-passphrase.age
+++ b/secrets/pruflas-backup-passphrase.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 thf/Uw PPtflHayBrV0oWfJQr6RW9nJphdVFI9S5XjI+kmRe1M
 fnwzt27PMwUYMqS25Z+0zxouC27KjeXaIbN4dYZPRLA
 -> ssh-ed25519 Otklkw Ko14b+XMTZHVXMRN/JrfwTUrZA8ndj7bfaxe4O8/BCY
 zRt6bLCbZPhoxKuLDglex2SpDwjUxyP6eKFaHzc0zu0
 -> /:G-grease c5#5Vm+\ KX,
 nljmCZ+NP2fbmIjzA/OiL4i4A2+UPRBf3KrXe3C6/lJaxiRggeXqdrucy/lLNjda
 Y8emrCT5o7DfryEo3QGUQkPujBgUgYvcB4Q/XlaWaLBcsSnW2D4eZQ
 --- SYKRV9hejrBWXgVt8pCRKcTxFNljA2IIFkONLn8+nuo
 5J-òª·	épô³cÜmJ|ö¸Š!Þ®¨@ñí™…<E284A2>à…T]„Ô=<3D>&;Ë5}=9<>ûª§§Ì½y‚é
--- a/secrets/pruflas-backup-ssh-key.age
+++ b/secrets/pruflas-backup-ssh-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,20 @@
 let
  dadada = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+bBJptw2H35vMPV7Mfj9oaepR7cHCQH8ZsvL8qnj+r dadada (nix-config-secrets) <dadada@dadada.li>";
  systems = {
    agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos";
    gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon";
    ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos";
    pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJKnYOgzxZ4DAeFL88MhIVtNmMEHMQhi/pNJDbwFWOJW root@pruflas";
    surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
  };
  backupSecrets = hostName: {
    "${hostName}-backup-passphrase.age".publicKeys = [ systems.${hostName} dadada ];
    "${hostName}-backup-ssh-key.age".publicKeys = [ systems.${hostName} dadada ];
  };
 in
 { } //
 backupSecrets "gorgon" //
 backupSecrets "ifrit" //
 backupSecrets "pruflas" //
 backupSecrets "surgat" //
 backupSecrets "agares"
--- a/secrets/surgat-backup-passphrase.age
+++ b/secrets/surgat-backup-passphrase.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 jUOjpw U3EPRp3r/aE8kSb+D4kd3F2pJyyPgrG13KvJ4ImavUQ
 lsWg2WW/nC9FT0JrZfhXPHcHduPfd+wm/vktSpUbRBY
 -> ssh-ed25519 Otklkw +Ic/y3KF0l4/hlFGSRCJEQ+HsK1U9eZusMhSsBuIsDc
 QE2W7F9fg49UlX3n0baZVEoq9zsahcEr5oEzOk12FMg
 -> +'GD%5-grease |:[SW0@b c 36`)g
 rvXcBtMeumpqo2OKg4q5wvvIDkCqlnwbdPEzJSqsEXXI2LenSbV0NM1mVjCXyvvr
 4pwDLhQkRnQ3DkftGp3veOluxRLmmg
 --- PMICHLb+oVMRdtD93FZyDc6lWL35bjvF1QWJYXhP2IY
 `õv=ôb>ÏØ”ÈÏmÂ²äò^Ôèùù¡q§5Îù´¯<C2B4>Ñ9™üs®ƒ2¨c"Jåðçµ5[»qR±zj-
--- a/secrets/surgat-backup-ssh-key.age
+++ b/secrets/surgat-backup-ssh-key.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 jUOjpw tm81EffU7KnPZZwEg1qy/fNr8leqD2y0oJcR5CWXTCs
 Rnby8Wipp9jwYmbc0UskdYMRxYQ4t9Yhxa498Wsn8jc
 -> ssh-ed25519 Otklkw q99wMvDcRSZzW5Zu7QtJO9ThlyYKpUBf1Rn9w+j7f2M
 3aqp1If/L7Db7ikXwBlqsAbKTdcozDat+on9jQip+Zg
 -> t1"Uq-grease WXdB"'
 EUhZx0b3UqMCazu+zjPWOfWNs8s+rRWyyZh3TvvvYs5fLNJJzSAfAXbG17zfhHMP
 DgBwNaTjSvwhMjqAiBYafAbsIzuwxp4bcZA3jRQ+FMUerwhWhHrw
 --- sZ0GULTVh54+TtUY+oOfgicZmiDB6RCavVjWkSR7A7s
 ë+O€!pÓ¢W¦RÛ?õÿ/dù"ŽÛ%a6ßHm»dY¹W¢Å„íR
JÉ|ÌðÓ·¿Î?P2HÏ<>´”å+²é€j$0¿<05>Ð§“SoUBæ?œ÷Z™'Cå-K
 á½lE(ÑýDÀÑØ±9—óÃë”EKÈ3öÐ»:O´XÙ
<17><>³R÷ž¨ð'«mXt}¬M
 Aç³ïÔörÎ]ô²Ú¥zApÿt°ÁC·z·l4r‚"3ÇéŸ¸Ø"3¯ ™L1E¬ÓWKÏÃŽýŸpÛxqß|dÚî$ð•rI’Fiš@ùZž|l$;¿‹Øë<C398>×B¥µEÅgìá˜8¦AŒö^< 7GÂñÑ%-º–™¢Øz›ÇoøéVWOE+Î’Ç<¡„ã]çq€<þÙ]ËÐrÌžlÁþä`PâÌ‘`™“:O&êýu*âŠÿ©Ê8fÕo §›U—
7ÄÓ²Å4ÏpVÂžìªÓ÷"p–ßCÅæyìG‡â¬—5Ù¤ßÙ€—9@iÑh4íµšTÙ5ni4³…?î<>!ç<>©
--- a/shell.nix
+++ b/shell.nix
@ -1,5 +1,6 @@
-{ mkShell }:
+{ agenix-bin, mkShell }:
 mkShell {
  buildInputs = [
    agenix-bin
  ];
 }