PlumJam/nixos - Change KOXYNEPMHOWPUOUDAIDAVC2ZPUCLFGN23BM6QJ4UIDGVN73SUO7AC

agenix: Use YubiKey and agenix-rekey.

No more secrets.nix.

Created by PlumJam on October 18, 2025

KOXYNEPMHOWPUOUDAIDAVC2ZPUCLFGN23BM6QJ4UIDGVN73SUO7AC

Dependencies

In channels

main

Change contents

File deletion: secrets.nix

BF:BFD[8.2] → [9.181:216]

BF:BFD[9.216] → [9.1:1]

B:BD[9.1] → [9.2:6]

∅:D[10.61] → [9.121:126]

∅:D[11.63] → [9.121:126]

∅:D[12.71] → [9.121:126]

B:BD[9.121] → [9.121:126]

∅:D[13.80] → [14.293:371]

B:BD[14.293] → [14.293:371]

B:BD[14.371] → [13.81:144]

B:BD[13.144] → [15.1:71]

∅:D[16.68] → [17.205:206]

∅:D[15.71] → [17.205:206]

∅:D[13.144] → [17.205:206]

∅:D[14.371] → [17.205:206]

B:BD[17.205] → [17.205:206]

∅:D[18.69] → [17.277:408]

∅:D[12.762] → [17.277:408]

B:BD[19.277] → [17.277:408]

B:BD[17.408] → [20.1:75]

B:BD[20.75] → [13.145:146]

B:BD[13.146] → [7.1:76]

∅:D[12.520] → [17.275:276]

B:BD[19.139] → [17.275:276]

B:BD[17.276] → [12.521:762]

B:BD[17.206] → [12.277:520]

∅:D[21.54] → [9.178:180]

∅:D[20.75] → [9.178:180]

∅:D[7.76] → [9.178:180]

∅:D[13.146] → [9.178:180]

∅:D[22.156] → [9.178:180]

∅:D[23.212] → [9.178:180]

∅:D[24.332] → [9.178:180]

∅:D[11.368] → [9.178:180]

∅:D[17.408] → [9.178:180]

∅:D[19.413] → [9.178:180]

B:BD[9.178] → [9.178:180]

∅:D[12.276] → [13.1:80]

B:BD[14.220] → [13.1:80]

B:BD[9.126] → [12.72:276]

B:BD[9.6] → [12.1:71]

let
in
{
	"hosts/plum/matrix-registration-secret.age".publicKeys = [ plum ] ++ admins;
  "hosts/plum/cache/key.age".publicKeys = [ plum ] ++ admins;
  "hosts/plum/grafana/password.age".publicKeys = [ plum ] ++ admins;
	"modules/acme/environment.age".publicKeys = all;
  "hosts/kiwi/github2forgejo/environment.age".publicKeys = [ kiwi ] ++ admins;
  "hosts/kiwi/dr-radka-environment.age".publicKeys = [ kiwi ] ++ admins;
  "modules/common/z-ai-key.age".publicKeys = [ yuzu date kiwi ] ++ admins;
	"hosts/date/id.age".publicKeys       = [ date ] ++ admins;
	"hosts/date/password.age".publicKeys = [ date ] ++ admins;
	"hosts/yuzu/id.age".publicKeys       = [ yuzu ] ++ admins;
	"hosts/yuzu/password.age".publicKeys = [ yuzu ] ++ admins;
	"hosts/kiwi/id.age".publicKeys       = [ kiwi ] ++ admins;
  "hosts/kiwi/password.age".publicKeys = [ kiwi ] ++ admins;
  "hosts/pear/id.age".publicKeys       = [ pear ] ++ admins;
	"hosts/pear/password.age".publicKeys = [ pear ] ++ admins;
}
	"hosts/plum/matrix-signing-key.age".publicKeys         = [ plum ] ++ admins;
	"hosts/plum/id.age".publicKeys               = [ plum ] ++ admins;
	"hosts/plum/password.age".publicKeys         = [ plum ] ++ admins;
	"hosts/plum/forgejo-password.age".publicKeys = [ plum ] ++ admins;
	inherit (import ./keys.nix) jam plum pear kiwi yuzu date all admins;

File addition: yubikey.pub (----------)

[8.2]

#       Serial: 12088237, Slot: 4
#         Name: age identity e86f5a7b
#      Created: Sat, 18 Oct 2025 19:46:03 +0000
#   PIN policy: Once   (A PIN is required once per session, if set)
# Touch policy: Never  (A physical touch is NOT required to decrypt)
#    Recipient: age1yubikey1qt6g7rrkjj222fn2rkds2h76r450df5j0s0r7sduysntqdsev7twxht7d3h
AGE-PLUGIN-YUBIKEY-144EMSQY9APH457CHQTN2M

Replacement in modules/matrix.nix at line 10 [14.560]
B:BD[14.789] → [14.789:824]
B:BD[14.824] → [5.7:62]
∅:D[5.62] → [14.873:938]
∅:D[25.729] → [14.873:938]
B:BD[14.873] → [14.873:938]
```
  age.secrets.matrixSigningKey = {
    file  = self + /hosts/plum/matrix-signing-key.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };
```
[14.766]
[14.938]
```
  
```
Deletion in modules/matrix.nix at line 12 [14.560]
B:BD[14.939] → [14.939:982]
B:BD[14.982] → [5.63:126]
∅:D[5.126] → [14.1039:1104]
∅:D[25.788] → [14.1039:1104]
B:BD[14.1039] → [14.1039:1104]
B:BD[14.1104] → [26.8:9]
∅:D[26.9] → [14.1104:1105]
B:BD[14.1104] → [14.1104:1105]
```
  age.secrets.matrixRegistrationSecret = {
    file  = self + /hosts/plum/matrix-registration-secret.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };
```
Replacement in modules/forgejo.nix at line 15 [27.3]
∅:D[21.229] → [19.417:480]
B:BD[19.417] → [19.417:480]
B:BD[19.480] → [5.158:210]
∅:D[5.210] → [19.527:550]
B:BD[19.527] → [19.527:550]
B:BD[19.573] → [19.573:578]
∅:D[19.578] → [27.197:198]
B:BD[27.197] → [27.197:198]
```
  # secrets for forgejo
  age.secrets.forgejoAdminPassword = {
    file = self + /hosts/plum/forgejo-password.age;
    owner = "forgejo";
  };
```
[21.229]
[21.230]
```
  
```
Replacement in modules/dr-radka.nix at line 13 [20.83]
B:BD[20.378] → [20.378:417]
B:BD[20.417] → [5.212:268]
∅:D[5.268] → [20.468:519]
B:BD[20.468] → [20.468:519]
```
  age.secrets.dr-radka-environment = {
    file = self + /hosts/kiwi/dr-radka-environment.age;
    owner = app_user;
    group = app_group;
  };
```
[20.378]
[20.519]
```
  
```
Replacement in modules/common/z-ai-key.age at line 2 [7.130]
B:BD[7.153] → [7.153:723]
[7.153]

File addition: yubikey.nix (----------)

[28.9]

{ pkgs, lib, config, ... }: let
  inherit (lib) mkIf enabled;
in mkIf config.isDesktop {
  services.pcscd                  = enabled;
  programs.yubikey-manager        = enabled;
  programs.yubikey-touch-detector = enabled {
    libnotify = true;
  };
  security.pam.services = {
    login.u2fAuth = true;
    sudo.u2fAuth  = true;
  };
  environment.systemPackages = [ pkgs.yubioath-flutter ];
  home-manager.sharedModules = [{
  }];
}

Insertion in modules/common/packages.nix at line 5 [30.4113]
[3.84]
[29.2247]
```
		pkgs.bitwarden
```
Replacement in modules/common/ai.nix at line 19 [29.3345]
B:BD[7.968] → [7.968:995]
```
    file = ./z-ai-key.age;
```
[7.968]
[7.995]
```
    rekeyFile = ./z-ai-key.age;
```
Replacement in modules/common/agenix.nix at line 1 [31.60]
B:BD[31.60] → [31.61:93]
```
{ config, lib, pkgs, ... }: let
```
[31.60]
[31.93]
```
{ inputs, config, lib, pkgs, ... }: let
```

Replacement in modules/common/agenix.nix at line 12 [31.60]

B:BD[31.263] → [31.263:303]

B:BD[31.303] → [5.4119:4334]

∅:D[5.4334] → [31.360:404]

B:BD[31.360] → [31.360:404]

  environment = mkIf config.isDesktop {
    shellAliases.agenix = if config.isLinux then
      "agenix --identity ${config.users.users.root.home}/.ssh/id"
    else
      "agenix --identity ${config.users.users.${config.system.primaryUser}.home}/.ssh/id";
    systemPackages = [ pkgs.agenix ];
  };

[31.263]

[31.404]

  environment.systemPackages = mkIf config.isDesktop [
    pkgs.agenix
    inputs.agenix-rekey.packages.${pkgs.system}.default
    pkgs.age-plugin-yubikey
  ];

Replacement in modules/acme/environment.age at line 2 [21.2885]
B:BD[21.2908] → [7.2234:3028]
[21.2908]
Deletion in modules/acme/default.nix at line 6 [32.41]
B:BD[32.180] → [32.180:181]
B:BD[32.181] → [21.3517:3580]
```
  config.age.secrets.acmeEnvironment.file = ./environment.age;
```
Insertion in modules/acme/default.nix at line 7 [32.41]
[32.241]
[32.241]
```
  
  
```
Insertion in lib/system.nix at line 21 [34.508]
[33.166]
[33.166]
```
    # inputs.agenix-rekey.nixosModules.default
```
File addition: rekeyed (d--x------)
[12.16324]
File addition: d84eefbeb5169c3af65e5abcc0891956-id.age (----------)
[0.1955]
File addition: 9f3374a93ab60bd7aa836bf0fc89d6bf-key.age (----------)
[0.1955]
File addition: 7d82a470ab41da124e216c236fa25afa-password.age (----------)
[0.1955]
Replacement in hosts/yuzu/password.age at line 2 [12.16342]
B:BD[12.16365] → [7.3066:3440]
[12.16365]
Replacement in hosts/yuzu/id.age at line 2 [12.17005]
B:BD[12.17028] → [7.3442:4141]
[12.17028]

Replacement in hosts/yuzu/default.nix at line 31 [12.18645]

B:BD[12.19426] → [12.19426:19506]

        age.secrets.id.file = ./id.age;
        services.openssh    = enabled {

[12.19426]

[12.19506]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDLlddona4PlORWd+QpR/7F5H46/Dic9vV23/YSrZl0 root@yuzu";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/hosts/${config.networking.hostName}/rekeyed";
          storageMode      = "local";
        };
        age.secrets.id.rekeyFile = ./id.age;
        services.openssh         = enabled {

Replacement in hosts/yuzu/default.nix at line 51 [12.18645]

B:BD[12.19832] → [12.19832:19922]

        age.secrets.password.file = ./password.age;
        users.users               = {

[12.19832]

[12.19922]

        age.secrets.password.rekeyFile = ./password.age;
        users.users                    = {

Insertion in hosts/yuzu/default.nix at line 83 [12.18645]

[12.21183]


        # Ignore power button short presses.
        services.logind.settings.Login.HandlePowerKey = "ignore";

File addition: rekeyed (d--x------)
[35.7]
File addition: fe0ba6ccbe251565bc97593cf2bdf75f-acmeEnvironment.age (----------)
[0.5321]
File addition: f4f79880c8d7deed1cbdb4033529e8dc-password.age (----------)
[0.5321]
File addition: 99c59db88f880332424f3d9044894787-nixServeKey.age (----------)
[0.5321]
File addition: 791b532e988722d9533a0b31689c347f-matrixRegistrationSecret.age (----------)
[0.5321]
File addition: 52dd6cf3febe86ac3ce6200f04478dfd-id.age (----------)
[0.5321]
File addition: 2ca2b92bf88e2f0093e5e5d58d905136-grafanaPassword.age (----------)
[0.5321]
File addition: 2094e37b0080ddb1784778e52e7d2d61-matrixSigningKey.age (----------)
[0.5321]
File addition: 02eb1cb32298e39b71006aa103c1e40f-forgejoAdminPassword.age (----------)
[0.5321]
Replacement in hosts/plum/password.age at line 2 [9.225]
B:BD[9.248] → [7.4148:4521]
[9.248]
Replacement in hosts/plum/matrix-signing-key.age at line 2 [14.5240]
B:BD[14.5263] → [7.4523:4891]
[14.5263]
Replacement in hosts/plum/matrix-registration-secret.age at line 2 [14.5687]
B:BD[14.5710] → [7.4893:5238]
[14.5710]
Replacement in hosts/plum/id.age at line 2 [23.596]
B:BD[23.619] → [7.5240:5939]
[23.619]
Replacement in hosts/plum/grafana/password.age at line 2 [15.1727]
B:BD[15.1750] → [7.5943:6257]
[15.1750]

Replacement in hosts/plum/grafana/default.nix at line 13 [15.2110]

B:BD[15.2364] → [15.2364:2414]

    file = ./password.age;
    owner = "grafana";

[15.2364]

[15.2414]

    rekeyFile = ./password.age;
    owner     = "grafana";

Replacement in hosts/plum/grafana/default.nix at line 53 [15.2110]
∅:D[36.2115] → [16.5303:5310]
B:BD[16.5303] → [16.5303:5310]
```
      
```
[36.2115]
[15.3146]
Replacement in hosts/plum/forgejo-password.age at line 2 [19.1344]
B:BD[19.1367] → [7.6262:6636]
[19.1367]

Replacement in hosts/plum/default.nix at line 33 [33.987]

B:BD[37.3760] → [2.385:465]

        age.secrets.id.file = ./id.age;
        services.openssh    = enabled {

[37.3760]

[37.3888]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH1S3dhOYCCltqrseHc3YZFHc9XU90PsvDo7frzUGrr root@plum";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/hosts/${config.networking.hostName}/rekeyed";
          storageMode      = "local";
        };
        age.secrets.id.rekeyFile = ./id.age;
        services.openssh         = enabled {

Replacement in hosts/plum/default.nix at line 58 [33.987]

∅:D[4.250] → [37.4421:4473]

B:BD[37.4421] → [37.4421:4473]

B:BD[37.4473] → [2.466:504]

        age.secrets.password.file = ./password.age;
        users.users               = {

[4.250]

[2.504]

        age.secrets.password.rekeyFile = ./password.age;
        users.users                    = {

Insertion in hosts/plum/default.nix at line 98 [33.987]

[37.5378]

        };
        age.secrets.acmeEnvironment.rekeyFile = self + /modules/acme/environment.age;
        age.secrets.matrixSigningKey = {
          rekeyFile = ./matrix-signing-key.age;
          owner     = "matrix-synapse";
          group     = "matrix-synapse";

Insertion in hosts/plum/default.nix at line 108 [33.987]

[37.5390]

[2.1427]

        age.secrets.matrixRegistrationSecret = {
          rekeyFile = ./matrix-registration-secret.age;
          owner     = "matrix-synapse";
          group     = "matrix-synapse";
        };
        age.secrets.forgejoAdminPassword = {
          rekeyFile = ./forgejo-password.age;
          owner     = "forgejo";
        };

Replacement in hosts/plum/cache/key.age at line 2 [13.323]
B:BD[13.346] → [7.6641:7045]
[13.346]
Replacement in hosts/plum/cache/default.nix at line 11 [13.791]
B:BD[13.1030] → [13.1030:1072]
```
    file = ./key.age;
    owner = "root";
```
[13.1030]
[13.1072]
```
    rekeyFile = ./key.age;
    owner     = "root";
```
File addition: rekeyed (d--x------)
[22.169]
File addition: 8e4a796dd97579c7c310a15c2d9c782e-password.age (----------)
[0.13619]
File addition: 2f89dbe88eb93b7b6696598ffd8fe5d3-id.age (----------)
[0.13619]
File addition: 06099a5685a3e2df69d03b4eb2185fc2-key.age (----------)
[0.13619]
Replacement in hosts/pear/password.age at line 2 [38.100]
B:BD[38.123] → [7.7049:7423]
[38.123]
Replacement in hosts/pear/id.age at line 2 [22.187]
B:BD[22.210] → [7.7425:8124]
[22.210]

Insertion in hosts/pear/default.nix at line 20 [33.1239]

[2.1631]

[37.5938]


        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2/Pg/5ohT3Dacnzjw9pvkeoQ1hEFwG5l1vRkr3v2sQ root@pear";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/hosts/${config.networking.hostName}/rekeyed";
          storageMode      = "local";
        };

Replacement in hosts/pear/default.nix at line 28 [33.1239]

B:BD[37.5939] → [2.1632:1712]

        age.secrets.id.file = ./id.age;
        services.openssh    = enabled {

[37.5939]

[37.6094]

        age.secrets.id.rekeyFile = ./id.age;
        services.openssh         = enabled {

Replacement in hosts/pear/default.nix at line 70 [33.1239]

B:BD[37.7521] → [2.2236:2326]

        age.secrets.password.file = ./password.age;
        users.users               = {

[37.7521]

[2.2326]

        age.secrets.password.rekeyFile = ./password.age;
        users.users                    = {

File addition: rekeyed (d--x------)
[24.2123]
File addition: e72e6cbfce74b3aaf9f11cb4d964b290-acmeEnvironment.age (----------)
[0.16983]
File addition: d578dd8185a5fdb2ed6974daab6ee0e9-github2forgejoEnvironment.age (----------)
[0.16983]
File addition: 881f1dd5ede01e97e66921b8c62fb10a-dr-radka-environment.age (----------)
[0.16983]
File addition: 701d424111d3c4d76e2d3e4ab5e04fdc-id.age (----------)
[0.16983]
File addition: 2305e74466e7dbdb58f43b1124183821-password.age (----------)
[0.16983]
Replacement in hosts/kiwi/password.age at line 2 [24.2141]
B:BD[24.2164] → [7.8131:8504]
[24.2164]
Replacement in hosts/kiwi/id.age at line 2 [24.2583]
B:BD[24.2606] → [7.8506:9205]
[24.2606]

Replacement in hosts/kiwi/github2forgejo/github2forgejo.nix at line 4 [17.470]

B:BD[17.527] → [17.527:638]

  age.secrets.github2forgejoEnvironment = {
    file  = ./environment.age;
    owner = "github2forgejo";
  };

[17.527]

[17.638]

Replacement in hosts/kiwi/github2forgejo/environment.age at line 2 [17.801]
B:BD[17.824] → [7.9209:9743]
[17.824]
Replacement in hosts/kiwi/dr-radka-environment.age at line 2 [20.3333]
B:BD[20.3356] → [7.9745:10670]
[20.3356]

Replacement in hosts/kiwi/default.nix at line 26 [33.1791]

B:BD[37.11592] → [2.5679:5759]

        age.secrets.id.file = ./id.age;
        services.openssh    = enabled {

[37.11592]

[37.11629]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElcSHxI64xqUUKEY83tKyzEH+fYT5JCWn3qCqtw16af root@kiwi";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/hosts/${config.networking.hostName}/rekeyed";
          storageMode      = "local";
        };
        age.secrets.id.rekeyFile = ./id.age;
        services.openssh         = enabled {

Replacement in hosts/kiwi/default.nix at line 51 [33.1791]

∅:D[4.396] → [37.12162:12214]

B:BD[37.12162] → [37.12162:12214]

B:BD[37.12214] → [2.5760:5798]

        age.secrets.password.file = ./password.age;
        users.users               = {

[4.396]

[2.5798]

        age.secrets.password.rekeyFile = ./password.age;
        users.users                    = {

Insertion in hosts/kiwi/default.nix at line 101 [33.1791]

[37.13122]

        };
        age.secrets.acmeEnvironment.rekeyFile = self + /modules/acme/environment.age;
        age.secrets.dr-radka-environment = {
          rekeyFile = ./dr-radka-environment.age;
          owner     = "dr-radka";
          group     = "dr-radka";

Insertion in hosts/kiwi/default.nix at line 111 [33.1791]

[37.13134]

[2.7072]

        age.secrets.github2forgejoEnvironment = {
          rekeyFile = ./github2forgejo/environment.age;
          owner     = "github2forgejo";
        };

File addition: rekeyed (d--x------)
[12.30764]
File addition: f641ee7409d9f390e6a23fb0a9445a77-password.age (----------)
[0.23756]
File addition: eddd1ed62b3eacbeea5d1da9a8ecac49-id.age (----------)
[0.23756]
File addition: 2be8c331b5460f82c1d14ba2476925a8-key.age (----------)
[0.23756]
Replacement in hosts/date/password.age at line 2 [12.30782]
B:BD[12.30805] → [7.10675:11049]
[12.30805]
Replacement in hosts/date/id.age at line 2 [12.31445]
B:BD[12.31468] → [7.11051:11751]
[12.31468]

Insertion in hosts/date/default.nix at line 25 [12.33086]

[12.33706]


        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzfoVKZDyiyyMiX1JRFaaTELspG25MlLNq0kI2AANTa root@date";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/hosts/${config.networking.hostName}/rekeyed";
          storageMode      = "local";
        };

Replacement in hosts/date/default.nix at line 33 [12.33086]

B:BD[12.33707] → [12.33707:33787]

        age.secrets.id.file = ./id.age;
        services.openssh    = enabled {

[12.33707]

[12.33787]

        age.secrets.id.rekeyFile = ./id.age;
        services.openssh         = enabled {

Replacement in hosts/date/default.nix at line 46 [12.33086]

B:BD[12.34113] → [12.34113:34203]

        age.secrets.password.file = ./password.age;
        users.users               = {

[12.34113]

[12.34203]

        age.secrets.password.rekeyFile = ./password.age;
        users.users                    = {

Replacement in flake.nix at line 76 [8.24075]

B:BD[39.1242] → [39.1242:1300]

      url                    = "github:yaxitech/ragenix";

[39.1242]

[39.1300]

      url                    = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix-rekey = {
      url                    = "github:oddlama/agenix-rekey";

Replacement in flake.nix at line 101 [8.24075]

B:BD[8.24519] → [40.5117:5173]

  outputs = inputs @ { nixpkgs, nix-darwin,  ... }: let

[8.24519]

[33.2128]

  outputs = inputs @ { self, nixpkgs, nix-darwin,  ... }: let

Insertion in flake.nix at line 127 [8.24075]

[41.602]

[34.4595]

    agenix-rekey = inputs.agenix-rekey.configure {
      userFlake = self;
      nixosConfigurations = self.nixosConfigurations;
    };

Replacement in flake.lock at line 5 [8.25342]

B:BD[9.1392] → [39.1686:1780]

        "agenix": "agenix_2",
        "crane": "crane",
        "flake-utils": "flake-utils",

[9.1392]

[39.1780]

        "darwin": "darwin",
        "home-manager": "home-manager",

Replacement in flake.lock at line 10 [8.25342]
B:BD[39.1832] → [39.1832:1871]
```
        "rust-overlay": "rust-overlay"
```
[39.1832]
[39.1871]
```
        "systems": "systems"
```

Replacement in flake.lock at line 13 [8.25342]

B:BD[39.1898] → [39.1898:2123]

        "lastModified": 1744897914,
        "narHash": "sha256-GIVU92o2TZBnKQXTb76zpQbWR4zjU2rFqWKNIIpXnqA=",
        "owner": "yaxitech",
        "repo": "ragenix",
        "rev": "40f2e17ecaeab4d78ec323e96a04548c0aaa5223",

[39.1898]

[39.2123]

        "lastModified": 1754433428,
        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",

Replacement in flake.lock at line 21 [8.25342]

B:BD[39.2177] → [39.2177:2233]

        "owner": "yaxitech",
        "repo": "ragenix",

[39.2177]

[39.2233]

        "owner": "ryantm",
        "repo": "agenix",

Replacement in flake.lock at line 26 [8.25342]
B:BD[39.2273] → [39.2273:2291]
```
    "agenix_2": {
```
[39.2273]
[39.2291]
```
    "agenix-rekey": {
```

Replacement in flake.lock at line 28 [8.25342]

∅:D[39.2309] → [9.1392:1460]

B:BD[9.1392] → [9.1392:1460]

        "darwin": "darwin",
        "home-manager": "home-manager",

[39.2309]

[9.1460]

        "devshell": "devshell",
        "flake-parts": "flake-parts",

Deletion in flake.lock at line 31 [8.25342]
B:BD[9.1481] → [39.2310:2330]
```
          "agenix",
```

Replacement in flake.lock at line 33 [8.25342]

B:BD[9.1512] → [9.1512:1541]

        "systems": "systems"

[9.1512]

[9.1541]

        "pre-commit-hooks": "pre-commit-hooks",
        "treefmt-nix": "treefmt-nix"

Replacement in flake.lock at line 37 [8.25342]

B:BD[9.1568] → [39.2331:2441]

∅:D[39.2441] → [9.1678:1731]

B:BD[9.1678] → [9.1678:1731]

B:BD[9.1731] → [39.2442:2501]

        "lastModified": 1736955230,
        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",

[9.1568]

[9.1790]

        "lastModified": 1759699908,
        "narHash": "sha256-kYVGY8sAfqwpNch706Fy2+/b+xbtfidhXSnzvthAhIQ=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
        "rev": "42362b12f59978aabf3ec3334834ce2f3662013d",

Replacement in flake.lock at line 45 [8.25342]

B:BD[9.1844] → [9.1844:1897]

        "owner": "ryantm",
        "repo": "agenix",

[9.1844]

[9.1897]

        "owner": "oddlama",
        "repo": "agenix-rekey",

Replacement in flake.lock at line 52 [8.25342]
B:BD[42.28686] → [39.2502:2542]
```
        "flake-utils": "flake-utils_2",
```
[42.28686]
[42.28724]
```
        "flake-utils": "flake-utils",
```

Replacement in flake.lock at line 72 [8.25342]

B:BD[9.1978] → [39.2543:2558]

    "crane": {

[9.1978]

[39.2558]

    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },

Replacement in flake.lock at line 80 [8.25342]

B:BD[39.2576] → [39.2576:2798]

        "lastModified": 1741481578,
        "narHash": "sha256-JBTSyJFQdO3V8cgcL08VaBUByEU6P5kXbTJN6R0PFQo=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "bb1c9567c43e4434f54e9481eb4b8e8e0d50f0b5",

[39.2576]

[39.2798]

        "lastModified": 1744478979,
        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",

Replacement in flake.lock at line 88 [8.25342]

B:BD[39.2852] → [39.2852:2905]

        "owner": "ipetkov",
        "repo": "crane",

[39.2852]

[39.2905]

        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",

Replacement in flake.lock at line 94 [8.25342]
∅:D[39.2945] → [9.1978:1994]
B:BD[9.1978] → [9.1978:1994]
```
    "darwin": {
```
[39.2945]
[9.1994]
```
    "devshell": {
```
Replacement in flake.lock at line 97 [8.25342]
B:BD[9.2033] → [39.2946:2966]
∅:D[39.2966] → [9.2033:2053]
B:BD[9.2033] → [9.2033:2053]
```
          "agenix",
          "agenix",
```
[9.2033]
[9.2053]
```
          "agenix-rekey",
```

Replacement in flake.lock at line 102 [8.25342]

B:BD[9.2110] → [39.2967:3077]

∅:D[39.3077] → [9.2220:2275]

B:BD[9.2220] → [9.2220:2275]

B:BD[9.2275] → [39.3078:3137]

        "lastModified": 1700795494,
        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",

[9.2110]

[9.2334]

        "lastModified": 1728330715,
        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",

Replacement in flake.lock at line 110 [8.25342]

B:BD[9.2388] → [9.2388:2468]

        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",

[9.2388]

[42.29167]

        "owner": "numtide",
        "repo": "devshell",

Insertion in flake.lock at line 159 [8.25342]

[8.25962]

        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {

Replacement in flake.lock at line 188 [8.25342]
B:BD[8.26347] → [42.29208:29229]
```
    "flake-utils": {
```
[43.3343]
[42.29229]
```
    "flake-parts": {
```

Replacement in flake.lock at line 190 [8.25342]

B:BD[42.29247] → [9.2469:2500]

        "systems": "systems_2"

[42.29247]

[39.3309]

        "nixpkgs-lib": [
          "agenix-rekey",
          "nixpkgs"
        ]

Replacement in flake.lock at line 196 [8.25342]

B:BD[39.3336] → [39.3336:3564]

        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",

[39.3336]

[39.3564]

        "lastModified": 1733312601,
        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",

Replacement in flake.lock at line 204 [8.25342]

B:BD[39.3618] → [39.3618:3677]

        "owner": "numtide",
        "repo": "flake-utils",

[39.3618]

[39.3677]

        "owner": "hercules-ci",
        "repo": "flake-parts",

Replacement in flake.lock at line 209 [8.25342]
B:BD[39.3717] → [39.3717:3740]
```
    "flake-utils_2": {
```
[39.3717]
[39.3740]
```
    "flake-utils": {
```
Replacement in flake.lock at line 211 [8.25342]
B:BD[39.3758] → [39.3758:3789]
```
        "systems": "systems_3"
```
[39.3758]
[42.29276]
```
        "systems": "systems_2"
```
Replacement in flake.lock at line 232 [8.25342]
B:BD[17.1923] → [39.3790:3821]
```
        "systems": "systems_4"
```
[17.1923]
[17.1954]
```
        "systems": "systems_3"
```

Insertion in flake.lock at line 245 [8.25342]

[17.2328]

[40.5175]

        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "agenix-rekey",
          "pre-commit-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",

Insertion in flake.lock at line 263 [8.25342]

[40.5200]

      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"

Replacement in flake.lock at line 275 [8.25342]
B:BD[40.5300] → [39.3822:3863]
```
        "rust-overlay": "rust-overlay_2"
```
[40.5300]
[40.5339]
```
        "rust-overlay": "rust-overlay"
```
Deletion in flake.lock at line 295 [8.25342]
B:BD[9.2553] → [39.3864:3884]
```
          "agenix",
```

Replacement in flake.lock at line 299 [8.25342]

B:BD[8.26465] → [39.3885:3995]

        "lastModified": 1703113217,
        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",

[8.26465]

[9.2664]

        "lastModified": 1745494811,
        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",

Replacement in flake.lock at line 303 [8.25342]

B:BD[9.2730] → [39.3996:4055]

        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",

[9.2730]

[9.2789]

        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",

Replacement in flake.lock at line 432 [8.25342]
B:BD[8.26922] → [8.26922:26962]
```
        "flake-compat": "flake-compat",
```
[8.26922]
[8.26962]
```
        "flake-compat": "flake-compat_2",
```

Insertion in flake.lock at line 497 [8.25342]

[43.5189]

        "type": "github"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "agenix-rekey",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1735882644,
        "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",

Insertion in flake.lock at line 516 [8.25342]

[43.5214]

      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"

Insertion in flake.lock at line 526 [8.25342]
[9.3130]
[42.30686]
```
        "agenix-rekey": "agenix-rekey",
```

Deletion in flake.lock at line 558 [8.25342]

B:BD[40.5756] → [40.5756:5795]

B:BD[40.5795] → [39.4227:4711]

      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1741400194,
        "narHash": "sha256-tEpgT+q5KlGjHSm8MnINgTPErEl8YDzX3Eps8PVc09g=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "16b6045a232fea0e9e4c69e55a6e269607dd8e3f",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "rust-overlay_2": {

Replacement in flake.lock at line 623 [8.25342]

B:BD[39.5150] → [39.5150:5169]

    "systems_4": {

[39.5150]

[9.3174]

    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "agenix-rekey",
          "nixpkgs"
        ]
      },

Replacement in flake.lock at line 631 [8.25342]

B:BD[9.3192] → [9.3192:3420]

        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",

[9.3192]

[9.3420]

        "lastModified": 1735135567,
        "narHash": "sha256-8T3K5amndEavxnludPyfj3Z1IkcFdRpR23q+T0BVeZE=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "9e09d30a644c57257715902efbb3adc56c79cf28",

Replacement in flake.lock at line 639 [8.25342]

B:BD[9.3474] → [9.3474:3533]

        "owner": "nix-systems",
        "repo": "default",

[9.3474]

[6.9750]

        "owner": "numtide",
        "repo": "treefmt-nix",

agenix: Use YubiKey and agenix-rekey.

Dependencies

In channels

Change contents

File deletion: secrets.nix

File addition: yubikey.pub (----------)

Replacement in modules/matrix.nix at line 10 [14.560]

Deletion in modules/matrix.nix at line 12 [14.560]

Replacement in modules/forgejo.nix at line 15 [27.3]

Replacement in modules/dr-radka.nix at line 13 [20.83]

Replacement in modules/common/z-ai-key.age at line 2 [7.130]

File addition: yubikey.nix (----------)

Insertion in modules/common/packages.nix at line 5 [30.4113]

Replacement in modules/common/ai.nix at line 19 [29.3345]

Replacement in modules/common/agenix.nix at line 1 [31.60]

Replacement in modules/common/agenix.nix at line 12 [31.60]

Replacement in modules/acme/environment.age at line 2 [21.2885]

Deletion in modules/acme/default.nix at line 6 [32.41]

Insertion in modules/acme/default.nix at line 7 [32.41]

Insertion in lib/system.nix at line 21 [34.508]

File addition: rekeyed (d--x------)

File addition: d84eefbeb5169c3af65e5abcc0891956-id.age (----------)

File addition: 9f3374a93ab60bd7aa836bf0fc89d6bf-key.age (----------)

File addition: 7d82a470ab41da124e216c236fa25afa-password.age (----------)

Replacement in hosts/yuzu/password.age at line 2 [12.16342]

Replacement in hosts/yuzu/id.age at line 2 [12.17005]

Replacement in hosts/yuzu/default.nix at line 31 [12.18645]

Replacement in hosts/yuzu/default.nix at line 51 [12.18645]

Insertion in hosts/yuzu/default.nix at line 83 [12.18645]

File addition: rekeyed (d--x------)

File addition: fe0ba6ccbe251565bc97593cf2bdf75f-acmeEnvironment.age (----------)

File addition: f4f79880c8d7deed1cbdb4033529e8dc-password.age (----------)

File addition: 99c59db88f880332424f3d9044894787-nixServeKey.age (----------)

File addition: 791b532e988722d9533a0b31689c347f-matrixRegistrationSecret.age (----------)

File addition: 52dd6cf3febe86ac3ce6200f04478dfd-id.age (----------)

File addition: 2ca2b92bf88e2f0093e5e5d58d905136-grafanaPassword.age (----------)

File addition: 2094e37b0080ddb1784778e52e7d2d61-matrixSigningKey.age (----------)

File addition: 02eb1cb32298e39b71006aa103c1e40f-forgejoAdminPassword.age (----------)

Replacement in hosts/plum/password.age at line 2 [9.225]

Replacement in hosts/plum/matrix-signing-key.age at line 2 [14.5240]

Replacement in hosts/plum/matrix-registration-secret.age at line 2 [14.5687]

Replacement in hosts/plum/id.age at line 2 [23.596]

Replacement in hosts/plum/grafana/password.age at line 2 [15.1727]

Replacement in hosts/plum/grafana/default.nix at line 13 [15.2110]

Replacement in hosts/plum/grafana/default.nix at line 53 [15.2110]

Replacement in hosts/plum/forgejo-password.age at line 2 [19.1344]

Replacement in hosts/plum/default.nix at line 33 [33.987]

Replacement in hosts/plum/default.nix at line 58 [33.987]

Insertion in hosts/plum/default.nix at line 98 [33.987]

Insertion in hosts/plum/default.nix at line 108 [33.987]

Replacement in hosts/plum/cache/key.age at line 2 [13.323]

Replacement in hosts/plum/cache/default.nix at line 11 [13.791]

File addition: rekeyed (d--x------)

File addition: 8e4a796dd97579c7c310a15c2d9c782e-password.age (----------)

File addition: 2f89dbe88eb93b7b6696598ffd8fe5d3-id.age (----------)

File addition: 06099a5685a3e2df69d03b4eb2185fc2-key.age (----------)

Replacement in hosts/pear/password.age at line 2 [38.100]

Replacement in hosts/pear/id.age at line 2 [22.187]

Insertion in hosts/pear/default.nix at line 20 [33.1239]

Replacement in hosts/pear/default.nix at line 28 [33.1239]

Replacement in hosts/pear/default.nix at line 70 [33.1239]

File addition: rekeyed (d--x------)

File addition: e72e6cbfce74b3aaf9f11cb4d964b290-acmeEnvironment.age (----------)

File addition: d578dd8185a5fdb2ed6974daab6ee0e9-github2forgejoEnvironment.age (----------)

File addition: 881f1dd5ede01e97e66921b8c62fb10a-dr-radka-environment.age (----------)

File addition: 701d424111d3c4d76e2d3e4ab5e04fdc-id.age (----------)

File addition: 2305e74466e7dbdb58f43b1124183821-password.age (----------)

Replacement in hosts/kiwi/password.age at line 2 [24.2141]

Replacement in hosts/kiwi/id.age at line 2 [24.2583]

Replacement in hosts/kiwi/github2forgejo/github2forgejo.nix at line 4 [17.470]

Replacement in hosts/kiwi/github2forgejo/environment.age at line 2 [17.801]

Replacement in hosts/kiwi/dr-radka-environment.age at line 2 [20.3333]

Replacement in hosts/kiwi/default.nix at line 26 [33.1791]

Replacement in hosts/kiwi/default.nix at line 51 [33.1791]

Insertion in hosts/kiwi/default.nix at line 101 [33.1791]

Insertion in hosts/kiwi/default.nix at line 111 [33.1791]

File addition: rekeyed (d--x------)

File addition: f641ee7409d9f390e6a23fb0a9445a77-password.age (----------)

File addition: eddd1ed62b3eacbeea5d1da9a8ecac49-id.age (----------)

File addition: 2be8c331b5460f82c1d14ba2476925a8-key.age (----------)