plumjam/nixos - Change 3JJNSJEGODVFHBIC2AOLOB3JZSFPPQBENWFLKHTSOGH7YGVW6GTQC

hosts: Move openssh and agenix-rekey configs to modules.

Created by PlumJam on January 8, 2026

3JJNSJEGODVFHBIC2AOLOB3JZSFPPQBENWFLKHTSOGH7YGVW6GTQC

Dependencies

In channels

main

Change contents

File addition: openssh.nix (----------)

[6.2]

{ config, lib, ... }: let
  inherit (lib) enabled mkIf types;
in {
  options.openssh = {
    enable = lib.mkEnableOption "openssh";
    idFile = lib.mkOption {
      type = types.path;
      example = "/run/agenix/id";
      description = "Path to the secret SSH id file";
    };
  };
  config = mkIf config.openssh.enable {
    age.secrets.id.rekeyFile = config.openssh.idFile;
    services.openssh = enabled {
      hostKeys = [{
        type = "ed25519";
        path = config.age.secrets.id.path;
      }];
      settings = {
        PasswordAuthentication       = false;
        KbdInteractiveAuthentication = false;
        AcceptEnv                    = [ "SHELLS" "COLORTERM" ];
      };
    };
  };
}

File addition: age-rekey.nix (----------)

[6.2]

{ self, config, lib, ... }: let
  inherit (lib) mkIf types;
in {
  options.age-rekey = {
    enable = lib.mkEnableOption "age-rekey";
    hostPubkey = lib.mkOption {
      type = types.str;
      example = "ssh-ed25519 ...";
      description = "Host public key for rekeying";
    };
  };
  config = mkIf config.age-rekey.enable {
    age.rekey = {
      hostPubkey       = config.age-rekey.hostPubkey;
      masterIdentities = [ (self + /yubikey.pub) ];
      localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
      storageMode      = "local";
    };
  };
}

Insertion in hosts/yuzu.nix at line 14 [7.18645]

[3.243]

[7.18978]

          (self + /modules/openssh.nix)
          (self + /modules/age-rekey.nix)

Replacement in hosts/yuzu.nix at line 33 [7.18645]

B:BD[7.19426] → [8.4677:4878]

B:BD[8.4878] → [5.19233:19319]

∅:D[5.19319] → [8.4962:5000]

B:BD[8.4962] → [8.4962:5000]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDLlddona4PlORWd+QpR/7F5H46/Dic9vV23/YSrZl0 root@yuzu";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
          storageMode      = "local";

[7.19426]

[8.5000]

        age-rekey = enabled {
          hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDLlddona4PlORWd+QpR/7F5H46/Dic9vV23/YSrZl0 root@yuzu";

Replacement in hosts/yuzu.nix at line 37 [7.18645]

B:BD[8.5012] → [9.1546:1610]

∅:D[9.1610] → [8.5057:5102]

B:BD[8.5057] → [8.5057:5102]

∅:D[8.5102] → [7.19506:19744]

B:BD[7.19506] → [7.19506:19744]

B:BD[7.19744] → [10.244:313]

∅:D[10.313] → [7.19807:19820]

B:BD[7.19807] → [7.19807:19820]

        age.secrets.id.rekeyFile = self + /secrets/yuzu-id.age;
        services.openssh         = enabled {
          hostKeys = [{
            type = "ed25519";
            path = config.age.secrets.id.path;
          }];
          settings = {
            PasswordAuthentication       = false;
            KbdInteractiveAuthentication = false;
            AcceptEnv                    = [ "SHELLS" "COLORTERM" ];
          };

[8.5012]

[7.19820]

        openssh = enabled {
          idFile = self + /secrets/yuzu-id.age;

Insertion in hosts/plum.nix at line 28 [12.987]

[2.2689]

[11.3615]

          (self + /modules/openssh.nix)
          (self + /modules/age-rekey.nix)

Replacement in hosts/plum.nix at line 35 [12.987]

B:BD[11.3760] → [8.12033:12234]

B:BD[8.12234] → [5.19354:19440]

∅:D[5.19440] → [8.12318:12356]

B:BD[8.12318] → [8.12318:12356]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH1S3dhOYCCltqrseHc3YZFHc9XU90PsvDo7frzUGrr root@plum";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
          storageMode      = "local";

[11.3760]

[8.12356]

        age-rekey = enabled {
          hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH1S3dhOYCCltqrseHc3YZFHc9XU90PsvDo7frzUGrr root@plum";

Replacement in hosts/plum.nix at line 39 [12.987]

B:BD[8.12368] → [9.2143:2207]

∅:D[9.2207] → [8.12413:12458]

B:BD[8.12413] → [8.12413:12458]

∅:D[13.465] → [11.3888:4126]

∅:D[8.12458] → [11.3888:4126]

B:BD[11.3888] → [11.3888:4126]

B:BD[11.4126] → [10.441:510]

∅:D[10.510] → [11.4189:4202]

B:BD[11.4189] → [11.4189:4202]

        age.secrets.id.rekeyFile = self + /secrets/plum-id.age;
        services.openssh         = enabled {
          hostKeys = [{
            type = "ed25519";
            path = config.age.secrets.id.path;
          }];
          settings = {
            PasswordAuthentication       = false;
            KbdInteractiveAuthentication = false;
            AcceptEnv                    = [ "SHELLS" "COLORTERM" ];
          };

[8.12368]

[11.4202]

        openssh = enabled {
          idFile = self + /secrets/plum-id.age;

Insertion in hosts/pear.nix at line 15 [12.1239]

[4.268]

[11.5750]

          (self + /modules/openssh.nix)
          (self + /modules/age-rekey.nix)

Replacement in hosts/pear.nix at line 23 [12.1239]

B:BD[8.16451] → [8.16451:16652]

B:BD[8.16652] → [5.19475:19561]

∅:D[5.19561] → [8.16736:16774]

B:BD[8.16736] → [8.16736:16774]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2/Pg/5ohT3Dacnzjw9pvkeoQ1hEFwG5l1vRkr3v2sQ root@pear";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
          storageMode      = "local";

[8.16451]

[8.16774]

        age-rekey = enabled {
          hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL2/Pg/5ohT3Dacnzjw9pvkeoQ1hEFwG5l1vRkr3v2sQ root@pear";

Replacement in hosts/pear.nix at line 27 [12.1239]

B:BD[11.5939] → [9.2435:2499]

∅:D[9.2499] → [8.16831:16876]

B:BD[8.16831] → [8.16831:16876]

∅:D[13.1712] → [11.6094:6332]

∅:D[8.16876] → [11.6094:6332]

B:BD[11.6094] → [11.6094:6332]

B:BD[11.6332] → [10.524:593]

∅:D[10.593] → [11.6395:6408]

B:BD[11.6395] → [11.6395:6408]

        age.secrets.id.rekeyFile = self + /secrets/pear-id.age;
        services.openssh         = enabled {
          hostKeys = [{
            type = "ed25519";
            path = config.age.secrets.id.path;
          }];
          settings = {
            PasswordAuthentication       = false;
            KbdInteractiveAuthentication = false;
            AcceptEnv                    = [ "SHELLS" "COLORTERM" ];
          };

[11.5939]

[11.6408]

        openssh = enabled {
          idFile = self + /secrets/pear-id.age;

Deletion in hosts/pear.nix at line 31 [12.1239]
B:BD[11.6511] → [11.6511:6512]

Insertion in hosts/kiwi.nix at line 22 [12.1791]

[2.3266]

[11.11356]

          (self + /modules/openssh.nix)
          (self + /modules/age-rekey.nix)

Replacement in hosts/kiwi.nix at line 29 [12.1791]

B:BD[11.11592] → [8.22805:23006]

B:BD[8.23006] → [5.19630:19716]

∅:D[5.19716] → [8.23090:23128]

B:BD[8.23090] → [8.23090:23128]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElcSHxI64xqUUKEY83tKyzEH+fYT5JCWn3qCqtw16af root@kiwi";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
          storageMode      = "local";

[11.11592]

[8.23128]

        age-rekey = enabled {
          hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElcSHxI64xqUUKEY83tKyzEH+fYT5JCWn3qCqtw16af root@kiwi";

Replacement in hosts/kiwi.nix at line 33 [12.1791]

B:BD[8.23140] → [9.3156:3220]

∅:D[9.3220] → [8.23185:23230]

B:BD[8.23185] → [8.23185:23230]

∅:D[13.5759] → [11.11629:11867]

∅:D[8.23230] → [11.11629:11867]

B:BD[11.11629] → [11.11629:11867]

B:BD[11.11867] → [10.620:689]

∅:D[10.689] → [11.11930:11943]

B:BD[11.11930] → [11.11930:11943]

        age.secrets.id.rekeyFile = self + /secrets/kiwi-id.age;
        services.openssh         = enabled {
          hostKeys = [{
            type = "ed25519";
            path = config.age.secrets.id.path;
          }];
          settings = {
            PasswordAuthentication       = false;
            KbdInteractiveAuthentication = false;
            AcceptEnv                    = [ "SHELLS" "COLORTERM" ];
          };

[8.23140]

[11.11943]

        openssh = enabled {
          idFile = self + /secrets/kiwi-id.age;

Insertion in hosts/date.nix at line 14 [7.33086]

[3.352]

[7.33419]

          (self + /modules/openssh.nix)
          (self + /modules/age-rekey.nix)

Replacement in hosts/date.nix at line 28 [7.33086]

B:BD[8.26519] → [8.26519:26720]

B:BD[8.26720] → [5.19751:19837]

∅:D[5.19837] → [8.26804:26842]

B:BD[8.26804] → [8.26804:26842]

        age.rekey = {
          hostPubkey       = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzfoVKZDyiyyMiX1JRFaaTELspG25MlLNq0kI2AANTa root@date";
          masterIdentities = [ (self + /yubikey.pub) ];
          localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
          storageMode      = "local";

[8.26519]

[8.26842]

        age-rekey = enabled {
          hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzfoVKZDyiyyMiX1JRFaaTELspG25MlLNq0kI2AANTa root@date";

Replacement in hosts/date.nix at line 32 [7.33086]

B:BD[7.33707] → [9.3621:3685]

∅:D[9.3685] → [8.26899:26944]

B:BD[8.26899] → [8.26899:26944]

∅:D[8.26944] → [7.33787:34025]

B:BD[7.33787] → [7.33787:34025]

B:BD[7.34025] → [10.704:773]

∅:D[10.773] → [7.34088:34101]

B:BD[7.34088] → [7.34088:34101]

        age.secrets.id.rekeyFile = self + /secrets/date-id.age;
        services.openssh         = enabled {
          hostKeys = [{
            type = "ed25519";
            path = config.age.secrets.id.path;
          }];
          settings = {
            PasswordAuthentication       = false;
            KbdInteractiveAuthentication = false;
            AcceptEnv                    = [ "SHELLS" "COLORTERM" ];
          };

[7.33707]

[7.34101]

        openssh = enabled {
          idFile = self + /secrets/date-id.age;