plumjam/nixos - Change OPVLEXF5H3CHSU43PIQ4M75UAE3UIKQ5WTVYUOD4M7MPUHLP26LQC

dendritic: Migrate secret management configs.

Created by PlumJam on January 10, 2026

OPVLEXF5H3CHSU43PIQ4M75UAE3UIKQ5WTVYUOD4M7MPUHLP26LQC

Dependencies

In channels

main

Change contents

File deletion: age-rekey.nix

BF:BFD[4.2] → [5.1528:1565]

BF:BFD[5.1565] → [5.939:939]

B:BD[5.939] → [5.940:1218]

B:BD[5.1218] → [3.121999:122229]

∅:D[3.122229] → [5.1218:1273]

B:BD[5.1218] → [5.1218:1273]

B:BD[5.1273] → [3.122230:122305]

∅:D[3.122305] → [5.1273:1527]

B:BD[5.1273] → [5.1273:1527]

{ self, config, lib, ... }: let
  inherit (lib) mkIf types;
in {
  options.age-rekey = {
    enable = lib.mkEnableOption "age-rekey";
    hostPubkey = lib.mkOption {
      type = types.str;
      example = "ssh-ed25519 ...";
      description = "Host public key for rekeying";
    };
    # TODO(1/2): Per OS type handling. Probably better to not use an option.
    typeOf = lib.mkOption {
      type = types.str;
      example = "linux";
      description = "OS type (linux|darwin) for age identity paths";
    };
  };
  config = mkIf config.age-rekey.enable {
    # TODO(2/2): Per OS type.
    age.identityPaths = [ "/root/.ssh/id" ];
    age.rekey = {
      hostPubkey       = config.age-rekey.hostPubkey;
      masterIdentities = [ (self + /yubikey.pub) ];
      localStorageDir  = self + "/secrets/rekeyed/${config.networking.hostName}";
      storageMode      = "local";
    };
  };
}

File move: yubikey.mod.nix → yubikey.nix
BF:BFD[4.2] → [3.2655:2694]
BF:BF[3.2694] → [3.1286:1286]
[4.2]
[3.1286]
Replacement in modules/yubikey.nix at line 2 [3.1286]
B:BD[3.1289] → [3.1289:1334]
```
  config.flake.modules.homeModules.yubikey =
```
[3.1289]
[3.1334]
```
  config.flake.modules.hjem.yubikey =
```
Replacement in modules/yubikey.nix at line 15 [3.1286]
B:BD[3.1533] → [3.1533:1579]
```
  config.flake.modules.nixosModules.yubikey =
```
[3.1533]
[3.1579]
```
  config.flake.modules.nixos.yubikey =
```
Replacement in modules/yubikey.nix at line 40 [3.1286]
B:BD[3.2093] → [3.2093:2140]
```
  config.flake.modules.darwinModules.yubikey =
```
[3.2093]
[3.2140]
```
  config.flake.modules.darwin.yubikey =
```

File addition: secret-manager.nix (----------)

[4.2]

{ self, inputs, ... }:
{
  config.flake.agenix-rekey = inputs.age-rekey.configure {
    userFlake = self;
    inherit (self) nixosConfigurations;
  };
  config.flake.modules.nixos.secret-manager =
    { config, ... }:
    {
      imports = [
        inputs.age.nixosModules.default
        inputs.age-rekey.nixosModules.default
      ];
      config.age.rekey = {
        storageMode = "local";
        masterIdentities = [ ../yubikey.pub ];
        localStorageDir = ../secrets/rekeyed/${config.networking.hostName};
      };
    };
  config.flake.modules.darwin.secret-manager = {
    imports = [
      inputs.age.darwinModules.default
    ];
  };
}

File deletion: agenix.nix
BF:BFD[6.9] → [7.408:442]
BF:BFD[7.442] → [7.60:60]
∅:D[8.1434] → [7.93:173]
B:BD[7.93] → [7.93:173]
∅:D[9.4044] → [7.195:204]
B:BD[7.195] → [7.195:204]
∅:D[9.4118] → [7.257:263]
B:BD[7.257] → [7.257:263]
∅:D[8.1595] → [7.404:407]
B:BD[7.404] → [7.404:407]
B:BD[7.263] → [8.1435:1506]
∅:D[10.761] → [8.1562:1595]
B:BD[8.1562] → [8.1562:1595]
B:BD[8.1506] → [10.685:761]
B:BD[7.204] → [9.4045:4118]
B:BD[7.173] → [9.3996:4044]
B:BD[7.60] → [8.1394:1434]
```
  inherit (lib) mkIf;
in {
  age.identityPaths = [
    (if config.isLinux then
    else
  ];
}
  environment.systemPackages = mkIf config.isDesktop [
    pkgs.agenix
    pkgs.age-plugin-yubikey
  ];
    inputs.agenix-rekey.packages.${pkgs.stdenv.hostPlatform.system}.default
      "${config.users.users.${config.system.primaryUser}.home}/.ssh/id")
      "${config.users.users.root.home}/.ssh/id"
{ inputs, config, lib, pkgs, ... }: let
```

File deletion: yubikey.nix

BF:BFD[6.9] → [8.1253:1288]

BF:BFD[8.1288] → [8.809:809]

B:BD[8.809] → [8.810:1091]

∅:D[2.142] → [8.1117:1143]

B:BD[8.1117] → [8.1117:1143]

∅:D[11.82] → [8.1143:1149]

∅:D[2.169] → [8.1143:1149]

B:BD[8.1143] → [8.1143:1149]

B:BD[8.1250] → [8.1250:1252]

B:BD[8.1149] → [11.83:276]

B:BD[8.1143] → [11.56:82]

B:BD[11.82] → [2.143:169]

B:BD[8.1091] → [2.55:142]

{ pkgs, lib, config, ... }: let
  inherit (lib) mkIf enabled;
in mkIf config.isDesktop {
  services.pcscd                  = enabled;
  programs.yubikey-manager        = enabled;
  programs.yubikey-touch-detector = enabled {
    libnotify = true;
  };
  security.pam.services = {
    sudo.u2fAuth  = true;
  };
}
  environment.systemPackages = [
    pkgs.yubikey-personalization
    pkgs.yubioath-flutter
    pkgs.age-plugin-yubikey
  ];
  services.udev.packages = [
    pkgs.yubikey-personalization
  ];
    su.u2fAuth    = true;
    sshd.u2fAuth  = true;
    login = {
      u2fAuth            = true;
      enableGnomeKeyring = true;
    };

dendritic: Migrate secret management configs.

Dependencies

In channels

Change contents

File deletion: age-rekey.nix

File move: yubikey.mod.nix → yubikey.nix

Replacement in modules/yubikey.nix at line 2 [3.1286]

Replacement in modules/yubikey.nix at line 15 [3.1286]

Replacement in modules/yubikey.nix at line 40 [3.1286]

File addition: secret-manager.nix (----------)

File deletion: agenix.nix

File deletion: yubikey.nix