
chore: merge branch 'wip-ssh-secrets' into develop

+291 -98
+1
.github/workflows/update-flake.yml
··· 36 36 run: | 37 37 set -o pipefail 38 38 nix flake check --quiet --all-systems --keep-going 2>&1 \ 39 + | grep --invert-match 'unknown experimental feature' \ 39 40 | tee -a "$GITHUB_STEP_SUMMARY" ./check.out 40 41 - name: Build PR body 41 42 id: vars
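Review bot: The new `grep --invert-match` on line 39 turns a clean run into a failed step: `grep` exits 1 when it selects no lines, and with `set -o pipefail` on line 37 that status propagates whenever `nix flake check --quiet` prints nothing, or prints only the warning being filtered. Tolerate that one status while still surfacing real grep failures, e.g. `| { grep --invert-match 'unknown experimental feature' || [ "$?" -eq 1 ]; } \`. A one-line comment above the pipeline naming which experimental feature trips the warning on the runner (presumably `pipe-operator` from `nix/lib/config.nix`) would explain why check output is being dropped at all.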
+4 -2
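--- a/just/u2f.just
+++ b/just/u2f.just
@@ -4,13 +4,15 @@
 mkdir -p ~/.config/Yubico
 [ -e ~/.config/Yubico/u2f_keys ] \
 && pamu2fcfg \
+--appid="pam://auth" \
 --origin="pam://localhost" \
---appid="pam://auth" \
+--no-user-presence \
 --nouser \
 >> ~/.config/Yubico/u2f_keys \
 || pamu2fcfg \
+--appid="pam://auth" \
 --origin="pam://localhost" \
---appid="pam://auth" \
+--no-user-presence \
 > ~/.config/Yubico/u2f_keys
 
 # Clear enrolled security keys, if any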
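Review bot: `--no-user-presence` on the two new enrolment lines removes the touch requirement from the registered credential, but nothing here asks for PIN verification in its place; the compensating `pinverification = 1` lives only in the NixOS pam_u2f settings of this same commit. Any consumer of this `u2f_keys` file that does not carry that override (another host, the `relaxed` u2f profile the Raspberry Pi config sets, a hand-written pam_u2f line) would accept the plugged-in key with no user interaction at all. Add `--pin-verification \` next to each `--no-user-presence \` so the authfile itself encodes the intended policy, and put a comment above the recipe stating that touch is deliberately traded for a PIN.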
+1
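--- a/keys/github.pub
+++ b/keys/github.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMlCP3GL7MCCZHvQcbNyET6HGT2BbLuBkDQPZ2tk8TU github.com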
+1
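--- a/keys/tangled.pub
+++ b/keys/tangled.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+uIAmaOxc9or9djd+yUcmrPKcdjzIQhydOPrLipUbW tangled.com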
+1
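--- a/keys/yubikey-25388788.pub
+++ b/keys/yubikey-25388788.pub
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOq7xMJxBehEnVZHYtUvrS51OjJskVQBkgMM/wIrQVKpAAAACnNzaDpnaXRodWI= ssh:github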
+1
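--- a/keys/yubikey-26583315.pub
+++ b/keys/yubikey-26583315.pub
@@ -0,0 +1 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIL92uxU/gdt0slWOcy0Lx4LUPlgZmfiMTWR4GYAV2iZgAAAACnNzaDpnaXRodWI= ssh:github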
+2 -4
nix/home/configs/cheina@pc082.nix
··· 23 23 profiles = { 24 24 standalone = true; 25 25 }; 26 + hostName = "pc082"; 26 27 }; 27 28 28 - age.rekey = { 29 - hostPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsmGjx90M2NbHLmhVYvvYtvRy0h1mr1JLZA7fTP/lo8hMmecIToyMpaNeZDXIVdMCwp5LdUltXDmhqs/AicWQZml+oBgkPzdy8DduLxQRKGwrckglVzhESzijfblbgeP8jEa1n8cxz/TAdOF5mc9QI08QdwrkeNTK0UkYQPFmkMRDPeDyFkscmSWqsxmCKDNX6Q/z9n9KAr8OHxfJomVjsR+BxG6pLXYTg4S85BbzWCE5s6idtLZmt9M5mdrQurUc/xiLwW4JIYH+4XpGvrpWyuUwkgrjYVqqJyMy+Nryl97oD1sfdl5yzrgIHmtQ1baj188cOcsDHQdHZUh115teudAKWIpqaM+veaXrvbYSX8QYXamy0V7KuXfUzw8JiSPSiFs4s7vVGTgIEFmA776zeL0SpXtJxSX8ox3WEW8bqxBt4Ab5xxiOWL+GqWwnbpYbqt6RMFFYmm/lQVVqP0O3NLn4R2IRVUAZmfKX+J4AGvRGJSLyKMM0xvL+wKzlY5TU="; 30 - localStorageDir = root + "/rekeyed/pc082-cheina"; 31 - }; 29 + age.rekey.hostPubkey = "ssh-rsa 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"; 32 30 33 31 home.sessionVariables.XDEBUG_MODE = "off"; 34 32
+1 -1
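--- a/nix/home/modules/cli/atuin/default.nix
+++ b/nix/home/modules/cli/atuin/default.nix
@@ -20,7 +20,7 @@
 options.my.cli.atuin.enable = lib.mkEnableOption "atuin";
 
 config = lib.mkIf cfg.enable {
-my.secretDefinitions = {
+my.secret.definitions = {
 "atuin-password" = mkSecret "atuin-password" {};
 "atuin-key" = mkSecret "atuin-key" {};
 };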
+19 -3
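--- a/nix/home/modules/misc/default.nix
+++ b/nix/home/modules/misc/default.nix
@@ -1,9 +1,25 @@
 {
 lib,
+config,
 osConfig ? {},
 ...
 }: {
-options.my.deprecated =
-lib.mkEnableOption "deprecation marker"
-// {default = osConfig.my.deprecated or false;};
+options.my = {
+hostName = lib.mkOption {
+type = with lib.types; nullOr str;
+default = osConfig.networking.hostName or null;
+};
+deprecated =
+lib.mkEnableOption "deprecation marker"
+// {default = osConfig.my.deprecated or false;};
+};
+
+config = {
+assertions = [
+{
+assertion = config.my.hostName != null;
+message = "config.my.hostName must be set manually in standalone home configurations";
+}
+];
+};
 }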
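Review bot: The new `hostName` option on lines 8-11 carries no `description`, and the message on line 21 talks about standalone configurations while the assertion on line 20 fires in every mode; in the NixOS-integrated case the value comes from `osConfig.networking.hostName`, so the message is only accurate if that is always set there (it appears to be, but the option should say so). Suggest `description = "Host name used to locate per-host secrets; defaults to the NixOS hostName and must be set explicitly in standalone home-manager configurations.";` on the option. If the check is really meant for standalone only, `assertion = osConfig != {} || config.my.hostName != null;` matches the message.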
+1 -1
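--- a/nix/home/modules/nix/default.nix
+++ b/nix/home/modules/nix/default.nix
@@ -12,7 +12,7 @@
 options.my.nix.enable = lib.mkEnableOption "nix";
 
 config = lib.mkIf (cfg.enable) {
-my.secretDefinitions = {
+my.secret.definitions = {
 "nix-extra-access-tokens" = mkSecret "nix-extra-access-tokens" {};
 };
 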
+34 -13
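--- a/nix/home/modules/secrets/default.nix
+++ b/nix/home/modules/secrets/default.nix
@@ -1,24 +1,45 @@
 {
 config,
-inputs,
 lib,
+self,
 osConfig ? {},
 ...
 }: let
-inherit (inputs.self.lib.secrets.paths) root;
+inherit (self.lib.secrets.paths) root;
+inherit (self.lib.secrets.helpers) mkSecret mkHostSecret mkUserSecret;
 in {
+options.my.secret.helpers = let
+extraArgs = lib.optionalAttrs (osConfig != {}) {owner = config.home.username;};
+in
+lib.mkOption {
+default = {
+mkSecret = name: args:
+mkSecret name (extraArgs // args);
+mkHostSecret = configOrHost: name: args:
+mkHostSecret configOrHost name (extraArgs // args);
+mkUserSecret = configOrUser: name: args:
+mkUserSecret configOrUser name (extraArgs // args);
+};
+};
+
 config = let
 osSecrets = osConfig.age.secrets or {};
-homeSecrets = config.my.secretDefinitions;
+homeSecrets = config.my.secret.definitions;
 standaloneHomeSecrets = lib.removeAttrs homeSecrets (builtins.attrNames osSecrets);
-in {
-my.secrets = osSecrets // config.age.secrets;
-age = {
-secrets = standaloneHomeSecrets;
-rekey = lib.mkIf (osConfig != {}) {
-inherit (osConfig.age.rekey) hostPubkey;
-localStorageDir = root + "/rekeyed/${osConfig.networking.hostName}-${config.home.username}";
-};
-};
-};
+in
+lib.mkMerge [
+{
+my.secrets = osSecrets // config.age.secrets;
+age.secrets = standaloneHomeSecrets;
+}
+(lib.mkIf (osConfig != {}) {
+age.rekey = {
+inherit (osConfig.age.rekey) hostPubkey;
+localStorageDir = root + "/rekeyed/${osConfig.networking.hostName}-${config.home.username}";
+};
+})
+(lib.mkIf (osConfig == {}) {
+age.rekey.localStorageDir = root + "/rekeyed/${config.my.hostName}-${config.home.username}";
+})
+];
 }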
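Review bot: In the standalone branch on line 42, `config.my.hostName` is interpolated into a string, so while it is still `null` evaluation aborts with a "cannot coerce null to a string" error from this line rather than with the assertion written for that case; which one surfaces first depends on what agenix-rekey evaluates before home-manager checks assertions, but the interpolation is reached as soon as `localStorageDir` is read. Guard on the value as well, `(lib.mkIf (osConfig == {} && config.my.hostName != null) {`, so the assertion is what the user sees. Line 12 also deserves a comment: `owner` is injected only in the NixOS-integrated case, meaning standalone secrets are decrypted with whatever agenix's home-manager defaults are — presumably the running user, but say so where the wrappers are defined.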
+16
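--- a/nix/home/modules/ssh/default.nix
+++ b/nix/home/modules/ssh/default.nix
@@ -4,6 +4,7 @@
 osConfig ? {},
 ...
 }: let
+inherit (config.my.secret.helpers) mkSecret mkHostSecret;
 cfg = config.my.ssh;
 in {
 options.my.ssh.enable =
@@ -11,14 +12,27 @@
 // {default = osConfig.my.ssh.enable or false;};
 
 config = lib.mkIf cfg.enable {
+my.secret.definitions = {
+"ssh" = mkHostSecret config "ssh" {generator.script = "ssh-ed25519-keypair";};
+"ssh-github" = mkSecret "ssh-github" {};
+"ssh-tangled" = mkSecret "ssh-tangled" {};
+"ssh-yubikey-25388788" = mkSecret "ssh-yubikey-25388788" {};
+"ssh-yubikey-26583315" = mkSecret "ssh-yubikey-26583315" {};
+};
+
 programs.ssh = {
 enable = true;
 enableDefaultConfig = false;
 matchBlocks = {
 "*" = {
 addKeysToAgent = "yes";
+compression = false;
+forwardAgent = false;
 identitiesOnly = false;
 identityFile = [
+config.my.secrets.ssh-yubikey-25388788.path
+config.my.secrets.ssh-yubikey-26583315.path
+config.my.secrets.ssh.path
 "~/.ssh/id_ed25519"
 "~/.ssh/id_rsa"
 ];
@@ -26,6 +40,8 @@
 TERM = "xterm-256color";
 };
 };
+"*.github.com".identityFile = config.my.secrets.ssh-github.path;
+"*.tangled.com".identityFile = config.my.secrets.ssh-tangled.path;
 };
 };
 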
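Review bot: The `Host` patterns `*.github.com` and `*.tangled.com` on lines 43-44 never match the bare hosts `github.com` and `tangled.com` that `git` connects to — ssh's `*` matches any run of characters but the literal `.` must still be present, so the forge-specific identities are never selected and the five identities from the `*` block are offered instead. Use `"github.com *.github.com".identityFile = config.my.secrets.ssh-github.path;` and `"tangled.com *.tangled.com".identityFile = config.my.secrets.ssh-tangled.path;`. Because the `*` block keeps `identitiesOnly = false` with `addKeysToAgent = "yes"`, every agent-loaded key is also tried against those forges before the dedicated one, which tells the server which keys exist; setting `identitiesOnly = true` inside the two forge blocks keeps the offer to the listed files. The `"ssh"` host secret on line 16 is added to the default identity list on line 35 as well, so a comment stating that this per-host key is meant for unattended use (and which hosts accept it) would help whoever reads the authorized-keys side.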
+20 -33
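--- a/nix/home/modules/syncthing/default.nix
+++ b/nix/home/modules/syncthing/default.nix
@@ -2,52 +2,30 @@
 config,
 lib,
 pkgs,
-self,
 osConfig ? {},
 ...
 }: let
-inherit (self.lib.secrets.helpers) mkHostSecret;
+inherit (config.my.secret.helpers) mkHostSecret;
 syncthingtray = config.services.syncthing.tray.package;
 cfg = config.my.syncthing;
 in {
-options.my.syncthing = {
-enable =
-lib.mkEnableOption "syncthing"
-// {default = osConfig.my.syncthing.enable or false;};
-host = lib.mkOption {
-type = with lib.types; nullOr str;
-default = osConfig.networking.hostName or null;
-};
-};
+options.my.syncthing.enable =
+lib.mkEnableOption "syncthing"
+// {default = osConfig.my.syncthing.enable or false;};
 
 config = lib.mkIf cfg.enable {
-assertions = [
-{
-assertion = cfg.host != null;
-message = "config.my.syncthing.host must be set";
-}
-];
-
-my.secretDefinitions = let
-owner =
-if (osConfig != {})
-then config.home.username
-else "0";
-in
-lib.mkIf (cfg.host != null) {
-"host.syncthing-cert" = mkHostSecret cfg.host "syncthing-cert" {
-inherit owner;
-};
-"host.syncthing-key" = mkHostSecret cfg.host "syncthing-key" {
-inherit owner;
-};
-};
+my.secret.definitions = lib.mkIf (config.my.hostName != null) {
+"host.syncthing-cert" = mkHostSecret config "syncthing-cert" {};
+"host.syncthing-key" = mkHostSecret config "syncthing-key" {};
+};
 
 services.syncthing = {
 enable = true;
 tray.enable = true;
 cert = config.my.secrets."host.syncthing-cert".path;
 key = config.my.secrets."host.syncthing-key".path;
+overrideDevices = true;
+overrideFolders = true;
 settings = {
 gui.theme = "dark";
 options = {
@@ -59,7 +37,7 @@
 folders = let
 computers = ["desktop" "laptop" "steamdeck"];
 phones = ["galaxyS23"];
-servers = ["server"];
+servers = ["raspberrypi" "server"];
 allDevices = computers ++ phones ++ servers;
 trashVersioning = {
 type = "trashcan";
@@ -87,6 +65,13 @@
 versioning = trashVersioning;
 devices = allDevices;
 };
+"~/Notes/Work" = {
+id = "gkcpi-lubwx";
+label = "Notes/Work";
+type = "sendreceive";
+versioning = trashVersioning;
+devices = allDevices;
+};
 "~/.steam/steam/userdata/85204334/config/grid" = {
 id = "steam-custom-icons";
 label = "Steam/Custom Icons";
@@ -104,6 +89,8 @@
 pixel7.name = "Pixel 7 Pro";
 galaxyS23.id = "DPARDTW-7LHI6VK-CRKEYI4-VK6BWWP-DMW6KOG-6LWAT4O-QFGDFPR-XVO6RAF";
 galaxyS23.name = "Galaxy S23";
+raspberrypi.id = "XT3UPMT-4I4FJ5W-YTHHID6-GGM57IS-RE7Z7PU-FMYJMGW-T7MJVZF-3MLJTQK";
+raspberrypi.name = "Raspberry Pi";
 server.id = "X5LHXQ6-NOCD2NO-RQ7FPLO-WFLLFRE-5BTTVL6-XLH3DAV-4ZIYI47-EEOVYAK";
 server.name = "Server";
 steamdeck.id = "OBZRWRW-B7DYVZC-RL5JV3D-6YNWG4O-MAIN2GY-KTEBY6V-DWQK36S-5E2O7AB";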
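Review bot: `my.secret.definitions` on line 17 is now gated on `config.my.hostName != null`, but `cert` and `key` on lines 25-26 still index `config.my.secrets."host.syncthing-cert"` unconditionally, so a missing host name now fails as an attribute-missing error on those lines instead of the assertion this commit moved elsewhere; either drop the `mkIf` (the assertion already rejects a null host) or gate `services.syncthing` the same way. Separately, adding `raspberrypi` to `servers` on line 40 puts it in `allDevices` and therefore in every folder below, including the new `~/Notes/Work` — if the Pi is meant to hold a full copy of everything, a comment on the `servers` list saying so would stop a reader from assuming it is a backup-only peer. `overrideDevices`/`overrideFolders = true` on lines 27-28 also mean any device or folder added through the GUI is removed at the next activation, which deserves a one-line comment next to them.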
+27 -3
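--- a/nix/lib/config.nix
+++ b/nix/lib/config.nix
@@ -20,6 +20,28 @@
 shell = "fish";
 wallpaper = assetWithPrefix "wallpaper";
 profilePicture = assetWithPrefix "profile-picture";
+ssh.publicKeys = {
+github = ../../keys/github.pub;
+tangled = ../../keys/tangled.pub;
+perHost =
+../../secrets/perHost
+|> lib.filesystem.listFilesRecursive
+|> builtins.filter (lib.hasSuffix "ssh.pub")
+|> map (value: {
+inherit value;
+name =
+value
+|> toString
+|> lib.splitString "/"
+|> lib.reverseList
+|> (list: lib.elemAt list 1);
+})
+|> builtins.listToAttrs;
+perYubikey = {
+"25388788" = ../../keys/yubikey-25388788.pub;
+"26583315" = ../../keys/yubikey-26583315.pub;
+};
+};
 nix = {
 pkgs = {
 config = {
@@ -33,19 +55,21 @@
 auto-optimise-store = true;
 extra-experimental-features = "flakes nix-command pipe-operator";
 extra-substituters = [
-# The NixOS and nix-community ones are set by default
+# cache.nixos.org is set by default
 "https://lpchaim.cachix.org"
-"https://hyprland.cachix.org"
+"https://nix-comunity.cachix.org"
 "https://nix-gaming.cachix.org"
 ];
 extra-trusted-public-keys = [
-"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
 "lpchaim.cachix.org-1:2xOuvojcUDNhJRzCpvgewQ2DdNZz3QzGVV4Z/7C+Lio="
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
 ];
+http-connections = 100;
 keep-derivations = true;
 keep-outputs = true;
 max-jobs = "auto";
+max-substitution-jobs = 100;
 trusted-users = ["root" "@wheel"];
 };
 };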
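Review bot: Line 60 adds the substituter `https://nix-comunity.cachix.org` (one `m`) while the trusted key on line 65 is for `nix-community.cachix.org`, so the intended cache is never consulted and the one that is consulted is a cachix namespace this repo does not control; paths it served should be refused for lacking a trusted signature, but that signature check is the only thing standing between a typo-squatted binary cache and every host reading this config. Change line 60 to `"https://nix-community.cachix.org"`. The `perHost` collector on lines 26-39 also needs a short comment: it keys each file ending in `ssh.pub` by its parent directory name (`lib.elemAt list 1` after reversing the path components), i.e. the host, and will silently pick up any future `*ssh.pub` dropped anywhere under `secrets/perHost`, which matters because these keys end up in `authorizedKeys`.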
+1 -1
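--- a/nix/lib/default.nix
+++ b/nix/lib/default.nix
@@ -7,7 +7,7 @@
 config = import ./config.nix args;
 flake = import ./flake.nix args;
 packages = import ./packages.nix args;
-secrets = import ./secrets.nix;
+secrets = import ./secrets.nix args;
 services = import ./services.nix args;
 storage = import ./storage args;
 strings = import ./strings.nix args;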
+4 -2
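--- a/nix/lib/secrets.nix
+++ b/nix/lib/secrets.nix
@@ -1,4 +1,4 @@
-rec {
+{lib, ...}: rec {
 paths = rec {
 root = ../../secrets;
 identities = root + /identities;
@@ -25,7 +25,9 @@
 args
 // {
 rekeyFile = let
-host = configOrHost.networking.hostName or configOrHost;
+host = configOrHost.networking.hostName
+or configOrHost.my.hostName
+or configOrHost;
 in
 paths.perHost + /${host}/${name}.age;
 };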
-1
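--- a/nix/nixos/configs/raspberrypi/default.nix
+++ b/nix/nixos/configs/raspberrypi/default.nix
@@ -13,7 +13,6 @@
 my = {
 ci.build = true;
 security.u2f.relaxed = true;
-syncthing.enable = false;
 };
 
 boot.kernelPackages = pkgs.linuxPackages_latest;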
+24 -17
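--- a/nix/nixos/modules/secrets/default.nix
+++ b/nix/nixos/modules/secrets/default.nix
@@ -1,26 +1,33 @@
 {
 config,
-inputs,
+self,
 lib,
 ...
 }: let
-inherit (inputs.self.lib.secrets.paths) root;
+inherit (self.lib.secrets.paths) root;
+inherit (self.lib.secrets) helpers;
 in {
-my.secrets = config.age.secrets;
-age = {
-secrets = let
-osSecrets = config.my.secretDefinitions;
-homeConfigs = config.home-manager.users;
-homeSecrets =
-homeConfigs
-|> lib.mapAttrs (_: val: val.my.secretDefinitions)
-|> builtins.attrValues
-|> lib.mergeAttrsList;
-in
-osSecrets // homeSecrets;
-rekey = {
-localStorageDir = root + /rekeyed/${config.networking.hostName};
-forceRekeyOnSystem = "x86_64-linux";
+options.my.secret.helpers = lib.mkOption {
+default = helpers;
+};
+
+config = {
+my.secrets = config.age.secrets;
+age = {
+secrets = let
+osSecrets = config.my.secret.definitions;
+homeConfigs = config.home-manager.users;
+homeSecrets =
+homeConfigs
+|> lib.mapAttrs (_: val: val.my.secret.definitions)
+|> builtins.attrValues
+|> lib.mergeAttrsList;
+in
+osSecrets // homeSecrets;
+rekey = {
+localStorageDir = root + /rekeyed/${config.networking.hostName};
+forceRekeyOnSystem = "x86_64-linux";
+};
 };
 };
 }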
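Review bot: `lib.mergeAttrsList` on line 24 is right-biased, so two home configurations that define the same secret name silently keep only the last one — and the home ssh module in this commit now defines user-scoped names (`"ssh"`, `"ssh-github"`, …) whose `owner` is the defining user, so if two users enable `my.ssh` on one host the first user's file is decrypted with the second user's ownership and the first user cannot read it. Both `emily` and `lpchaim` user modules exist here, so the collision is at least possible; either prefix home secret names with the username, or add an assertion that the per-user attribute sets are disjoint, e.g. compare `lib.length (lib.concatMap builtins.attrNames sets)` with `lib.length (builtins.attrNames (lib.mergeAttrsList sets))`. A comment on line 24 stating that later users win on duplicate names would help either way.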
+7 -6
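--- a/nix/nixos/modules/security/default.nix
+++ b/nix/nixos/modules/security/default.nix
@@ -1,12 +1,11 @@
 {
 config,
-inputs,
 lib,
 options,
 pkgs,
 ...
 }: let
-inherit (inputs.self.lib.secrets.helpers) mkSecret;
+inherit (config.my.secret.helpers) mkSecret;
 cfg = config.my.security;
 in {
 options.my.security = {
@@ -29,12 +28,13 @@
 };
 };
 config = lib.mkIf cfg.enable {
-my.secretDefinitions = {
+my.secret.definitions = {
 "u2f-mappings" = mkSecret "u2f-mappings" {
 group = "wheel";
 mode = "0440";
 };
 };
+
 environment.etc = let
 patch = svc:
 lib.replaceStrings
@@ -50,19 +50,20 @@
 };
 security.pam = {
 services = {
-login.u2fAuth = false;
-sshd.u2fAuth = true;
+login.u2fAuth = true;
 sudo.u2fAuth = true;
 };
 sshAgentAuth.enable = true;
 u2f = {
 inherit (cfg.u2f) control;
 enable = true;
-settings.authfile = "${config.my.secrets."u2f-mappings".path}";
 settings = {
 cue = true;
 appid = "pam://auth";
 origin = "pam://localhost";
+authfile = "${config.my.secrets."u2f-mappings".path}";
+pinverification = 1;
+userpresence = 0;
 };
 };
 };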
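Review bot: `userpresence = 0` on line 66 drops the touch requirement for both `login` and `sudo`, so a plugged-in key plus a PIN typed into an already compromised session completes authentication with no physical act; the PIN on line 65 becomes the only factor that code running as the user cannot supply by itself, and `sshAgentAuth` on line 56 already offers a touchless path for forwarded agents. Keeping presence for `sudo` at least would preserve the "something happened at the keyboard" property — the module's `settings` are global, so that means a dedicated pam_u2f line for sudo rather than this block. `cue = true` on line 61 presumably still prints a touch prompt that no longer corresponds to anything, and `sshd.u2fAuth` was dropped rather than set to `false`, so sshd falls back to the module default; a comment above `services` saying that sshd relies on key auth alone and why touch was traded for PIN would make both deliberate.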
+1 -1
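--- a/nix/nixos/modules/tailscale/default.nix
+++ b/nix/nixos/modules/tailscale/default.nix
@@ -34,7 +34,7 @@
 };
 };
 config = lib.mkIf cfg.enable {
-my.secretDefinitions = {
+my.secret.definitions = {
 "tailscale-oauth-secret" = mkSecret "tailscale-oauth-secret" {};
 };
 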
+1 -1
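--- a/nix/nixos/modules/users/emily.nix
+++ b/nix/nixos/modules/users/emily.nix
@@ -11,7 +11,7 @@
 options.my.users.emily.enable = lib.mkEnableOption "emily user";
 
 config = lib.mkIf cfg.enable {
-my.secretDefinitions = {
+my.secret.definitions = {
 "user.emily.password" = mkUserSecret "emily" "password" {};
 };
 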
+6 -1
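--- a/nix/nixos/modules/users/lpchaim.nix
+++ b/nix/nixos/modules/users/lpchaim.nix
@@ -6,6 +6,7 @@
 ...
 }: let
 inherit (config.my.config) name shell;
+inherit (config.my.config.ssh.publicKeys) perHost perYubikey;
 inherit (inputs.self.lib.secrets.helpers) mkUserSecret;
 userName = name.user;
 cfg = config.my.users.lpchaim;
@@ -13,7 +14,7 @@
 options.my.users.lpchaim.enable = lib.mkEnableOption "lpchaim user";
 
 config = lib.mkIf cfg.enable {
-my.secretDefinitions = {
+my.secret.definitions = {
 "user.lpchaim.password" = mkUserSecret "lpchaim" "password" {};
 };
 
@@ -28,6 +29,10 @@
 group = userName;
 shell = pkgs.${shell};
 hashedPasswordFile = "${config.my.secrets."user.lpchaim.password".path}";
+openssh.authorizedKeys.keyFiles =
+perYubikey
+// {inherit (perHost) laptop desktop;}
+|> builtins.attrValues;
 };
 };
 systemd.services.ollama.serviceConfig.ReadWritePaths = [config.users.extraUsers.${userName}.home];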
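Review bot: Lines 32-35 authorize the `laptop` and `desktop` per-host SSH keys on every machine that enables this user, so either workstation's decrypted `secrets/perHost/<host>/ssh.age` private key now opens all of them, including the server and the Raspberry Pi; for a personal fleet that may be acceptable, but it is a lateral-movement path that deserves an explicit comment, and the hardware-bound `perYubikey` entries would be the safer default if the host keys are only needed for unattended jobs. Line 10 still imports `mkUserSecret` from `inputs.self.lib.secrets.helpers` while the sibling modules in this commit switched to `config.my.secret.helpers`; `inherit (config.my.secret.helpers) mkUserSecret;` keeps the import consistent with the rest of the change.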
+25 -7
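--- a/nix/shared/secrets.nix
+++ b/nix/shared/secrets.nix
@@ -1,4 +1,5 @@
 {
+config,
 inputs,
 lib,
 ...
@@ -6,7 +7,7 @@
 inherit (inputs.self.lib.secrets) identities;
 in {
 options.my = {
-secretDefinitions = lib.mkOption {
+secret.definitions = lib.mkOption {
 description = "Secret definitions";
 default = [];
 };
@@ -16,11 +17,28 @@
 };
 };
 
-config.age.rekey = {
-masterIdentities = [
-identities.primaryYubikey
-identities.secondaryYubikey
-];
-storageMode = "local";
+config.age = {
+generators = let
+getBaseName = file: lib.escapeShellArg (lib.removeSuffix ".age" file);
+in {
+ssh-ed25519-keypair = {
+pkgs,
+file,
+...
+} @ args: let
+sshKeygen = lib.getExe' pkgs.openssh "ssh-keygen";
+in ''
+priv=''$${config.age.generators.ssh-ed25519 args}
+${sshKeygen} -yf /dev/stdin <<< "$priv" > '${getBaseName file}.pub'
+echo "$priv"
+'';
+};
+rekey = {
+masterIdentities = [
+identities.primaryYubikey
+identities.secondaryYubikey
+];
+storageMode = "local";
+};
 };
 }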
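Review bot: On line 32 the output path is written as `'${getBaseName file}.pub'`, but `getBaseName` on line 22 already wraps the path in `lib.escapeShellArg`, so the shell sees `''/path/to/ssh'.pub'`: the quotes cancel, the path itself is subject to word splitting and globbing after all, and only the `.pub` suffix is quoted — drop the outer quotes, `> ${getBaseName file}.pub`. Line 31's `priv=''$${…}` relies on the upstream `ssh-ed25519` generator expanding to a single parenthesised command so that prepending `$` yields a command substitution; if that script ever starts differently the assignment becomes a syntax error, so `priv="$( ${config.age.generators.ssh-ed25519 args} )"` is the robust spelling. The here-string on line 32 hands the fresh private key to bash, which on older versions spools it to a temp file; `printf '%s\n' "$priv" | ${sshKeygen} -yf /dev/stdin` keeps it in a pipe. A comment explaining that the `.pub` is deliberately written next to the `.age` so it can be committed as `secrets/perHost/<host>/ssh.pub` and picked up by `ssh.publicKeys.perHost` would also help.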
+2 -1
nix/shared/theming.nix
··· 1 1 { 2 + config, 2 3 inputs, 3 4 lib, 4 5 pkgs, ··· 13 14 image = lib.mkDefault wallpaper; 14 15 polarity = lib.mkDefault "dark"; 15 16 base16Scheme = lib.mkDefault "${base16}/stella.yaml"; 16 - cursor = { 17 + cursor = lib.mkIf config.my.profiles.graphical { 17 18 name = "catppuccin-latte-light-cursors"; 18 19 package = pkgs.catppuccin-cursors.latteLight; 19 20 size = 32;
secrets/perHost/desktop/ssh.age

This is a binary file and will not be displayed.

+1
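--- a/secrets/perHost/desktop/ssh.pub
+++ b/secrets/perHost/desktop/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOVKjCWhySfJtOx7bP1rh/w367Qtou0J7GtwG8X+ce9 desktop:ssh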
+10
secrets/perHost/laptop/ssh.age
··· 1 + age-encryption.org/v1 2 + -> piv-p256 0D9K1g A/vXNHdMHwxLGLRON2Pcuy9x4m4GTHUsEMlqb22DX7NB 3 + QsaKl2NIktY2J5YEFT7T+3ngAK7tGYGMoIKjPpXeZrM 4 + -> piv-p256 4lCx1w AtOsLHVqcBemob1K0M+Awj6Be6HUxKaSRBAloY/Z2wAk 5 + VskJ8BYn4VBe0hikVb71qFOJ/Zie6OkZAo+ESho7nX4 6 + -> mdQb\-grease W+U*uIIp 7 + eASYe6KoWfJEJ24olYLJNTGAQGov7AR8QK10F14G2zm0TwgbHbseffdvMjk6Y6Kv 8 + UZBhAqqSZkW5XzSFySXUEMUUcVBrJw 9 + --- f5YBSE5Wy6QykiADeFGde0YApQiBAcmSiFwpgpNbVyE 10 + �Q�4�/�8��������kq���w ������hr��IN��:-o��ߍ���ֱ���6��h �6��6���o�(�����qq�}���Pe��^�4�Y��RcLH4�C��#�S�Ζ����"�'e)����5�|�)�O��6��*�=�D�a��H���{o,��������ipy�ʹ����=�Y=V�sc�"�uEb��Vm�����Q+���{������}�̇���+�Z ���E�e�y��U����S�OeYB� 5_�8S�=u�>j,�1hznE"h��#��$��[�:$���a�w]9f�M)��ux*�b�9󒳞7�k�s�w��ܠ�_}XT��5�}�r���8�)ꚮ���.8P╮��_������x��ff��Y�I� �@ǜ+%�s㭾�pVt0%+��j�Ff#�5@Ds
+1
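--- a/secrets/perHost/laptop/ssh.pub
+++ b/secrets/perHost/laptop/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgKJ96fzBoXVrTZ/g3b/cFYRaGICYo92ZkQV8xXuO5E laptop:ssh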
secrets/perHost/pc082/ssh.age

This is a binary file and will not be displayed.

+1
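--- a/secrets/perHost/pc082/ssh.pub
+++ b/secrets/perHost/pc082/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIc1UkYgu+l2ZVl/kabkQAPQb41/ASaUosLfzHIsoiZy cheina:ssh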
secrets/perHost/raspberrypi/ssh.age

This is a binary file and will not be displayed.

+1
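--- a/secrets/perHost/raspberrypi/ssh.pub
+++ b/secrets/perHost/raspberrypi/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaVRXkQRy3zh6OhUDx59exQuQbpiX37XgyKVtAq1GYu raspberrypi:ssh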
secrets/perHost/raspberrypi/syncthing-cert.age

This is a binary file and will not be displayed.

+10
secrets/perHost/raspberrypi/syncthing-key.age
··· 1 + age-encryption.org/v1 2 + -> piv-p256 0D9K1g Am7IqsMHLkLVtiIkfHpI81ux8czgVs8/piBncZXoiRty 3 + P5x6Cj27i6UnLN16a+u/7ttuvCmpXBoWrlqtM5OrDuA 4 + -> piv-p256 4lCx1w A7pR2QoZMJxw2tzhiuEVsBWwv5C4s74kSIOBZyYoDsmv 5 + Pthsr2UWyBwuyavG0uBgE6vA1KvLg/RsEbvIPoyLUfk 6 + -> `&-grease n($ 7 + slgZ7o+oOrA6xW+iXPk+ 8 + --- JRsm8ddtmf0juu11DVFeHixddEVAVIMPOKe1Saxb+AU 9 + `���#������ >L�p�+w(�� �Qy���O H�H�5��geT}3�!��Nh���܆hJ��K�j�w,J�3fw`�bS"�� $ag���/+�����JI/�M �T7��DF�ߎ!��Uf 10 + �y�_�����?{G����}s:# _�ɚ
secrets/perHost/steamdeck/ssh.age

This is a binary file and will not be displayed.

+1
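--- a/secrets/perHost/steamdeck/ssh.pub
+++ b/secrets/perHost/steamdeck/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8yWMyWcpXHap62bBfa2OM9AKURy8tf1XXGCFbS5fId steamdeck:ssh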
+8
secrets/rekeyed/desktop/256d036f484aaadd21df5bfcff24ca06-u2f-mappings.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 RuV4dQ Laqg712sKWtPk33iWboJDGnf6I0YwFte7nKJEV1ZU0Q 3 + XmKsR6i672JTgrQjHOeqLoTC9Zr6g7e599AB/i+Ougc 4 + -> T.RK-grease {m42ymI; sw36/ 5 + bOio/L+9SGEPGRI 6 + --- udYHX08CyTSP1tRtZ4eNCIYlL9+lr4zd8dVxzCL5oek 7 + �}� �m�N��(.��e�DW�w����j����L�������f,���� 8 + m�/�� �m�j�i�a���i η�Y�U(^�l��N����fkAO>��FQ$W�/�a�ӮH�)K���Z[5`&8�u*y���.���:���9\��V;Ʈy�>����8���? ���%�^0�I���Y�/���h�s^��+q�Y�]��*3)P���~y�S�Fy���h5�rH�J��c���ɌQ�3�=�Ǯ�D�=.�1rJ�J������O1�t���V[��O���]����cQbD l�ȓcr�~WH6��BN�NgcHb�~1�M����<%��[i<��7GKx���T��W�+4�#�:�'@����W�Gg�b�RahT�� /j�ra?6�T����k=�-����@�/�7�=�y�
secrets/rekeyed/desktop/3de6f93d67eced91f4cfe2c09faf04d6-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/rekeyed/desktop/4ddef40b2a305f09d349b5d628456607-ssh-yubikey-26583315.age

This is a binary file and will not be displayed.

secrets/rekeyed/desktop/7e81191fbfe0b1a820afeb06d633552e-ssh-yubikey-25388788.age

This is a binary file and will not be displayed.

secrets/rekeyed/desktop/9a7ac932e1cfcb87703285d025b6643d-ssh-tangled.age

This is a binary file and will not be displayed.

secrets/rekeyed/desktop/ac260ef3838671bb0e62f50879dc5343-ssh.age

This is a binary file and will not be displayed.

secrets/rekeyed/desktop/c80c4e8bec38b1380730a73e71dff8b2-ssh-github.age

This is a binary file and will not be displayed.

secrets/rekeyed/laptop/05a83993ffd4eb9ddab56b4832dfabec-ssh-yubikey-26583315.age

This is a binary file and will not be displayed.

secrets/rekeyed/laptop/0a2654ce82949ab68784f9891f20c5a1-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/rekeyed/laptop/2990df371b9c43aa3a6ad4025ef59155-ssh-yubikey-25388788.age

This is a binary file and will not be displayed.

secrets/rekeyed/laptop/42b3bd8ea24392190a5171cb28eac5d7-ssh-tangled.age

This is a binary file and will not be displayed.

secrets/rekeyed/laptop/5c9bdc30417a0efd64cad63be1925bd8-ssh.age

This is a binary file and will not be displayed.

+11
secrets/rekeyed/laptop/7e399c867c57dcabcfa0c8e4194a8a4a-u2f-mappings.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 9M20hg MW6mBCPqJiijZ97nv9Qoo0xZNTJBaxXn54YQsmXhBF4 3 + j+4TFR7mtuyB6NvfLiPkpQ8hgYqcf56WaR3fKHkM1WY 4 + -> GP>)l4/j-grease CVrJq6j( F P3Y:bu= 0LJ 5 + hPKia89d0nhA3v8/kht1lfQh2tJ85KDdYCkpzkSeSsSiR0NfkC0xoBY 6 + --- EcyGiAjfXjomCvPKM7Sgk4H232GqKX2bQ6clr/bh8c0 7 + ��7foC!bB)�ӓ�U� �Xi�fsπ���¯�4�����f^�u���;�9W5AH�S��#'�`�!�,��3z�Iن:IQ�<�K 8 + ��'C�v�b=z��腕B(���� �� ���+k���L�#�X��n%�WP�=���5���mlv�� 9 + ������LV<��!N��� /x9�t\��<�ߧ��J�k`_�Z����,�_�wA�� �Oc���TPUxq�@������e"���)`�f�w(� 10 + ��w�٫(r|���8� 11 + ���]3P���p�pC���#�e�O�F� -�;V�N�2ǜA�¶$������E�k�m��-C���v`� �E?����e@qF:D�9�� �`����L;��&(gH*����Ul v'��g&�S9 M)I���J��`�
secrets/rekeyed/laptop/f0c046910d790931d1ff4789e0f588b6-ssh-github.age

This is a binary file and will not be displayed.

secrets/rekeyed/pc082-cheina/18a816b34ca0643f11634f90b9081a73-ssh-yubikey-25388788.age

This is a binary file and will not be displayed.

secrets/rekeyed/pc082-cheina/651a6294d9d25e7b9699b2f79eaab951-ssh-yubikey-26583315.age

This is a binary file and will not be displayed.

+18
secrets/rekeyed/pc082-cheina/9638da8e247c4fd6d2c59ce49ff81ba2-ssh-tangled.age
··· 1 + age-encryption.org/v1 2 + -> ssh-rsa EE65jg 3 + dpry/wb/MOLJ8jons5SxErXJWm9FhJKaBYtb7bN7yOKg0oh1fXfvA7IxKZkCN5ng 4 + 7UsACA4UPEqnaB0ogerrM2MWo5NnvzGZBXBvZ0/Qz2LXgf8ybfuTN24wfnsQl+yn 5 + hOIncK+pSU7bPjfy89iAaup5Y1ZKuc/RgVxqqgBkt5maY5RYYivKFVytVZnDP47s 6 + X1IpN6+Df1rmN/NO/BIWp/JQeQXX0sJ1nnH2cnliqLNHc/MNzxYWoL2AJCgE/on+ 7 + bhLJpIzq6RhxHLp7s1XkLd1hltxRLsYctF78wNFZD9euIeIiRNpJKOaVNx24PHDY 8 + 62HVI4nnmY2Pb11ruVwmlm73R+OmQI4qzl4lusNq3RWq4nglwHJqtC1LA8nklL90 9 + ScUGA015YCHeIVnbEaj31T3fkHyTsPhHAloKE+g9wnz5Q/gNWRjblf62geHiUoMt 10 + rJLTOBz/ntJochZLMWiGMmdFUWau51lJX+HlfGEzNF0x+03xy8CBTZ3K4mddHidY 11 + 12 + -> |e;&N>-grease o 6 13 + L+WBLCW3ZoI 14 + --- nHTWl9x07fmsauF+4KXkOFns7sePsnL9DBzCo1SaMdY 15 + 2���b���N�T�x�z���#���SKI���X�u'̇3�j&��;D�^�'P���^��������b��8d�W����Se����aC����*��C26�<���xi5jYw����8r��4��C���$�YQñ�jtc��D�{L6�?iY���P� �fh&shl��k���y�YuT�ݨ�H���ɚt�f5���b 16 + �r��I^k�7 v��5�fl�J����E�$Wm�*CAo���A�!e��6�hb�=,��@WubT)u;��������*8ױu��Ћ=�hFP�/7y�_� 17 + ��5d^[s�ۓ������d��k 18 + N�\����*��{���!�G��'���\��B!{�K�8����*0�Ί������#��KK�T#����{mS��M �A�}�� �Ĉ���qyi�J��p�_Ш��[b֏��z�0�!��
secrets/rekeyed/pc082-cheina/b829a5e8da33fae572291bc718910a28-ssh.age

This is a binary file and will not be displayed.

secrets/rekeyed/pc082-cheina/e367c542136174adaf1a2ee3c7c8ea21-ssh-github.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/1e2794c6efa4e66afe56225bee81b228-ssh-github.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/2a9039df6bc40c2c1443020e50b868ca-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/3b240c6f6af979f98088264bbc1f3bbf-ssh-tangled.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/74c4d42d7f184a8c7e62e39bc05052a3-ssh.age

This is a binary file and will not be displayed.

+9
secrets/rekeyed/raspberrypi/7ca16fe6117bbd91659e9b8307f78897-host.syncthing-key.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 7Q9N6w o+TcXJRjZvaY9/Zl+bcNjKJMrL9Nj8ux47r69M37DCU 3 + 0y2P7E82Y0m3e8+TdZpmaP2/j1cKXx97y4yVFJm8OlU 4 + -> A-grease %jW7': 5 + Hn+IQl3GLt9oGQrR4bZGlmL5QkBoDjoKCkWBky5judIyoeTpSkmlWsT74z0bJq/R 6 + OBavRw4SOC5PU2fQOw 7 + --- bNU4OmG0/sXPSjT34zNKTw9qCv2H/KlTWcdmuZX7y9Y 8 + ���nM�h?���E�� ;��X�=9��R*�+�&���0��= eVx�`O�2������4fgh�,*?E^��Z4#�ş*�,>]�����:r/��d|���0 9 + :@��?+��2uI�g�����X�O9;.OߑT<N��s�7�\̊Џ�dۻ
secrets/rekeyed/raspberrypi/9c58b7fdc258aa701e7a63d61f882ef3-ssh-yubikey-25388788.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/d82ca35ed0162f0dbce685ad556b29bb-host.syncthing-cert.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/f042f14639e0c43ecfe76cf43e72f600-u2f-mappings.age

This is a binary file and will not be displayed.

secrets/rekeyed/raspberrypi/fe76a352418bb3d87224707d63fe24c3-ssh-yubikey-26583315.age

This is a binary file and will not be displayed.

+10
secrets/ssh-github.age
··· 1 + age-encryption.org/v1 2 + -> piv-p256 0D9K1g AuVlbrfXnCTxwQKinl/O3rEpAzte7v57pWsfwgdzljx1 3 + VyrjnF8OGb8tDUCckjbfLR7//rZ2E1j/lFBX17zxWX0 4 + -> piv-p256 4lCx1w A60CDwEtNPVNHVUIvDG62ZY/9pwbpiyfLDTp0LG+xJFG 5 + Pzf24p+ykXtWoqQ2ntWwaMtP5ssWr9oqMvbf6F5LcDE 6 + -> jj;em.-grease : 13v 7 + tCKmxXJtiNJc0BIz2Gvp 8 + --- dRW+PVH9n9vyt6tEexjeFYZgDI2T8zAAqvuBe0SaDVY 9 + ЪI�3�n���Q�*u��4q��F���������-�)ݝ�27Ώs�����ʁ��;id�8���_�%ʟ���e�'C�/]�5���J�x�(c�!��R3�Ek�S*%״6��c����K(1����v��B�;�ʮN���A�I ��J}v�F �D�)b�=O�M�����6�b7���B�R5�\�� 10 + �i]�V��G���B� %�gZ,��rAqT�b�p(�|.\_� ��A�F��QWl�S�C�w}�8���;���b$+Cl%3��S@��"HV��2�NyTA���ZAP:e��� ����_��V�MK�ZP��DT��� �A|X[-������\n�՟�&�K��o�������~�d�����*�B�ΦJn��a�p�/f�������8�f���J��WqW�?r�,l��X�/m'�P$��u�sN����
+10
secrets/ssh-tangled.age
··· 1 + age-encryption.org/v1 2 + -> piv-p256 0D9K1g ArQSPYAofq2Fb54hHp4Ub2uub8FpMa5nxdfzVv7BejiE 3 + p/NozKtVyJcgZRGE/VDcpQ1ka69xxeI7k/sULkya8e8 4 + -> piv-p256 4lCx1w A9jAJVP8zQQwOn0Jh4WDVJOwvblzbNE0VoqLnVsYT2nd 5 + gvsyu9fyqIhBrKWIwxRqy52b7/6aMlpNaxrzJPCDFKY 6 + -> pp8=S1]-grease 7 + o8fPd8FeAs6ceOQdqYM/+71UafDRHhA9ryZvxSCkSjs210hyXp0g4IPm2A 8 + --- W8P5Gem5ddnjfz9Bx4TJGjRDuunDBeEB0qhBuqez0jk 9 + �·a���; �Ƣ���t�G�� 10 + S(�UdMs-�X�ϓ�p�dd �T�����P1�k�u���q)��]g�:;D'�K��Ew�k>$(l�`����=�_�i��oϤ�i������i�������[`���ƒ���?�zt���`��;�v����B-!�CJVy�@.�����'�֮��p{ֆ5�����.D�#�쏽���Sn��S�?Ӟ������vT�!����Y����6H���1�����)(|�cm仡��m紩�1��}d��-����n��X���O�ȹ@z��/N�j�z]�!>g1s9�4 �e�З�����Ҽ�U���V(�A��j�:�@��{�d�����x��^\�,�՞��/�E��<�|�1Xr�zN�r�yK.��(䟹AmU9�,�����W�L�U�p ��W��T�ᾅJӿ
secrets/ssh-yubikey-25388788.age

This is a binary file and will not be displayed.

secrets/ssh-yubikey-26583315.age

This is a binary file and will not be displayed.

secrets/u2f-mappings.age

This is a binary file and will not be displayed.