nix-config/modules/rekey.nix

{
  lib,
  config,
  pkgs,
  stdenv,
  options,
  ...
}: {
  config = with lib; let
    secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
    drv = import ./rekey-drv.nix pkgs config;
  in
    mkIf (config.rekey.secrets != {}) {
	  # export all secrets to agenix with rewritten path from rekey
      age = {
        secrets = let
          secretPath = "${drv}/";
          newPath = x: "${secretPath}/${x}.age";
        in
          mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
      };

      # Warn if rekey has to been executed
	  # use the drvPath to prevent nix from building the derivation in this step
	  # drvPath is not outPath so this warning does not work
	  # to fix it you would need some kind of way to access the outPath without evaluating the derivation
      #warnings = optional ( ! pathExists (removeSuffix ".drv" drv.drvPath)) ''
	  #  Path ${drv.drvPath}
      #  Rekeyed secrets not available.
      #  Maybe you forgot to run "nix run '.#rekey'" to rekey them?
      #'';
    };

  options = with lib; {
    rekey.secrets = options.age.secrets;
    rekey.pubKey = mkOption {
      type = types.coercedTo types.path builtins.readFile types.str;
      description = ''
        The age public key set as a recipient when rekeying.
        either a path to a public key file or a string public key
        **NEVER set this to a private key part**
        ~~This will end up in the nix store.~~
      '';
      example = /etc/ssh/ssh_host_ed25519_key.pub;
    };

    rekey.masterIdentityPaths = mkOption {
      type = types.listOf types.path;
      description = ''
        A list of Identities used for decrypting your secrets before rekeying.
        **WARING this will end up in the nix-store**
        Only use yubikeys or password encrypted age keys
      '';
    };

  };
}
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`{`
			`lib,`
			`config,`
			`pkgs,`
			`stdenv,`
			`options,`
			`...`
			`}: {`
feat: rekey funktioniert. 2023-01-28 18:41:31 +01:00			`config = with lib; let`
			`secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;`
chore: implemented warning 2023-01-28 20:10:55 +01:00			`drv = import ./rekey-drv.nix pkgs config;`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`in`
feat: rekey funktioniert. 2023-01-28 18:41:31 +01:00			`mkIf (config.rekey.secrets != {}) {`
Fix: removed unusable warning in rekey module 2023-02-07 14:30:39 +01:00			`# export all secrets to agenix with rewritten path from rekey`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`age = {`
			`secrets = let`
chore: implemented warning 2023-01-28 20:10:55 +01:00			`secretPath = "${drv}/";`
feat: rekey funktioniert. 2023-01-28 18:41:31 +01:00			`newPath = x: "${secretPath}/${x}.age";`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`in`
feat: rekey funktioniert. 2023-01-28 18:41:31 +01:00			`mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`};`
Fix: removed unusable warning in rekey module 2023-02-07 14:30:39 +01:00
			`# Warn if rekey has to been executed`
			`# use the drvPath to prevent nix from building the derivation in this step`
			`# drvPath is not outPath so this warning does not work`
			`# to fix it you would need some kind of way to access the outPath without evaluating the derivation`
			`#warnings = optional ( ! pathExists (removeSuffix ".drv" drv.drvPath)) ''`
			`# Path ${drv.drvPath}`
			`# Rekeyed secrets not available.`
			`# Maybe you forgot to run "nix run '.#rekey'" to rekey them?`
			`#'';`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`};`

			`options = with lib; {`
			`rekey.secrets = options.age.secrets;`
			`rekey.pubKey = mkOption {`
Fix: removed unusable warning in rekey module 2023-02-07 14:30:39 +01:00			`type = types.coercedTo types.path builtins.readFile types.str;`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`description = ''`
			`The age public key set as a recipient when rekeying.`
			`either a path to a public key file or a string public key`
			`NEVER set this to a private key part`
			`~~This will end up in the nix store.~~`
			`'';`
			`example = /etc/ssh/ssh_host_ed25519_key.pub;`
			`};`

			`rekey.masterIdentityPaths = mkOption {`
			`type = types.listOf types.path;`
			`description = ''`
			`A list of Identities used for decrypting your secrets before rekeying.`
			`WARING this will end up in the nix-store`
feat: rekey funktioniert. 2023-01-28 18:41:31 +01:00			`Only use yubikeys or password encrypted age keys`
WIP: rekey module to rekey all secrets using the yubikey Work apart from interactivity. Pins are thus currently unsopported Will be supperseeded by a flake runable to rekey secrets on demand 2023-01-28 02:50:14 +01:00			`'';`
			`};`

			`};`
			`}`