feat(secrets)!: Replace sops with agenix-rekey
sops-nix is tending to be fairly complex for our use-cases, which adds
difficulty to deploying, maintaining our wrapper module, keeping
".env.bin" files, etc.
agenix-rekey is a lot simpler.
Notable in this commit is the `// { outputPath = ...; }` hack in
flake.nix. This is needed because snowfall-lib otherwise butchers paths
such that agenix-rekey is unable to show us what secrets exist with
`agenix edit`, etc. The companion to that is the lib.snowfall.fs stuff in
the secrets/default.nix file.
Change-Id: Id3e79cfc7d37a7b7de7b8cc42f7392c4d8bd07c5
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/801
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/secrets/keys/minion/collabora-yubikey.pub b/secrets/keys/minion/collabora-yubikey.pub
new file mode 100644
index 0000000..a3061c2
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 20652804, Slot: 1
+# Name: MINION_COLLABORA_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:55:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ
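Review bot: The final `AGE-PLUGIN-YUBIKEY-1…` line in this file, and in iyubikey.pub and tiny-yubikey.pub below, is undocumented and reads like committed key material in a file named `.pub`, which secret scanners and later reviewers are likely to flag. It is an age-plugin-yubikey identity stub that only points at the token and slot, so a one-line comment above it would settle the question, e.g. `# Identity stub: refers to the YubiKey slot above; the private key never leaves the token`. All three identities sit under keys/minion, so they presumably belong to one person. If they are the only master identities, the repo docs should say who can rekey and how recovery works when those tokens are unavailable.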
diff --git a/secrets/keys/minion/iyubikey.pub b/secrets/keys/minion/iyubikey.pub
new file mode 100644
index 0000000..ec49feb
--- /dev/null
+++ b/secrets/keys/minion/iyubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 24039462, Slot: 1
+# Name: MINION_iYUBIKEY
+# Created: Sun, 21 Jul 2024 12:57:17 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA
diff --git a/secrets/keys/minion/tiny-yubikey.pub b/secrets/keys/minion/tiny-yubikey.pub
new file mode 100644
index 0000000..0838d68
--- /dev/null
+++ b/secrets/keys/minion/tiny-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 23751432, Slot: 1
+# Name: MINION_TINY_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:49:01 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0
diff --git a/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-clicks.services.headscale.private_key_path.age b/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-clicks.services.headscale.private_key_path.age
new file mode 100644
index 0000000..a50c96a
--- /dev/null
+++ b/secrets/rekeyed/teal/035988d5aa30b83dbdb77a1c7546d45b-clicks.services.headscale.private_key_path.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA PxPtfASwbluRZaarn28rBJId3YuASEjV+7NC4KcXkUA
+vRy+qGCBKcs8QvlPRalY7SGKNLM/9ePMMM9Teoc1qXE
+-> !-grease Ib, "%_
+bQhUIOKRzSZIr1vX9lFkXNa0PuvEjOCzXOfIda/AjZ8heizSWbNNzP9HIR1ApGwn
+hJpRlYlSab4tkHnJZEOMdDNpOeTR7MQ7hLg
+--- ToA9JamqQKKy+94TIdE8tl+aOnjm/X3dlSB9Ftii0GA
+½ÍASQÿº:MÆwëÿÜ¢e|À°v?¯è®ÄÃh-}üDKD©ÆïóWÃtz-¼UE Æ@.E./lá0<.«n:F<$å·ÙX_ÿG¦Æ½
+#TâH½ö4
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-clicks.networking.tailscale.authKeyFile.age b/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-clicks.networking.tailscale.authKeyFile.age
new file mode 100644
index 0000000..fc078c7
--- /dev/null
+++ b/secrets/rekeyed/teal/25168036ffa14e9d60c809ab19491686-clicks.networking.tailscale.authKeyFile.age
Binary files differ
diff --git a/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-clicks.services.headscale.database_password_path.age b/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-clicks.services.headscale.database_password_path.age
new file mode 100644
index 0000000..fc7569b
--- /dev/null
+++ b/secrets/rekeyed/teal/46041cde522a863d67318a4f79e6edb2-clicks.services.headscale.database_password_path.age
Binary files differ
diff --git a/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-clicks.services.headscale.oidc.client_secret_path.age b/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-clicks.services.headscale.oidc.client_secret_path.age
new file mode 100644
index 0000000..ede49f5
--- /dev/null
+++ b/secrets/rekeyed/teal/6af45862331f8b280a01e768b1736fc4-clicks.services.headscale.oidc.client_secret_path.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA FzEL+Xaw+yFAZNdTtrpDr1j3fV3QAENHM9zbmykHtTg
+IEiyq2hbwYorxvb3rxwLj0RZrAFnATz63tOvG1nqXoA
+-> tWj,IJ>N-grease
+wgJnIL2gnA9LaFebTsKncKeNo7b86lmPfpWRe3Mll8rESaifEJuKeetzlRieU2Je
+GL03hZVs836MEv9NU34rB3wIuCky+yTMHOq+cfk/a8EYxj+3fQ
+--- Vu4jHUeusiQ9+XWSnDeiCYBFMeVVJQzmjMN3l/KOl2w
+,å&3ÜW1ì;à%ÔáqÂö(@]ñjâÞ·-Ø9na9¬'1piáæê£D'Åú¶úûà×z£e
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-clicks.services.headscale.noise_private_key_path.age b/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-clicks.services.headscale.noise_private_key_path.age
new file mode 100644
index 0000000..f719687
--- /dev/null
+++ b/secrets/rekeyed/teal/77463521eace182e324bbe5a15d2e4ca-clicks.services.headscale.noise_private_key_path.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA jawiGDhN98fuOhz7f+UXHTyCZQdbb+BT1vBsowuJOVA
+yCjkR8A9GEHPEO9kkXBpljXTMy0PIR8cbVz9oTCMXP8
+-> *\J<1-grease
+KwZlxA
+--- flducxiyeXeYWvX9YgJh5/PBLTu6Epdzkkau/YOMheM
+ØÓO;`s?¡tptªQrØyÔÁÛW~)Ð`ßÅÝÚÒëüèFKbÚrkWbÓBwc{q[Þ
oJaôI·âj¿ÎDÉH%ô¡®ø«ù%Fn¨
\ No newline at end of file
diff --git a/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-clicks.security.acme.defaults.environmentFile.age b/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-clicks.security.acme.defaults.environmentFile.age
new file mode 100644
index 0000000..88b5816
--- /dev/null
+++ b/secrets/rekeyed/teal/86966bd336d1cbac315b909759eb9039-clicks.security.acme.defaults.environmentFile.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 BfRbTA F3wDStnzHGo44nFGHzvwkzayXr0ACLaMgWJPruIXT0M
+Ii6WDkM/IQA8OUQHuMLo6orko+qOxreSpyeclrXs/Qw
+-> a0v-grease :P.6 V) WO=JTd+
+0IKo7rm6uzGXXZFYdex5SzmE+l3c3YECTg5MY3XMx6worvbkLVPm4/zJTEoXTqUc
+VH8J64o
+--- HdEFiENd3nYo4fQMvKxpr2+VHIdk42sSCdsiqB8pubs
+»ñÌͯj'Gçn
+Äål/àöe©ëÓrÒe×£` á[]Õ¬tSúû´öØæîz¥vFÛ?»1Z4è®ØÖ78Ë
Ǭ{&Aî¸`
\ No newline at end of file