commit 67cf8aa3731dca126803bc3a24a14b6a5fb81ea4
author Skyler Grey <sky@a.starrysky.fyi> Sun Jul 28 13:21:32 2024 +0000
committer Skyler Grey <minion@clicks.codes> Fri Aug 02 19:46:49 2024 +0000
tree 08152526b8813a18e586e75da77f152f6e54f7db
parent d938392fe420e2f68177cb78668e7ce59d20d6ef

feat(secrets)!: Replace sops with agenix-rekey

sops-nix is tending to be fairly complex for our use-cases, which adds
difficulty to deploying, maintaining our wrapper module, keeping
".env.bin" files, etc.

agenix-rekey is a lot simpler.

notable in this commit is the `// { outputPath = ...; }` hack in
flake.nix. This is needed due to snowfall-lib otherwise butchering paths
such that agenix-rekey is unable to show us what secrets exist with
`agenix edit`, etc... companion to that is the lib.snowfall.fs stuff in
the secrets/default.nix file

Change-Id: Id3e79cfc7d37a7b7de7b8cc42f7392c4d8bd07c5
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/801
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>

secrets/keys/minion/collabora-yubikey.pub

diff --git a/secrets/keys/minion/collabora-yubikey.pub b/secrets/keys/minion/collabora-yubikey.pub
new file mode 100644
index 0000000..a3061c2
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+#       Serial: 20652804, Slot: 1
+#         Name: MINION_COLLABORA_YUBIKEY
+#      Created: Sun, 21 Jul 2024 12:55:44 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ