Add machines.keys config and reorganize key structure

- Add config.machines.keys for machine-specific keys (private keys live on that machine)
- Move desktop SSH key to machines.keys.desktop.ssh
- Fix extractName to preserve "yubikey" (only strip .key/.pub extensions)
- Rename key files for clarity (android -> graphone, primary -> yubikey)
- Add age yubikey key for encrypted backups
- Add README files to document key purposes
- Update all machine configs to import system config

src/system/machines/desktop/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
     ./modules/disko

src/system/machines/desktop/system.nix

@@ -13,7 +13,7 @@ in
       isNormalUser = true;
       extraGroups = config.user.groups
         ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
-      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.android}" ];
+      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.graphone}" ];
     };
   };
 

src/system/machines/server/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
   ];

src/system/machines/server/system.nix

@@ -12,13 +12,12 @@
     backup = {
       enable = true;
       recipients = [
-        # TODO: Add your age recipients
-        # "${config.user.keys.age.yubikey}"
-        # "${config.user.keys.ssh.desktop}"
+       "${config.user.keys.age.yubikey}"
+       "${config.machines.keys.desktop.ssh}"
       ];
       destination = "gdrive:backups/server"; # TODO: configure rclone remote
       schedule = "daily";
-      keepLast = 7;
+      keepLast = 2;
     };
   };
 
@@ -27,7 +26,7 @@
       isNormalUser = true;
       extraGroups = config.user.groups;
       openssh.authorizedKeys.keys = [
-        "${config.user.keys.ssh.desktop}"
+        "${config.machines.keys.desktop.ssh}"
       ];
     };
   };

src/system/machines/vm/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
   ];

src/system/machines/vm/system.nix

@@ -8,7 +8,7 @@
     ${config.user.name} = {
       isNormalUser = true;
       extraGroups = config.user.groups;
-      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ];
+      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.yubikey}" ];
     };
   };
 

src/system/machines/workstation/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
   ];

src/system/machines/workstation/system.nix

@@ -10,7 +10,7 @@ with lib;
       extraGroups = config.user.groups
         ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
       openssh.authorizedKeys.keys = [ 
-        "${config.user.keys.ssh.primary}" 
+        "${config.user.keys.ssh.yubikey}" 
         "${config.user.keys.ssh.work}" 
       ];
     };

src/system/machines/wsl/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./system.nix
   ];
 }

src/system/machines/wsl/system.nix

@@ -9,8 +9,7 @@
       isNormalUser = true;
       extraGroups = config.user.groups;
       openssh.authorizedKeys.keys = [ 
-        "${config.user.keys.ssh.primary}" 
-        "${config.user.keys.ssh.windows}" 
+        "${config.user.keys.ssh.yubikey}" 
       ];
     };
   };