Add machines.keys config and reorganize key structure

- Add config.machines.keys for machine-specific keys (private keys live on that machine) - Move desktop SSH key to machines.keys.desktop.ssh - Fix extractName to preserve "yubikey" (only strip .key/.pub extensions) - Rename key files for clarity (android -> graphone, primary -> yubikey) - Add age yubikey key for encrypted backups - Add README files to document key purposes - Update all machine configs to import system config
2026-03-24 08:39:42 -04:00 · 2026-03-12 15:17:46 -04:00 · 2026-03-12 15:17:46 -04:00 · 960904cbd9
commit 960904cbd9
parent 570a321e53
24 changed files with 94 additions and 20 deletions
--- a/src/user/config/default.nix
+++ b/src/user/config/default.nix
@ -14,7 +14,7 @@ in
        name = "bryan";
        email = "bryan@ramos.codes";
        shell = bash;
-        keys = import ./keys;
+        keys = import ./keys { inherit lib; };

        groups = [ "wheel" "networkmanager" "home-manager" "input" ];
        bookmarks = import ./bookmarks;
--- a/src/user/config/keys/age/README.md
+++ b/src/user/config/keys/age/README.md
@ -0,0 +1,3 @@
+# Age Keys
+
+yubikey.pub.key - Cold storage backup for age encryption
--- a/src/user/config/keys/age/yubikey.pub.key
+++ b/src/user/config/keys/age/yubikey.pub.key
@ -0,0 +1 @@
+age1yubikey1qfapxqnnkh92zkgayzzm9n0gtpkwaqcvrzy4d4xa4rxnjua8vjhy72hh9r9
--- a/src/user/config/keys/default.nix
+++ b/src/user/config/keys/default.nix
@ -1,13 +1,17 @@
+{ lib }:
+
 with builtins;
 let
-  extractName = string:
+  extractName = filename:
    let
-      metadata = [
-        "pub" "public" "priv" "private"
-        "key" "file" "." "_" "-" "pk"
-      ];
-    in
-      replaceStrings metadata (builtins.map (_: "") metadata) string;
+      # Remove .key extension
+      noKey = lib.removeSuffix ".key" filename;
+      # Remove .pub/.priv/.public/.private markers
+      noMarkers = replaceStrings
+        [ ".pub" ".priv" ".public" ".private" ]
+        [ "" "" "" "" ]
+        noKey;
+    in noMarkers;

  constructKeys = dir: (
    listToAttrs (
@ -17,7 +21,10 @@ let
          map (file: {
            name = extractName file;
            value = readFile "${dir}/${subdir}/${file}";
-          }) (filter (node: (readDir "${dir}/${subdir}").${node} == "regular") (attrNames (readDir "${dir}/${subdir}")))
+          }) (filter (file:
+            (readDir "${dir}/${subdir}").${file} == "regular" &&
+            lib.hasSuffix ".key" file
+          ) (attrNames (readDir "${dir}/${subdir}")))
        );
      }) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
    )
--- a/src/user/config/keys/pgp/README.md
+++ b/src/user/config/keys/pgp/README.md
@ -0,0 +1,5 @@
+# PGP Keys
+
+yubikey.pub.key -
+work.pub.key -> bryan.ramos@concurrent-rt.com
+ccur.pub.key -> ?
--- a/src/user/config/keys/pgp/yubikey.pub.key
+++ b/src/user/config/keys/pgp/yubikey.pub.key
--- a/src/user/config/keys/ssh/README.md
+++ b/src/user/config/keys/ssh/README.md
@ -0,0 +1,5 @@
+# SSH Keys
+
+yubikey.pub.key -> PGP derived from `pgp.yubikey.pub.key`
+work.pub.key - ?
+graphone.pub.key -> For Android `pass`
--- a/src/user/config/keys/ssh/desktop.pub.key
+++ b/src/user/config/keys/ssh/desktop.pub.key
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYXfu4Jc/HtdyhOfAdCXYzhqCubIq3Bz6Kl9NDUov76 bryan@desktop
--- a/src/user/config/keys/ssh/graphone.pub.key
+++ b/src/user/config/keys/ssh/graphone.pub.key
--- a/src/user/config/keys/ssh/yubikey.pub.key
+++ b/src/user/config/keys/ssh/yubikey.pub.key
				`@ -0,0 +1 @@`
				`age1yubikey1qfapxqnnkh92zkgayzzm9n0gtpkwaqcvrzy4d4xa4rxnjua8vjhy72hh9r9`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYXfu4Jc/HtdyhOfAdCXYzhqCubIq3Bz6Kl9NDUov76 bryan@desktop`