From 1c0271bc2abd454bdc1a1c8c4d63408d03b82163 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Sun, 15 Mar 2026 11:22:09 -0400
Subject: [PATCH 1/3] removed yubikey

---
 secrets/README.md | 72 -----------------------------------------------
 1 file changed, 72 deletions(-)

diff --git a/secrets/README.md b/secrets/README.md
index 56eb406..92e28d4 100644
--- a/secrets/README.md
+++ b/secrets/README.md
@@ -66,75 +66,3 @@ sops -d secrets/system/wifi.yaml # Update .sops.yaml with new keys, then: sops updatekeys secrets/system/wifi.yaml ``` - -## Migrating to Yubikey - -### 1. Generate a new age identity on Yubikey - -```bash -# Insert Yubikey and run interactive setup -age-plugin-yubikey - -# Follow prompts: -# - Select slot (default: 1) -# - Set PIN policy (default: once per session) -# - Set touch policy (recommended: always) -# -# This generates a NEW key on the Yubikey - you will not know the private key. -# Save the identity to the keys directory: -age-plugin-yubikey --identity > src/user/config/keys/age/yubikey -``` - -The identity file only contains a *reference* to the Yubikey, not the private key. -It will be deployed to `~/.config/sops/age/keys.txt` on rebuild. - -### 2. Update .sops.yaml with Yubikey public key - -```bash -# Get the public key (age1yubikey1...) -age-plugin-yubikey --list - -# Edit .sops.yaml and replace/add the key: -vim .sops.yaml -``` - -```yaml -keys: - - &yubikey age1yubikey1q... # your Yubikey public key - -creation_rules: - - path_regex: secrets/.*\.yaml$ - key_groups: - - age: - - *yubikey -``` - -### 3. Re-key all secrets against the new key - -```bash -# This decrypts with your OLD key and re-encrypts with the NEW key -find secrets -name "*.yaml" -exec sops updatekeys {} \; -``` - -You'll need your old key available during this step. - -### 4. Remove the old age key (optional) - -```bash -# Once all secrets are re-keyed and tested: -# 1. Remove old key from .sops.yaml -# 2. Delete the old key file from the repo: -rm src/user/config/keys/age/local # or whatever your test key was named -``` - -### 5. Test decryption with Yubikey - -```bash -# Should prompt for Yubikey touch/PIN -sops -d secrets/system/wifi.yaml - -# Test a full rebuild -sudo nixos-rebuild switch --flake .#desktop -``` - -If decryption works, your migration is complete. From 94caab1cea4b1cede9074c2c69e735de0377dd37 Mon Sep 17 00:00:00 2001 
From: Bryan Ramos Date: Sun, 15 Mar 2026 11:51:06 -0400 Subject: [PATCH 2/3] tooling improved --- flake.nix | 7 +++++++ system/machines/server/modules/backup/default.nix | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 5e301c6..ff6d08b 100644 --- a/flake.nix +++ b/flake.nix @@ -70,11 +70,18 @@ name = "devShell"; packages = [ just + rclone + age sops + ssh-to-age + git git-crypt gnupg + + yubikey-manager + age-plugin-yubikey ]; }; }; diff --git a/system/machines/server/modules/backup/default.nix b/system/machines/server/modules/backup/default.nix index 511b332..ea7b7bd 100644 --- a/system/machines/server/modules/backup/default.nix +++ b/system/machines/server/modules/backup/default.nix @@ -15,7 +15,7 @@ let set -euo pipefail TIMESTAMP=$(date +%Y%m%d-%H%M%S) - BACKUP_NAME="backup-$TIMESTAMP.tar.age" + BACKUP_NAME="backup-$TIMESTAMP.tar.gz.age" TEMP_DIR=$(mktemp -d) trap "rm -rf $TEMP_DIR" EXIT @@ -23,7 +23,7 @@ let echo "Paths: ${concatStringsSep " " cfg.paths}" export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH" - ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - ${concatStringsSep " " tarPaths} | \ + ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-czf - ${concatStringsSep " " tarPaths} | \ ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME" ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}" From 8f97be72f0a4eb4abf309779247f6c40025a2476 Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Sun, 15 Mar 2026 11:55:41 -0400 Subject: [PATCH 3/3] fix --- system/machines/server/modules/backup/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/machines/server/modules/backup/default.nix b/system/machines/server/modules/backup/default.nix index ea7b7bd..cf02ea0 100644 --- a/system/machines/server/modules/backup/default.nix +++ b/system/machines/server/modules/backup/default.nix 
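Review bot: The devShell now lists yubikey-manager and age-plugin-yubikey, but the only operator documentation for provisioning the Yubikey age identity was deleted in the first patch of this series (secrets/README.md), so a contributor entering this shell has no pointer to how the plugin identity and the age1yubikey1 recipient are produced or why the backup module puts age-plugin-yubikey on PATH. A one-line comment above the last two packages, such as `# Yubikey tooling: the server backup module encrypts to age-plugin-yubikey recipients`, or a short replacement section in the README, would close that gap. The enclosing devShell attribute set starts before the hunk.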
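Review bot: In the backup script's second hunk the encrypted archive is still written in full to $TEMP_DIR before rclone uploads it, so the whole backup must fit under mktemp's default location (often a tmpfs /tmp on NixOS, worth confirming for this host) and an encrypted copy sits on local disk until the EXIT trap runs. Because age already consumes the tar stream on stdin, the archive can be streamed end to end instead: `${pkgs.age}/bin/age ${recipientArgs} | \` followed by `${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf rcat "${cfg.destination}/$BACKUP_NAME"`, which removes both the staging copy and the size limit, and `set -euo pipefail` at the top of the script already makes a failure anywhere in that pipeline abort the run. The path join assumes cfg.destination is a remote prefix without a trailing slash; check how it is declared. The script body continues on both sides of the hunk.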
@@ -22,7 +22,7 @@ let
 echo "Starting backup: $BACKUP_NAME"
 echo "Paths: ${concatStringsSep " " cfg.paths}"
- export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
+ export PATH="${pkgs.gzip}/bin:${pkgs.age-plugin-yubikey}/bin:$PATH"
 ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-czf - ${concatStringsSep " " tarPaths} | \
 ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
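Review bot: Putting gzip on PATH makes the `-z` lookup succeed but leaves the compressor resolved by name at runtime, while tar and age on the next two lines are pinned by store path; tar can be handed the program directly, `${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - -I ${pkgs.gzip}/bin/gzip ${concatStringsSep " " tarPaths} | \`, so the PATH export carries only age-plugin-yubikey, which is the one binary age must find by name. That keeps every tool the pipeline runs referenced the same way and removes the dependency on PATH ordering. The script body continues on both sides of the hunk.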