fix

flake.nix

@@ -70,11 +70,18 @@
       name = "devShell";
       packages = [
         just
+        rclone
+
         age
         sops
+        ssh-to-age
+
         git
         git-crypt
         gnupg
+
+        yubikey-manager
+        age-plugin-yubikey
       ];
     };
   };

secrets/README.md

@@ -66,75 +66,3 @@ sops -d secrets/system/wifi.yaml
 # Update .sops.yaml with new keys, then:
 sops updatekeys secrets/system/wifi.yaml
 ```
-
-## Migrating to Yubikey
-
-### 1. Generate a new age identity on Yubikey
-
-```bash
-# Insert Yubikey and run interactive setup
-age-plugin-yubikey
-
-# Follow prompts:
-#   - Select slot (default: 1)
-#   - Set PIN policy (default: once per session)
-#   - Set touch policy (recommended: always)
-#
-# This generates a NEW key on the Yubikey - you will not know the private key.
-# Save the identity to the keys directory:
-age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
-```
-
-The identity file only contains a *reference* to the Yubikey, not the private key.
-It will be deployed to `~/.config/sops/age/keys.txt` on rebuild.
-
-### 2. Update .sops.yaml with Yubikey public key
-
-```bash
-# Get the public key (age1yubikey1...)
-age-plugin-yubikey --list
-
-# Edit .sops.yaml and replace/add the key:
-vim .sops.yaml
-```
-
-```yaml
-keys:
-  - &yubikey age1yubikey1q...  # your Yubikey public key
-
-creation_rules:
-  - path_regex: secrets/.*\.yaml$
-    key_groups:
-      - age:
-          - *yubikey
-```
-
-### 3. Re-key all secrets against the new key
-
-```bash
-# This decrypts with your OLD key and re-encrypts with the NEW key
-find secrets -name "*.yaml" -exec sops updatekeys {} \;
-```
-
-You'll need your old key available during this step.
-
-### 4. Remove the old age key (optional)
-
-```bash
-# Once all secrets are re-keyed and tested:
-# 1. Remove old key from .sops.yaml
-# 2. Delete the old key file from the repo:
-rm src/user/config/keys/age/local  # or whatever your test key was named
-```
-
-### 5. Test decryption with Yubikey
-
-```bash
-# Should prompt for Yubikey touch/PIN
-sops -d secrets/system/wifi.yaml
-
-# Test a full rebuild
-sudo nixos-rebuild switch --flake .#desktop
-```
-
-If decryption works, your migration is complete.

system/machines/server/modules/backup/default.nix

@@ -15,15 +15,15 @@ let
     set -euo pipefail
 
     TIMESTAMP=$(date +%Y%m%d-%H%M%S)
-    BACKUP_NAME="backup-$TIMESTAMP.tar.age"
+    BACKUP_NAME="backup-$TIMESTAMP.tar.gz.age"
     TEMP_DIR=$(mktemp -d)
     trap "rm -rf $TEMP_DIR" EXIT
 
     echo "Starting backup: $BACKUP_NAME"
     echo "Paths: ${concatStringsSep " " cfg.paths}"
 
-    export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
-    ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - ${concatStringsSep " " tarPaths} | \
+    export PATH="${pkgs.gzip}/bin:${pkgs.age-plugin-yubikey}/bin:$PATH"
+    ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-czf - ${concatStringsSep " " tarPaths} | \
       ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
 
     ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}"