fix

- Add config.machines.keys for machine-specific keys (private keys live on that machine)
- Move desktop SSH key to machines.keys.desktop.ssh
- Fix extractName to preserve "yubikey" (only strip .key/.pub extensions)
- Rename key files for clarity (android -> graphone, primary -> yubikey)
- Add age yubikey key for encrypted backups
- Add README files to document key purposes
- Update all machine configs to import system config

src/system/config/default.nix

@@ -0,0 +1,14 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+{
+  options = {
+    machines = mkOption {
+      description = "Machine Configurations";
+      type = types.attrs;
+      default = {
+        keys = import ./keys { inherit lib; };
+      };
+    };
+  };
+}

src/system/config/keys/default.nix

@@ -0,0 +1,33 @@
+{ lib }:
+
+with builtins;
+let
+  extractName = filename:
+    let
+      # Remove .key extension
+      noKey = lib.removeSuffix ".key" filename;
+      # Remove .pub/.priv/.public/.private markers
+      noMarkers = replaceStrings
+        [ ".pub" ".priv" ".public" ".private" ]
+        [ "" "" "" "" ]
+        noKey;
+    in noMarkers;
+
+  constructKeys = dir: (
+    listToAttrs (
+      map (subdir: {
+        name = subdir;
+        value = listToAttrs (
+          map (file: {
+            name = extractName file;
+            value = readFile "${dir}/${subdir}/${file}";
+          }) (filter (file:
+            (readDir "${dir}/${subdir}").${file} == "regular" &&
+            lib.hasSuffix ".key" file
+          ) (attrNames (readDir "${dir}/${subdir}")))
+        );
+      }) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
+    )
+  );
+in
+  constructKeys ./.

src/system/config/keys/desktop/README.md

@@ -0,0 +1,3 @@
+# Desktop Keys
+
+ssh.pub.key - ~/.ssh/id_rsa

src/system/machines/desktop/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
     ./modules/disko

src/system/machines/desktop/system.nix

@@ -13,7 +13,7 @@ in
       isNormalUser = true;
       extraGroups = config.user.groups
         ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
-      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.android}" ];
+      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.graphone}" ];
     };
   };
 
@@ -94,20 +94,7 @@ in
       enable = true;
       allowedTCPPorts = [ 22 80 443 ];
     };
-    nameservers = [ "127.0.0.1" ];
+    nameservers = [ "192.168.0.154" ];
-  };
-
-  services.dnsmasq = {
-    enable = true;
-    settings = {
-      # Only specific subdomains go to local server
-      address = [
-        "/git.ramos.codes/192.168.0.154"
-        "/frigate.ramos.codes/192.168.0.154"
-        "/test.ramos.codes/192.168.0.154"
-      ];
-      server = [ "1.1.1.1" "8.8.8.8" ];
-    };
   };
 
   services = {

src/system/machines/server/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
   ];

src/system/machines/server/system.nix

@@ -8,6 +8,19 @@
     nginx.enable = true;
     forgejo.enable = true;
     frigate.enable = false;
+    immich.enable = true;
+
+    backup = {
+      enable = true;
+      recipients = [
+       "${config.user.keys.age.yubikey}"
+       "${config.machines.keys.desktop.ssh}"
+      ];
+      paths = [ "/root/.config/rclone" ];
+      destination = "gdrive:backups/server";
+      schedule = "daily";
+      keepLast = 2;
+    };
   };
 
   users.users = {
@@ -15,7 +28,7 @@
       isNormalUser = true;
       extraGroups = config.user.groups;
       openssh.authorizedKeys.keys = [
-        "${config.user.keys.ssh.desktop}"
+        "${config.machines.keys.desktop.ssh}"
       ];
     };
   };
@@ -98,6 +111,26 @@
     };
   };
 
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      # All *.ramos.codes subdomains -> local server
+      address = "/.ramos.codes/192.168.0.154";
+      # Except www, http, https and bare domain -> forward to upstream
+      server = [
+        "/www.ramos.codes/1.1.1.1"
+        "/http.ramos.codes/1.1.1.1"
+        "/https.ramos.codes/1.1.1.1"
+        "/ramos.codes/1.1.1.1"
+        "1.1.1.1"
+        "8.8.8.8"
+      ];
+      cache-size = 1000;
+    };
+  };
+
+  networking.firewall.allowedUDPPorts = [ 53 ];
+
   services.fail2ban = {
     enable = true;
     maxretry = 5;

src/system/machines/vm/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
   ];

src/system/machines/vm/system.nix

@@ -8,7 +8,7 @@
     ${config.user.name} = {
       isNormalUser = true;
       extraGroups = config.user.groups;
-      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.primary}" ];
+      openssh.authorizedKeys.keys = [ "${config.user.keys.ssh.yubikey}" ];
     };
   };
 

src/system/machines/workstation/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./hardware.nix
     ./system.nix
   ];

src/system/machines/workstation/system.nix

@@ -10,7 +10,7 @@ with lib;
       extraGroups = config.user.groups
         ++ [ "video" "audio" "kvm" "libvirtd" "dialout" ];
       openssh.authorizedKeys.keys = [ 
-        "${config.user.keys.ssh.primary}" 
+        "${config.user.keys.ssh.yubikey}" 
         "${config.user.keys.ssh.work}" 
       ];
     };

src/system/machines/wsl/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ../../../user/config
+    ../../config
     ./system.nix
   ];
 }

src/system/machines/wsl/system.nix

@@ -9,8 +9,7 @@
       isNormalUser = true;
       extraGroups = config.user.groups;
       openssh.authorizedKeys.keys = [ 
-        "${config.user.keys.ssh.primary}" 
+        "${config.user.keys.ssh.yubikey}" 
-        "${config.user.keys.ssh.windows}" 
       ];
     };
   };

src/system/modules/backup/default.nix

@@ -0,0 +1,96 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.backup;
+
+  recipientArgs = concatMapStrings (r: "-r '${lib.strings.trim r}' ") cfg.recipients;
+
+  # Convert absolute paths to relative for tar, preserving structure
+  # e.g., /var/lib/forgejo -> var/lib/forgejo
+  tarPaths = map (p: removePrefix "/" p) cfg.paths;
+
+  backupScript = pkgs.writeShellScript "backup" ''
+    set -euo pipefail
+
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    BACKUP_NAME="backup-$TIMESTAMP.tar.age"
+    TEMP_DIR=$(mktemp -d)
+    trap "rm -rf $TEMP_DIR" EXIT
+
+    echo "Starting backup: $BACKUP_NAME"
+    echo "Paths: ${concatStringsSep " " cfg.paths}"
+
+    export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
+    ${pkgs.gnutar}/bin/tar -C / -cf - ${concatStringsSep " " tarPaths} | \
+      ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
+
+    ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}"
+
+    # Prune old backups
+    ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf lsf "${cfg.destination}" | \
+      sort -r | \
+      tail -n +$((${toString cfg.keepLast} + 1)) | \
+      while read -r old; do
+        ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf delete "${cfg.destination}/$old"
+      done
+
+    echo "Backup complete"
+  '';
+
+in
+{
+  options.modules.system.backup = {
+    enable = mkEnableOption "Encrypted backups";
+
+    paths = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Absolute paths to include in backup (structure preserved)";
+    };
+
+    recipients = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Age public keys for encryption";
+    };
+
+    destination = mkOption {
+      type = types.str;
+      default = "";
+      description = "Rclone destination";
+    };
+
+    schedule = mkOption {
+      type = types.str;
+      default = "daily";
+      description = "Systemd calendar expression";
+    };
+
+    keepLast = mkOption {
+      type = types.int;
+      default = 3;
+      description = "Number of backups to keep";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.rclone ];
+
+    systemd.services.backup = {
+      description = "Encrypted backup";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = backupScript;
+      };
+    };
+
+    systemd.timers.backup = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.schedule;
+        Persistent = true;
+      };
+    };
+  };
+}

src/system/modules/forgejo/default.nix

@@ -19,7 +19,7 @@ in
       isSystemUser = true;
       group = "git";
       home = "/var/lib/forgejo";
-      shell = "${pkgs.git}/bin/git-shell";
+      shell = "${pkgs.bash}/bin/bash";
     };
 
     users.users.nginx = mkIf nginx.enable {
@@ -28,6 +28,7 @@ in
 
     systemd.tmpfiles.rules = [
       "d /var/lib/forgejo 0750 git git -"
+      "d /var/lib/forgejo/.ssh 0700 git git -"
       "d /var/lib/forgejo/custom 0750 git git -"
       "d /var/lib/forgejo/data 0750 git git -"
     ];
@@ -38,14 +39,36 @@ in
       group = "git";
       stateDir = "/var/lib/forgejo";
 
-      settings.server = {
+      settings = {
-        DOMAIN = "git.${domain}";
+        DEFAULT = {
-        ROOT_URL = "https://git.${domain}/";
+          APP_NAME = "Git Server";
-        PROTOCOL = "http+unix";
+          APP_SLOGAN = "";
-        HTTP_ADDR = socketPath;
+        };
-        SSH_DOMAIN = "git.${domain}";
+
-        SSH_PORT = 22;
+        server = {
-        START_SSH_SERVER = false;
+          DOMAIN = "git.${domain}";
+          ROOT_URL = "https://git.${domain}/";
+          PROTOCOL = "http+unix";
+          HTTP_ADDR = socketPath;
+          SSH_DOMAIN = "git.${domain}";
+          SSH_PORT = 22;
+          START_SSH_SERVER = false;
+          LANDING_PAGE = "explore";
+        };
+
+        service = {
+          REGISTER_MANUAL_CONFIRM = true;
+          DISABLE_REGISTRATION = false;
+          DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
+        };
+
+        admin = {
+          DISABLE_REGULAR_ORG_CREATION = true;
+        };
+
+        auth = {
+          ENABLE_BASIC_AUTHENTICATION = true;
+        };
       };
 
       database = {
@@ -54,6 +77,10 @@ in
       };
     };
 
+    modules.system.backup.paths = [
+      "/var/lib/forgejo"
+    ];
+
     services.nginx.virtualHosts."git.${domain}" = mkIf nginx.enable {
       useACMEHost = domain;
       forceSSL = true;

src/system/modules/immich/default.nix

@@ -0,0 +1,38 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.immich;
+  nginx = config.modules.system.nginx;
+  domain = "ramos.codes";
+  port = 2283;
+
+in
+{
+  options.modules.system.immich = {
+    enable = mkEnableOption "Immich Photo Server";
+  };
+
+  config = mkIf cfg.enable {
+    services.immich = {
+      enable = true;
+      port = port;
+      host = "127.0.0.1";
+      mediaLocation = "/var/lib/immich";
+      machine-learning.enable = false;
+    };
+
+    modules.system.backup.paths = [
+      "/var/lib/immich"
+    ];
+
+    services.nginx.virtualHosts."photos.${domain}" = mkIf nginx.enable {
+      useACMEHost = domain;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

src/user/config/default.nix

@@ -14,7 +14,7 @@ in
         name = "bryan";
         email = "bryan@ramos.codes";
         shell = bash;
-        keys = import ./keys;
+        keys = import ./keys { inherit lib; };
 
         groups = [ "wheel" "networkmanager" "home-manager" "input" ];
         bookmarks = import ./bookmarks;

src/user/config/keys/age/README.md

@@ -0,0 +1,3 @@
+# Age Keys
+
+yubikey.pub.key - Cold storage backup for age encryption

src/user/config/keys/age/yubikey.pub.key

@@ -0,0 +1 @@
+age1yubikey1qfapxqnnkh92zkgayzzm9n0gtpkwaqcvrzy4d4xa4rxnjua8vjhy72hh9r9

src/user/config/keys/default.nix

@@ -1,13 +1,17 @@
+{ lib }:
+
 with builtins;
 let
-  extractName = string:
+  extractName = filename:
     let
-      metadata = [
+      # Remove .key extension
-        "pub" "public" "priv" "private"
+      noKey = lib.removeSuffix ".key" filename;
-        "key" "file" "." "_" "-" "pk"
+      # Remove .pub/.priv/.public/.private markers
-      ];
+      noMarkers = replaceStrings
-    in
+        [ ".pub" ".priv" ".public" ".private" ]
-      replaceStrings metadata (builtins.map (_: "") metadata) string;
+        [ "" "" "" "" ]
+        noKey;
+    in noMarkers;
 
   constructKeys = dir: (
     listToAttrs (
@@ -17,7 +21,10 @@ let
           map (file: {
             name = extractName file;
             value = readFile "${dir}/${subdir}/${file}";
-          }) (filter (node: (readDir "${dir}/${subdir}").${node} == "regular") (attrNames (readDir "${dir}/${subdir}")))
+          }) (filter (file:
+            (readDir "${dir}/${subdir}").${file} == "regular" &&
+            lib.hasSuffix ".key" file
+          ) (attrNames (readDir "${dir}/${subdir}")))
         );
       }) (filter (node: (readDir dir).${node} == "directory") (attrNames (readDir dir)))
     )

src/user/config/keys/pgp/README.md

@@ -0,0 +1,5 @@
+# PGP Keys
+
+yubikey.pub.key -
+work.pub.key -> bryan.ramos@concurrent-rt.com
+ccur.pub.key -> ?

src/user/config/keys/pgp/windows.pub.key

@@ -1,109 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGcvfPEBEADDOLjLG3Ay0EmvbC8OySQElS9NkdUeq9XU01CDcqo9iH4S84dR
-cApM9YocnC4foqFy/mJ5RtDPDq2Bwkt80OVe3uv9ZUwC6Mx9ZKOqUDNC5nNaA9kx
-bByVbaKFQH6WAJWM83W52NUoQFdpkFrgn1dwMP/Q/DMJKOh10lMI11ziG2o1DNpf
-SYhXb10qD7z1s96RRpWlyY0C64yHZtZ7kyhzlo3zxUOGy3Xrrkv+2f0n+sBBHRfP
-QFB7h8HduUYZJ8u+CuTS0Fl1rd1K5MVGxQrW1OfWKGUHyggPP3tlc2eSAntWQ1W3
-o7ret4yoNRMe8XfYcWMG9Eoc8U1/VsPO4YTQgMqZrICja9XeldTBoBbkmMePZO0r
-XKm1TN8vbzZvHaON1+MISJGx6j5evmfs6vz70IE1DWJ9H0IG6L/SwZLFxeg6MU+C
-5xh/IC59CwFJJrLqcXutqnxbu5brXauiIzlVucJ9p1nwODkQPeDcLHTU6P5m6FkC
-8PLxKvCWh+uuy8jZay9C4uoYfiKgM4/ixLKYoDPm3J26JWZU7prsY91/yYUmfc9T
-fb/uMWpsrVmdOrCrTIFyT4xPYFDn1L44j5qV3ofq3OQpq8lu/EmDmH/PTmWwLz4i
-cs2E+4uROlKqYYmkyaL4GopWk5LyzS9ToHKQBT3Io4y2QdYlnPCckOAIpwARAQAB
-tClCcnlhbiBSYW1vcyAod2luZG93cykgPGJyeWFuQHJhbW9zLmNvZGVzPokCTAQT
-AQoANgQLCQgHBBUKCQgFFgIDAQACHgUCF4AWIQTPP4g9xyNrKgYe2zzureX+FD+y
-HAUCZy99VgIbAQAKCRDureX+FD+yHOpqD/4xJwk1IZV/9MLPaJv0K/Isu0K1jynE
-5O7iPedXurSbl38tPP92/8QOBzPT/xBGCuECVZyjpyNJzhs11e+HcRXLZN+dUb32
-eWwtylibc+yVGpms+aVfwXpL0YtGD/rX/942v+nF1iLNz6JSLudS5JSLywIVZpI5
-scguBPd7CkM1lmiSp/vDhs1dzMnJHWdoP2OnTOYxsRYIuMBhMU8aGSnEDHzszZTe
-An0ytlPbZry2SOSzDG/EsSxrWHu0PQXkZ6/OjlMXMiPbEqrgvFnCfTmc0Pf0ETRX
-SInNr49ezjygpBhFS02tGemg+M6PlRns40rdZtT9/XizkqoqnerUYqrfJ3ST/W4U
-hx7GpJGgx+PrtySFaHpbWTos5AndTWjkEkMZN2hzUqWQCd3B8HQHOSebp9prEQl0
-nYTaFSpZoGYeGD9JyLw5mErfDdHrOict58mq5WDOrREYbZMqLUOFx0Z7N5M1uDYK
-Jbk2itHVJNwyBfAZZ9ZFeE1Id7DBMdK+EDP4xqz0oPYwnpvex4+W0Ke28AKRATMV
-+BeDBZKCXhqoScqhDsddmBpu5wjKVuz+QdNP/yKUjk8JqMi1sR6l1WMp0aeCSunf
-hqVCIMrGZvEVHOhKQNWs4ySWPCLKoBpsz/tycih06LOiJXuQhqJ9Vq6XxufPvFXB
-8Tj1wWqk9rhHobkCDQRnL32EARAAwSU64xTvvcXGZF0Nn3/q1hPvUtMeuBNuzRzl
-CviHI8I1oQJ2uLFfZWV3f+Rb4uNyoSWh94ZGAx4qD23WuZNr44JUGfu2wf7UPD9D
-IOVAVc8V1nC6Q9+DawLB7orrHD3bnaZRg260KoRNSJEqlJgM4uQtt1aXa5ltWJCd
-I6TknwVqYRmHYTykYsvD1nMSyQI3NfhIB/aSY+7oS9doDisCXi9wSoX4tMAIWbDV
-CC1J6U/WmKBLx+i8VCmiJRFU3g+5TUceNqITEv0UGioDBXTErBOeQiskGRCz03yw
-2h9hneGP/0vqwKZNUhYvATueTtzpaIigCwkSAiHTd7yyd0tnZMMOBwFVtFbb2l/A
-dPUIhOfOtybfYT4nHmrWBtkigNb7Vr/cO3SPyiVTeLon9g2Oi6arSjGSS+BO76xF
-N6HXpwTFqRcZD6ZW+6fu5mBsnHzwIYG9YR1/NW9z/3kXeJdas0O78JM1sVEAuU47
-gfM+1RSbs3CueIk32WM4B49qZ+HvwoVQIs/9933/ioohxmkN6tc8oBdoMPsa0hTM
-BWawuUfx/nqF9n/vaMK3btSPtz9VyBXxl9dc5kYBgO8FHqIeswig3KlssDYEwbVh
-u2z4SzNtLU1yVbdakbwRUACveK8F3bQ45DwsM0gEqy+rEcnkycuZSHGZ5bguCEpN
-MUUcwJMAEQEAAYkEawQYAQoAIBYhBM8/iD3HI2sqBh7bPO6t5f4UP7IcBQJnL32E
-AhsCAkAJEO6t5f4UP7IcwXQgBBkBCgAdFiEE9/MujKBsmqq1yXgU5dNUMpELN6wF
-AmcvfYQACgkQ5dNUMpELN6zDgA/5AUxKgQ9ujNoFWMTlRVKUU/Rmsojg+pMW276J
-XNWDNpENt32ozZr2+X/d0qZKgqRgraccXGknejrXNgmWJuk1wcyXUuUqmU4C53vC
-R0bsmtegNk/fMP4BNkR9oWvo4GavxrQeu6FcauTS8FOEj3oxxdiPhEtQTY1rpRw5
-lvO0YsluUa1glUlwlkW0q5bAc2VMs7n/fJkX3dQUIobGfFBEMEXmy/Qnf9S42Dv5
-etO+iLMQvCcS3jNudYhJpbcuFaMLKg57kdZrnMoDRlfF5jSxlxU8YsZQA0oQRFD8
-aQAgTAV9SGWIEowaehLmTMhGNvzThD3RXeUnX3tFd3eLWGqN/qPACwUofBCJEgxK
-7XBzhJmVrCvszR34fuQceK3RI4VGI3biMltGmqZnfuR0enR483dU3fQ/fASVuSB7
-a8GHCYDZ1ilhpDa+WAAMiCV4HLflwqPxDpEdMGH6yhBwKutX9ig/ytGIxsL9+t5E
-KfFYuONtSmBQxCfWIp3+vQzVIlmEG5JB6w9SF4NG5tCBQBQ5Uw13N6SwbU/psJ1z
-u9CvTFCCz3hmJmH4VTRniaKqidJnIQS0gTrgNbc5hjGO2P2XxEK1Og3K3sU054cO
-OnmsweDX8XswN9IQRJrN+sBous/YIrTA3Jk7Cmi1P268OIDpjErnUfISvJxfpq+6
-ahs3pHfweA/4+wSj2lSiEMCWC3Sog7368Ej+rw2CP4MUb13rX8+o7fvodZqvX68v
-qMpKvEOEgwmzx/622yaxxbUj/d5UeI4rH5xFJ/P2NJBazLlUdU9Q657XWXdTM4ET
-r3KnjNhQdKoUW8wwVcsQ+RSKH5jIWzfQmJXMfeafuS+76VkWNPipZDKx12tqxHZf
-VUjVWknLcryXYSRW0OPTgu0bsS5JA8ZTWSq+zSjYpksfVm1j/jxcmuF7vgy4T1wv
-STFEDqNBuAwxOWHxnsqGSF6ayM7iwMYtqAzlfybvHl0BTaj/Zz4FWqfShBh2TcTG
-8spt1l50dIaMJbQJHFE+VKSO4zu/cGGMnLINWIjgAiI1KFd2oehNx5q/dOaK0TAs
-m57RPwnZ1vFuRCKB0OtMDapdDmIXGg3QrSuxtsBXkkCS9N/X0FF6+XyM25fZ045G
-h0gPUU1G/lz6F6yYGEE9ly87VOTkpwcPeZJSHdBBM4MdO+urm9vqTdstD/dJuOOV
-B7ZKIKcir9mJ2yyaLx9eMKeiPz1mLHWT297QEg/iRW8MMkaV0HWRgtciUlzVzI86
-k+nGpbP8kqBzh7K0tbqSiy+8GpTyTL+3SjS4Ed3SHaxq5H8fUp+Fh3xBPHGOiA1/
-/ywCBysht4o6eKxfTC70fr6Egvng7qhh2NxS7pjsMNA2KMtCkfPjVbkCDQRnL32e
-ARAAtQUAFWyMlOTxzlSskcGtQTCPcQFJMo6XhomppSvWPhGl6lOof8QxAcX6XENG
-0qYcy1o2VpLHYB4dFPhvsgU0nvG4HIfejXqOnLsOg5pZduwCqH6dzJxbLU3Vq5Kr
-hYf/pgIoG7/JwRbf7kUFoZHoOPV5MrYWrfpypM0StUYBAygx/MCtM4W6ep5spWNL
-Qkg/hSuXCI/HdGk0+3yapSaQ+6J1wSlWn9lYNDD9micB4MIFLFt6MAARtJcuGCZ2
-OSVAKd69n76jT2m+AGi1nIa//gR9YSSDjdQgUKA/rIxQ4VyzlInworch46Cm256l
-1e2dp4TZNx0CtvUDd3NIGB67ghTU59v+e5NaJGqaH/bL+7gL2JJOo6NnHOGihuBD
-LWaqEqDvdquIT1FDn2nEEVknHvqDsLsedP6wjhuXHFcRnGyIVngujGfwUKjGGT3q
-tDVa/U+9bcIV2Fl78d6zdQ5Z/4IJgmopNT2ygm3rDJO1lwh+drP5cIgWCUhsox+Z
-dL8Htrs77Tglfc4UVGr7lJjduu0t7c9InElRy+W6nPUdleAzj8EAALPnohhnXGQC
-Mh7ImUkgOv8OJadrcIkixoGn/rEmy3Xmai+9y06m+OJ9QY6Th2sM6tWWyIw/g0IM
-FOvZlmINdD8J1RErLmpY+WYV95h2vDz5jxZujhSknYCjY7EAEQEAAYkCNgQYAQoA
-IBYhBM8/iD3HI2sqBh7bPO6t5f4UP7IcBQJnL32eAhsMAAoJEO6t5f4UP7IcY84P
-/RqUCS4hF6cwMRyAHQ2s3AZETodKmaZFucShIcMh0f+3aN/6Si2s44NFukbGHzhf
-S/4YUUwryoXyW8E7BV2+L65rBknIsuTUiwIeqBDwb3ySWB3CubHA+OBThPx85ElV
-pyjW/ctR/UDEFyF7Fml+DW5gkhuw6dYiFoKj1gPyGsdsvi7Z35zh6PyFPg95Cvr9
-KncfrVizNCcFSaLX4hYRlD/i+NwI4jEr4j+AqcNnIiHE7Bpg6gG2qkYbMJR/kma5
-9+Jrmp40In1TygKCqLEvGS25k6Sk5Sysh27ltWQHGaMeMv+tVqWWvbyfPgxQH6Lx
-08rCHz9GMcgRrVOtaoBrm82wEZiL5PO/ra3rx/xne1VZn+QWaRTWDwYEpsEmz8kY
-+rqRGiaHgqEHqa9h37OdkISZUhz3zQAcvGM/G/9j5ci92m/3Ck7f7IZ4yMTksEkn
-Hdu4wJXXRm4av7mIyYeTC+vmLqM8vhlRqveF2jKkLiB3yH1YvUrYJ0wjbsrRqmHg
-VRrINN3vgsQQ+PdzYvKMHgJcjQBwYqMxQHgxjniyYR+6y/sDF6GUjf5OEXqTFxFg
-eSy684gp8Rl4F+i/v+k6So3l4P1GngpEZg7dVMVSKuTezD73L1bR3jiSQYURLR19
-nRILXk1ktcbVqjo/kF2HFKFuHlOekqlhD/YFFsJ6LN4ZuQINBGcvfggBEAC3eMlv
-WWybrwoDwbwVnPgoUHq7DFATgzO5cW9bHvEOkp74Bi0dZtpgGF1od9m2MdJ9P+PW
-d6w6sHIP5/a08XCZLXBm+qPQxJkSy+zsNqlHMyqlUFcgmC1r7+R5h7yMrz0MN8ib
-567D755TbPkqi+MR3zg8kZERD015eeZfpLIrNfcDVv4VuDUxuXSLZ3d8XF756BCR
-TyW0Jypmsg80MPyujWdrRI51FvZxwxF2y7Om8Y/ktywu9BgjRGdZ4XyRQmJhpmNR
-/a7/tL5OsJsw/r5IMPJqPMoTWatDzbmfyxG34TP9XM/DhOfd9t7c3RDZVeWCWb8s
-WpzaKNn/vyoETf6IljfHLpXi973xCH/fHPqLyCP0Dt/JCVFeba6s9MOlkfmsydRP
-KA9TS+Pgqc6IBS/h3UkGcL/NJtTyWZdrM4zL9PJBipHVVuOvHzfeiHUdhw/1zoOK
-2FsMUmoWmfMXEWBWN4KHw9Wx45gxe686eI9eoS60NHwyZ6zvNLvms2Z8j33DOHVL
-CXxZL20pqqRaNHbYeESGkHr0HRvMURrZjgMhVnFWVJvVQHg4+LkRhO8RJtIRmRVr
-l3QPOl5bjIX/2PYwkdZP/ht5edjYQY8YJNtZZuKVU13DRXkxxNM1Epe1izqA8Ye/
-cdE26op/P7B/C83gxzMBcY4y13avF+39JOivTwARAQABiQItBBgBCgAhFiEEzz+I
-PccjayoGHts87q3l/hQ/shwFAmcvfggDGyAEAACLmRAAsP9Z9mjjls+IiZPYwPzj
-Z88XcoHtWMbU+gbnZDE9vKcesjbM5706gHXqT+FiVxfEN1aGxZtGdpYvTycveoYM
-Nx3CJvQP5dQYX8tNcOCU0Xs/TYDrt/5KGitDJhpLXQBzXNSpypEraYRchNc0twj7
-YMj0EOrFChojH5K93JJM07zSwDig1/9B04pguSegGliiyTuSeS573P2mmOGjn4D1
-uEbOGUZcOTPvaOub01GXOFyXKlU52sDgexe6vMnqZ2WbkrBF2+26cdCJUyRsRizu
-QmZPN/ZyOmD1VgZ91geKz4A33Qpq5QuwORfFgJYnXIHQfozy3rd5T705/l9jd8M6
-3/y4x4oT48tB3jpV/n+PwcklUdWA9UtpwPpLxlcb276RB+AT4OYE8VL7ZlfwGFnQ
-o6XfOWhJAxtgOPzpCH+Zmps0xN5btWWJvSOTjytXO1D0F6rmLBIpdYFhX/hiVoxY
-JUsYwKqorjZ7xoscieynf3Xn+hOkr5tJbBTdXwOWlFZNzl76dbOWHQWcJCnk9EVt
-2XRZWCuscFStOCcFVfewm6h36s52K2dDU719OSnaAgxpiDInbfJSrWWLtNWnWK4s
-lBW1khV3mIsVOVdwFBGWToBjNb435E7XieFflvW8q9eNIONCGhHWIh14PzcdU5Pf
-HRncE+dM4PA+Ge8YbBCL6pU=
-=X5C7
------END PGP PUBLIC KEY BLOCK-----

src/user/config/keys/ssh/README.md

@@ -0,0 +1,5 @@
+# SSH Keys
+
+yubikey.pub.key -> PGP derived from `pgp.yubikey.pub.key`
+work.pub.key - ?
+graphone.pub.key -> For Android `pass`

src/user/config/keys/ssh/android.pub.key

@@ -1 +0,0 @@
-"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJM1HutPcWXdeTaAXY7ha8SlgeZFtLJGwNa3Kd/DL/R38fq5+fkh3iCoHgv+iiKcordtVTMhbOsHhz3H+Jm274c="

src/user/config/keys/ssh/graphone.pub.key

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJM1HutPcWXdeTaAXY7ha8SlgeZFtLJGwNa3Kd/DL/R38fq5+fkh3iCoHgv+iiKcordtVTMhbOsHhz3H+Jm274c=

src/user/config/keys/ssh/primary.pub.key

@@ -1 +0,0 @@
-"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDl4895aB9P5p/lp8Hq5rHun4clvhyTSHFi3U2d6OOBoW5Fm+VcQnW/xbjmCBsXk5BdiowsBxQhwnzdfz/KJL7J5RobomUEaVRwb9UwT88eJveLp14BG8j2J3SjfyhrCX+4jkPx0bPQk1HGcuYY+tPEXf1q/ps88Dhu0CARBIzYQOTYY6b1qWzxpDoFZGHjKG8g5iY6FIu65yKKvvVy1f8IgZ3l3IpwBWVamxgkTcYY0QYSrmzo1n7TXxwrWbvenAqBsQ0cBPs+gVa3uIr+1TJl0Az5SElBVGu3LvUdlk58trtPUj6TQR3YUkg7Vjll7WHOdqhux5ZQNhjkOsHerf0Tw86e6cEzgeTuIbQHIb0LcsUunwKcuh2+au7RO599cvHn0+xZE5MZBxloDDaJ3JsiliM8kyPP/U3ERj03cWLW7BqbT+sfjAOl21RCzk0iQxk1wt/8VmtCr9Adv7IyrtaYvf/bwRP+g+9ldmzKGt8Mdb605uVzZ70H/LLm17f40Te+QHaex5by/6p6cuwEEZtgIg53Wpglu0rA6UxrBfQEHKl/Jt3FLeE0mnEyYkkR2MnHNtyWRIXtuqYZMAm2Ub1pFHH7jQV1gGiDVTw6a2eIwK21a/hXtRjFUpFd1nB1n+KNfJBE4zT3wm3Ud7mKw/6rWnoRyhYZvGXkFdp+iEs49Q=="

src/user/config/keys/ssh/windows.pub.key

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCo2BuGY1zz2UjY7/4Rq6rse3dDbxkSA+GyqI2xJi86dqzpmnsQPDYCM61xBNGIJWCQRSRPvNMhQjL8zFo2+u3EyFZXP7twO9mtZCyo5guBRUYuzoCNMtxHt7ZERVei2NI+T7ZmU34L1cuo+fSluhC62hGGD8mMO/wQURO9CwXN+JGAgP5jxLnHKfS6xP7FHDvH7XbbgiC1M7B1B7mCyjzLadQqQebkmJYDnKcdz424VBljxVHlrSjDU0wsnBNpj/nP4eTsnzL+dGTWxkLwUzCDeSIvNoFjSe617iGfYK7y9imZsIb6zAUY7zwFqCN9co9PRJzBDKKhygFNkoZ9/OjIRm0MXWEn7eFsiaO7mB+tSoGCgi+/R34tRaaelmDS6D09HdWBgnOSsqW8VIa1YhAuDzSk3p0UQrSNSTuwMLh5fwDF8fpZ5c7M4U6oJzzfRp/ssWuq6XUnrVt43OqlacgCctFzRcdyZjQedF//ucUoG5dudmvYOGX9NnYEuIYdGtMVneMzsoGTycSi7fAtLC7ORyj6Q3LiOR+rEE+t+Wvw7pmnzmc2PH/C3yVBZhLGPgR+rH0NIjPQa6TnX8Y2NOCn4T4vL7LGxVfVOYoMzRcgYdB1JmrUxz6TweBX3IIpkbV+EmGpq3f0vhJAF1kE6fsrcrw/jWzIIVbymV0fim+ZGQ== bryan@ramos.codes

src/user/config/keys/ssh/yubikey.pub.key

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDl4895aB9P5p/lp8Hq5rHun4clvhyTSHFi3U2d6OOBoW5Fm+VcQnW/xbjmCBsXk5BdiowsBxQhwnzdfz/KJL7J5RobomUEaVRwb9UwT88eJveLp14BG8j2J3SjfyhrCX+4jkPx0bPQk1HGcuYY+tPEXf1q/ps88Dhu0CARBIzYQOTYY6b1qWzxpDoFZGHjKG8g5iY6FIu65yKKvvVy1f8IgZ3l3IpwBWVamxgkTcYY0QYSrmzo1n7TXxwrWbvenAqBsQ0cBPs+gVa3uIr+1TJl0Az5SElBVGu3LvUdlk58trtPUj6TQR3YUkg7Vjll7WHOdqhux5ZQNhjkOsHerf0Tw86e6cEzgeTuIbQHIb0LcsUunwKcuh2+au7RO599cvHn0+xZE5MZBxloDDaJ3JsiliM8kyPP/U3ERj03cWLW7BqbT+sfjAOl21RCzk0iQxk1wt/8VmtCr9Adv7IyrtaYvf/bwRP+g+9ldmzKGt8Mdb605uVzZ70H/LLm17f40Te+QHaex5by/6p6cuwEEZtgIg53Wpglu0rA6UxrBfQEHKl/Jt3FLeE0mnEyYkkR2MnHNtyWRIXtuqYZMAm2Ub1pFHH7jQV1gGiDVTw6a2eIwK21a/hXtRjFUpFd1nB1n+KNfJBE4zT3wm3Ud7mKw/6rWnoRyhYZvGXkFdp+iEs49Q==

src/user/modules/security/default.nix

@@ -7,7 +7,7 @@ let
     pass-audit
     pass-otp
     pass-update
-    pass-tomb
+    #pass-tomb
   ]);
 
 in

src/user/modules/security/modules/gpg/default.nix

@@ -18,12 +18,7 @@ in
       };
       publicKeys = [
         {
-          text = "${config.user.keys.pgp.primary}";
+          text = "${config.user.keys.pgp.yubikey}";
-          trust = 5;
-        }
-      ] ++ optionals (osConfig.networking.hostName == "desktop") [
-        {
-          text = "${config.user.keys.pgp.windows}";
           trust = 5;
         }
       ] ++ optionals (osConfig.networking.hostName == "workstation") [