feat: security - password-store, gpg, age, etc...

2026-03-31 14:43:11 +02:00 · 2024-01-27 15:22:47 +08:00
parent b9b9a55ede
commit 05682dbac9
7 changed files with 155 additions and 52 deletions
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
@@ -39,9 +39,10 @@
    # no one can read/write this file, even root.
    # ---------------------------------------------

-    "ryan4yin-gpg-subkeys.priv" =
+    # .age means the decrypted file is still encrypted by age(via a passphrase)
+    "ryan4yin-gpg-subkeys.priv.age" =
      {
-        file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+        file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
      }
      // noaccess;

@@ -107,8 +108,8 @@
      source = config.age.secrets."ssh-key-romantic".path;
    };

-    "agenix/ryan4yin-gpg-subkeys.priv" = {
-      source = config.age.secrets."ryan4yin-gpg-subkeys.priv".path;
+    "/agenix/ryan4yin-gpg-subkeys.priv.age" = {
+      source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
    };

    # The following secrets are used by home-manager modules
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -40,9 +40,10 @@
    # no one can read/write this file, even root.
    # ---------------------------------------------

-    "ryan4yin-gpg-subkeys.priv" =
+    # .age means the decrypted file is still encrypted by age(via a passphrase)
+    "ryan4yin-gpg-subkeys.priv.age" =
      {
-        file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+        file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
      }
      // noaccess;

@@ -117,8 +118,8 @@
      user = username;
    };

-    "agenix/ryan4yin-gpg-subkeys.priv" = {
-      source = config.age.secrets."ryan4yin-gpg-subkeys.priv".path;
+    "/agenix/ryan4yin-gpg-subkeys.priv.age" = {
+      source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
      mode = "0000";
    };