claude'd better security things

configuration.nix

@@ -14,6 +14,8 @@
     ./hardware.nix
     ./zfs.nix
     ./impermanence.nix
+    ./usb-secrets.nix
+    ./age-secrets.nix
 
     ./services/postgresql.nix
     ./services/jellyfin.nix
@@ -26,8 +28,6 @@
     ./services/qbittorrent.nix
     ./services/bitmagnet.nix
 
-    # ./services/matrix.nix
-    # ./services/owntracks.nix
     ./services/soulseek.nix
 
     ./services/llama-cpp.nix
@@ -111,16 +111,18 @@
   };
 
   system.activationScripts = {
-    # extract all my secureboot keys
-    # TODO! awful secrets management, it's globally readable in /nix/store
-    "secureboot-keys".text = ''
-      #!/bin/sh
-      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
-      mkdir -p ${config.boot.lanzaboote.pkiBundle}
-      ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
-      chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
-      chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
-    '';
+    # extract secureboot keys from agenix-decrypted tar
+    "secureboot-keys" = {
+      deps = [ "agenix" ];
+      text = ''
+        #!/bin/sh
+        rm -fr ${config.boot.lanzaboote.pkiBundle} || true
+        mkdir -p ${config.boot.lanzaboote.pkiBundle}
+        ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot-tar.path} -C ${config.boot.lanzaboote.pkiBundle}
+        chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
+        chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
+      '';
+    };
   };
 
   environment.etc = {
@@ -286,7 +288,7 @@
     ];
 
     # TODO! use proper secrets management
-    hashedPassword = lib.strings.trim (builtins.readFile ./secrets/hashedPass);
+    hashedPasswordFile = config.age.secrets.hashedPass.path;
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop