claude'd better security things

2025-10-17 19:35:58 -04:00
parent 9e35448f04
commit f9515dd160
34 changed files with 327 additions and 144 deletions
--- a/secrets.nix
+++ b/secrets.nix
@@ -0,0 +1,22 @@
+let
+  # USB secrets key - for encrypting/decrypting all secrets
+  usbSecretsKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8+eSX2LH5wEHVG9sSv97ceD5zdTarV0lRvoUso4A7p USB secrets decryption key";
+in
+{
+  # ZFS encryption key
+  "zfs-key.age".publicKeys = [ usbSecretsKey ];
+
+  # Secureboot keys archive
+  "secureboot.tar.age".publicKeys = [ usbSecretsKey ];
+
+  # System passwords and auth
+  "hashedPass.age".publicKeys = [ usbSecretsKey ];
+
+  # Service authentication
+  "caddy_auth.age".publicKeys = [ usbSecretsKey ];
+  "jellyfin-api-key.age".publicKeys = [ usbSecretsKey ];
+  "slskd_env.age".publicKeys = [ usbSecretsKey ];
+
+  # Network configuration
+  "wg0.conf.age".publicKeys = [ usbSecretsKey ];
+}