{
  description = "Description for the project";

  inputs = {
    flake-parts.url = "github:hercules-ci/flake-parts";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix-rekey = {
      url = "github:oddlama/agenix-rekey";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ragenix = {
      url = "github:yaxitech/ragenix";
      inputs.nixpkgs.follows = "nixpkgs";
      # ragenix reuses this flake's agenix input so both tools see the same fork.
      inputs.agenix.follows = "agenix";
    };
    # agenix comes from a personal fork and a branch name ("with-sysuser") rather
    # than a tagged release; the exact revision is whatever flake.lock records.
    # Review the lock entry when updating, as a branch ref can move at any time.
    agenix = {
      url = "github:oluceps/agenix/with-sysuser";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs =
    inputs@{ flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [
        "x86_64-linux"
        "aarch64-linux"
        "aarch64-darwin"
        "x86_64-darwin"
      ];
      perSystem =
        {
          pkgs,
          system,
          ...
        }:
        {
          # Re-import nixpkgs with the agenix-rekey overlay applied, so that
          # pkgs.agenix-rekey (used in the dev shell below) resolves.
          _module.args.pkgs = import inputs.nixpkgs {
            inherit system;
            overlays = with inputs; [ agenix-rekey.overlays.default ];
          };

          # Dev shell providing the agenix-rekey CLI.
          devShells.default = pkgs.mkShell {
            packages = [ pkgs.agenix-rekey ];
          };
        };
      flake = {
        # The usual flake attributes can be defined here, including system-
        # agnostic ones like nixosModule and system-enumerating ones, although
        # those are more easily expressed in perSystem.

        # Hands this flake and its NixOS hosts to agenix-rekey; presumably the
        # rekey tooling enumerates `nodes` to find each host's rekey settings.
        agenix-rekey = inputs.agenix-rekey.configure {
          userFlake = inputs.self;
          nodes = inputs.self.nixosConfigurations;
        };

        # NOTE(review): no `system` is passed here, so nixpkgs.hostPlatform is
        # expected to be set in ./configuration.nix — confirm.
        nixosConfigurations.ager = inputs.nixpkgs.lib.nixosSystem {
          modules = [
            ./configuration.nix
            inputs.ragenix.nixosModules.default
            inputs.agenix-rekey.nixosModules.default
            {

              # Private host key used to decrypt secrets at activation time.
              # It lives under /persist, which looks like an impermanence-style
              # layout — confirm the key survives reboots on this host.
              age.identityPaths = [ "/persist/keys/ssh_host_ed25519_key" ];

              age = {
                rekey = {
                  # Public half of the host key above; secrets are rekeyed to it.
                  hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaeKFjaE611RF7iHQzl+xfWxrIPA1+d10/qh2IhTq4l";
                  # Additional age recipient the master secret files are also
                  # encrypted to, alongside masterIdentities.
                  extraEncryptionPubkeys = [ "age1jr2x2m85wtte9p0s7d833e0ug8xf3cf8a33l9kjprc9vlxmvjycq05p2qq" ];
                  # yubikey piv credential
                  # age-plugin-yubikey --generate --slot 1
                  # The .pub suffix suggests only the public identity stub is
                  # committed here; the private key should stay on the YubiKey.
                  masterIdentities = [ ./sec/age-yubikey-identity-7d5d5540.txt.pub ];
                  # Rekeyed secrets are kept in the repository under
                  # localStorageDir rather than generated into the Nix store.
                  storageMode = "local";
                  localStorageDir = ./sec/rekeyed/ager;
                };
                secrets = {
                  test = {
                    rekeyFile = ./sec/test.age;
                    # NOTE(review): mode 640 with group "users" makes this
                    # readable by every member of that group, which on NixOS is
                    # typically every normal user account. Fine for a test
                    # secret; tighten group/mode for anything sensitive.
                    mode = "640";
                    owner = "root";
                    group = "users";
                    # Installed under the name "te" instead of the attribute
                    # name "test" (the exact path depends on the agenix module).
                    name = "te";
                  };
                };
              };
            }
          ];
        };
      };
    };
}