secrets: proper agenix for desktop hosts via TPM identity

Browse Source

- modules/desktop-age-secrets.nix: agenix + rage wrapped with age-plugin-tpm,
  TPM identity primary, admin SSH key fallback for recovery/pre-bootstrap
- modules/desktop-lanzaboote-agenix.nix: extract secureboot.tar at activation
- modules/desktop-networkmanager.nix: revert to simple import of git-crypt file
- modules/server-age-secrets.nix: renamed from age-secrets.nix
- modules/desktop-common.nix: wire netrc + password-hash to agenix paths
- hosts/yarn/impermanence.nix: persist /var/lib/agenix across tmpfs wipes
- secrets/secrets.nix: recipient declarations (admin + tpm + muffin USB)
- secrets/desktop/*.age: secureboot.tar, nix-cache-netrc, password-hash
- scripts/bootstrap-desktop-tpm.sh: generate TPM identity + print recipient

...

This commit is contained in:

Simon Gardling

2026-04-23 19:24:34 -04:00

parent a3f7a19cc2

commit 06ccc337c1

4 changed files with 0 additions and 0 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

BIN

secrets/desktop/nix-cache-netrc.age

Binary file not shown.

BIN

secrets/desktop/password-hash.age

Binary file not shown.

BIN

secrets/desktop/secureboot.tar.age

Binary file not shown.

BIN

secrets/secrets.nix

Binary file not shown.