secrets overhaul: use tpm for laptop (need to migrate desktop later)

2026-04-23 14:05:43 -04:00
parent 22282691e7
commit e019f2d4fb
17 changed files with 218 additions and 25 deletions
--- a/hosts/muffin/default.nix
+++ b/hosts/muffin/default.nix
@@ -19,7 +19,7 @@
    ../../modules/zfs.nix
    ../../modules/server-impermanence.nix
    ../../modules/usb-secrets.nix
-    ../../modules/age-secrets.nix
+    ../../modules/server-age-secrets.nix
    ../../modules/server-lanzaboote-agenix.nix
    ../../modules/no-rgb.nix
    ../../modules/server-security.nix
--- a/hosts/yarn/impermanence.nix
+++ b/hosts/yarn/impermanence.nix
@@ -12,6 +12,14 @@
      "/var/lib/systemd/coredump"
      "/var/lib/nixos"
      "/var/lib/systemd/timers"
+      # agenix identity sealed by the TPM. Must survive the tmpfs root
+      # wipe so decryption at activation finds the right handle.
+      {
+        directory = "/var/lib/agenix";
+        mode = "0700";
+        user = "root";
+        group = "root";
+      }
    ];

    files = [