feat: initializes secrets file for fragile; adds yubikey u2f key to secrets and set it to be in the home path of ${username}

2026-05-06 11:02:20 +02:00 · 2026-04-29 00:06:01 +02:00 · 2026-04-29 00:06:01 +02:00 · 175f5eb789
commit 175f5eb789
parent f12a9a2c09
3 changed files with 30 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,6 +2,7 @@ keys:
  - &sakura age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w
  - &violet age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3
  - &dandelion age1dpzajxcx7dcumda55qc3hncxqd43a7k85t2cdwtcvy5qsgp6k5tsugxqmd
+  - &fragile age1yu47wk9z3j5tspymyda8lw3u5snr66u96f2lzhqfdfmm7xv8xpxqcz9fcv
 creation_rules:
  - path_regex: secrets/sakura/secrets.yaml
    key_groups:
@ -17,3 +18,7 @@ creation_rules:
      - age:
          - *sakura
          - *dandelion
+  - path_regex: secrets/fragile/secrets.yaml
+    key_groups:
+      - age:
+          - *fragile
--- a/modules/core/sops.nix
+++ b/modules/core/sops.nix
@ -49,6 +49,14 @@
          "dandelionSyncthingId" = { };
          "sakuraSyncthingId" = { };
        }
+      else if (host == "fragile") then
+        {
+          "systemMailerPassword" = { };
+          "yubikeySecret" = {
+            owner = username;
+            path = "/home/${username}/.config/Yubico/u2f_keys";
+          };
+        }
      else
        { };
  };
--- a/secrets/fragile/secrets.yaml
+++ b/secrets/fragile/secrets.yaml
@ -0,0 +1,17 @@
+systemMailerPassword: ENC[AES256_GCM,data:N4xRgg40VtTgeHI16YC/ZOg4BN/N2GM67m81rqPrQUuMoFmarmBM0sYbxBVjpkyjyzH5kWyZ3Y6tY15FuY+d8kjFbCqmYc2B1OzaU/uHhyO4ewuZFBlgtu0PFWvPsKCfpx8D39sZwXpIQVnAbR7DbKaZmMdWCIxxfsYKJzhJiU8=,iv:xWLw1WTgqVt/I5ylbUjg2EIc7MoeMi4UPwm6zjmD3Xw=,tag:lPzhddRvi6qQZD7Gef2Uzg==,type:str]
+yubikeySecret: ENC[AES256_GCM,data:L46VgDAtIlxtdtnYhb59cFeU3v/j1nlkXLF/lkCnCpIS28NeG+3YrSAm0Gv0uwqBX7/XU6hBg2r9y1e4KrfYJn5+pBku18rPJz8eNLl+/9fzRDRba3251AyaoC8n3TuNVvwrLmXu14r1bR8LCIFX4D8N9QFREQeLMELlPrSzaKY7AT9K/rNgFZ7vDmJCqpKlv2Y1nMCAl5kvvn6HrIp489fypBLqGNCA0Sn5kymM7wqzaKM76E66SzkzG0hxFhUf7Tvi3iOS,iv:2QIOOVwZYDyIN1I7NC4AOvr7CuNsR1LZzIsNPdKHj/c=,tag:frJtXeylLdefu5AeVtthoA==,type:str]
+sops:
+    age:
+        - recipient: age1yu47wk9z3j5tspymyda8lw3u5snr66u96f2lzhqfdfmm7xv8xpxqcz9fcv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMm1mTzVxUE9zZGRyR2NB
+            V1VRbkgyTTJMMGVJanN0RGJwOURNejZKS1MwCklrUjZ5RTdWcTZNNC9KNWgvQ0R4
+            dVJtb2kvYjV5a04yVzJqaG8zKzhzRjAKLS0tIEpHOXpmbHdKZmJCNkxDeDlKUnZh
+            NURtNnR2T2MxaG52cEwvNEYxSUpDWXcK4VfTdWFJ33AwdOphxEfOSne/Aikgx46e
+            YeqjGdQslRCNutQnoJjefyToy/DCgd/wbdT1/Am7WwESA2O3xIzvoA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-28T20:36:04Z"
+    mac: ENC[AES256_GCM,data:p4PsH3iRHWOTADVAaFZhn+VP3IbaCKZNjiFbeqP9sjJfE+DE0ycAfw05IuzbqkDnwJX2J3wX5ufQyO8zmhjjLvR445jPoapwN1KuQO8L+eiPvbF3v7hNc2XISrYHbtnN7v1K2IfWgTqef+kEwFqjnPzMKhBFV+ObMg+CWVWVMVs=,iv:bSvX/jOQWn/HnVg/quokWdO36/01Isd4GrD566HFaQk=,tag:3M/fjgBYfprfe853ColVoQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1