Use keyfiles

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

flake.lock

@@ -262,11 +262,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1753359848,
+        "lastModified": 1753365453,
-        "narHash": "sha256-sTO5BL/2UxnAv27mEOgRh1zKpe/uBN/rJssBBrjF8Cc=",
+        "narHash": "sha256-ZGYHuyEqpA8RC3pDRTbGb3fJv/qT52wHBnKPygznFyI=",
         "ref": "refs/heads/main",
-        "rev": "cf03864221a2082aa766f79022de0a2284c10e6b",
+        "rev": "821a1bad7b6a0359e362830c8454f66b60980ef6",
-        "revCount": 20,
+        "revCount": 21,
         "type": "git",
         "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
       },

hosts/jupiter-vps/configs/wireguard/default.nix

@@ -31,7 +31,7 @@ in
             "10.0.0.2/32"
             "${jupiterPublicIPv4}/32"
           ];
-          publicKey = "l0V4syZrk7HkGNa7l0cq1a4taJcdo8nKGuZt9sq3FgE=";
+          publicKey = builtins.readFile "${inputs.secrets}/hosts/jupiter/wireguard_key.pub";
         }
       ];
     };

hosts/jupiter-vps/default.nix

@@ -30,7 +30,7 @@
 
   environment.impermanence.enable = lib.mkForce false;
 
-  users.users.root.openssh.authorizedKeys.keys = [
+  users.users.root.openssh.authorizedKeys.keyFiles = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+    "${inputs.secrets}/personal/id_ed25519.pub"
   ];
 }

hosts/jupiter/configs/wireguard/default.nix

@@ -42,7 +42,7 @@ in
           {
             name = "jupiter-vps";
             allowedIPs = [ "0.0.0.0/0" ];
-            publicKey = "dRUBz0AZFp30zXqWyTDRe7UyNioc5lV5QE2xYJCc6yU=";
+            publicKey = builtins.readFile "${inputs.secrets}/hosts/jupiter-vps/wireguard_key.pub";
             endpoint = "${jupiterVpsPublicIPv4}:${builtins.toString wireguardPort}";
             persistentKeepalive = 25;
           }

hosts/jupiter/default.nix

@@ -62,7 +62,7 @@
     "v  /mnt/storage/private 0755 root root    - -"
   ];
 
-  users.users.root.openssh.authorizedKeys.keys = [
+  users.users.root.openssh.authorizedKeys.keyFiles = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+    "${inputs.secrets}/personal/id_ed25519.pub"
   ];
 }

hosts/jupiter/users/nick/default.nix

@@ -62,8 +62,8 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
-    openssh.authorizedKeys.keys = [
+    openssh.authorizedKeys.keyFiles = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+      "${inputs.secrets}/personal/id_ed25519.pub"
     ];
   };
 

hosts/jupiter/users/storm/configs/console/podman/sish/default.nix

@@ -2,6 +2,7 @@
 {
   config,
   inputs,
+  lib,
   pkgs,
   system,
   ...
@@ -31,9 +32,9 @@ in
             let
               authorizedKeys = pkgs.writeTextFile {
                 name = "authorized_keys";
-                text = ''
+                text = lib.strings.concatStringsSep "\n" [
-                  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com
+                  (builtins.readFile "${inputs.secrets}/personal/id_ed25519.pub")
-                '';
+                ];
               };
             in
             [

hosts/jupiter/users/storm/default.nix

@@ -53,8 +53,8 @@ in
       group = user;
       autoSubUidGidRange = true;
       useDefaultShell = true;
-      openssh.authorizedKeys.keys = [
+      openssh.authorizedKeys.keyFiles = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+        "${inputs.secrets}/personal/id_ed25519.pub"
       ];
     };