1 { pkgs, lib, config, ... }:
4 "Julien Moutinho <julm@sourcephile.fr>" = {
5 uid = "Julien Moutinho <julm@sourcephile.fr>";
8 usage = ["cert" "sign"];
9 passPath = "members/julm/gpg/password";
11 { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
12 { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
13 { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
15 backupRecipients = [""];
17 "Julien Moutinho <julm@mermet>" = {
18 uid = "Julien Moutinho <julm@mermet>";
21 usage = ["cert" "sign"];
22 passPath = "members/julm/gpg/password";
24 { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
25 { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
26 { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
28 backupRecipients = [""];
30 "root@losurdo.sourcephile.fr" = let srv = "losurdo"; in {
31 uid = "root@${srv}.sourcephile.fr";
34 usage = ["cert" "sign"];
35 passPath = "servers/${srv}/root/key.pass";
37 { algo = "rsa4096"; expire = "0"; usage = ["encrypt"]; }
39 backupRecipients = [""];
40 # This subkey is put into a root/key.gpg, and then on losurdo's Nix store,
41 # to decrypt servers.losurdo.config.security.secrets
42 # Its passphrase in root/key.pass is decrypted and sent by ssh before each call to nix copy.
44 info " generate $PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg"
45 test -s "$PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg" || {
46 ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --export-secret-keys --armor \
47 --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/servers/${srv}/root/key.pass.gpg") \
48 --export-options export-minimal @root@${srv}.sourcephile.fr |
49 ${pkgs.gnupg}/bin/gpg --symmetric --batch --pinentry-mode loopback \
50 --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/servers/${srv}/root/key.pass.gpg") \
51 --output "$PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg"
sourcephile / git / sourcephile-nix.git / blob