{ pkgs, lib, config, ... }: { gnupg.keys = { "Julien Moutinho " = { uid = "Julien Moutinho "; algo = "rsa4096"; expire = "3y"; usage = ["cert" "sign"]; passPath = "members/julm/gpg/password"; subKeys = [ { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; } { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; } { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; } ]; backupRecipients = [""]; }; "Julien Moutinho " = { uid = "Julien Moutinho "; algo = "rsa4096"; expire = "3y"; usage = ["cert" "sign"]; passPath = "members/julm/gpg/password"; subKeys = [ { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; } { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; } { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; } ]; backupRecipients = [""]; }; "root@losurdo.sourcephile.fr" = let srv = "losurdo"; in { uid = "root@${srv}.sourcephile.fr"; algo = "rsa4096"; expire = "0"; usage = ["cert" "sign"]; passPath = "servers/${srv}/root/key.pass"; subKeys = [ { algo = "rsa4096"; expire = "0"; usage = ["encrypt"]; } ]; backupRecipients = [""]; # This subkey is put into a root/key.gpg, and then on losurdo's Nix store, # to decrypt servers.losurdo.config.security.secrets # Its passphrase in root/key.pass is decrypted and sent by ssh before each call to nix copy. postRun = '' info " generate $PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg" test -s "$PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg" || { ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --export-secret-keys --armor \ --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/servers/${srv}/root/key.pass.gpg") \ --export-options export-minimal @root@${srv}.sourcephile.fr | ${pkgs.gnupg}/bin/gpg --symmetric --batch --pinentry-mode loopback \ --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/servers/${srv}/root/key.pass.gpg") \ --output "$PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg" } ''; }; }; }