From dec790c589444370ae2de52bfbc5e35111eed598 Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Wed, 7 Jun 2023 19:48:15 +0200
Subject: [PATCH] chore: update to new agenix-rekey format

---
 flake.lock                                    |  36 +++++-----
 hosts/common/core/net.nix                     |  11 ++-
 hosts/common/core/system.nix                  |   2 +-
 hosts/common/initrd-ssh.nix                   |   9 +--
 hosts/sentinel/acme.nix                       |   6 +-
 hosts/sentinel/caddy.nix                      |   6 +-
 hosts/sentinel/secrets/loki-basic-auth.age    | Bin 415 -> 409 bytes
 hosts/ward/default.nix                        |  39 +++++------
 hosts/ward/promtail.nix                       |  66 +++++++++++++++---
 ...afana.age => loki-basic-auth-password.age} |   0
 hosts/ward/vaultwarden.nix                    |   6 +-
 hosts/zackbiene/esphome.nix                   |   4 +-
 hosts/zackbiene/home-assistant.nix            |  10 +--
 hosts/zackbiene/hostapd.nix                   |   4 +-
 hosts/zackbiene/mosquitto.nix                 |  12 ++--
 hosts/zackbiene/nginx.nix                     |  12 ++--
 hosts/zackbiene/zigbee2mqtt.nix               |  10 +--
 modules/extra.nix                             |   2 +-
 modules/wireguard.nix                         |  20 +++---
 nix/apps/default.nix                          |   1 +
 nix/apps/generate-secrets.nix                 |  39 +++++++++++
 21 files changed, 195 insertions(+), 100 deletions(-)
 rename hosts/ward/secrets/{loki-basic-auth-password-grafana.age => loki-basic-auth-password.age} (100%)
 create mode 100644 nix/apps/generate-secrets.nix

diff --git a/flake.lock b/flake.lock
index a53d157..6af0e0a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -31,12 +31,10 @@
         ]
       },
       "locked": {
-        "lastModified": 1684539260,
-        "narHash": "sha256-lF3+vp2UZwBjzF4pnOKYZrQOCFdnOdtvGmaFIzsaMN4=",
-        "owner": "oddlama",
-        "repo": "agenix-rekey",
-        "rev": "e9a2bad33b7b1634af65cbc809fc31776df41fe5",
-        "type": "github"
+        "lastModified": 1686159246,
+        "narHash": "sha256-6+u3Ed6rsYKJ1gnjt1DoEnxgF6Xmi4qPFUy7OBEiN5E=",
+        "type": "git",
+        "url": "file:///root/projects/agenix-rekey"
       },
       "original": {
         "owner": "oddlama",
@@ -119,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685970051,
-        "narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=",
+        "lastModified": 1686150639,
+        "narHash": "sha256-QHorMn3tgvCE0BM4QlNb/7vuquz11cS2ke1GSfmgiPo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d",
+        "rev": "f1178c6e72b7d8ab2b55990397969324822275eb",
         "type": "github"
       },
       "original": {
@@ -210,11 +208,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685885003,
-        "narHash": "sha256-+OB0EvZBfGvnlTGg6mtyUCqkMnUp9DkmRUU4d7BZBVE=",
+        "lastModified": 1686142265,
+        "narHash": "sha256-IP0xPa0VYqxCzpqZsg3iYGXarUF+4r2zpkhwdHy9WsM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "607d8fad96436b134424b9935166a7cd0884003e",
+        "rev": "39c7d0a97a77d3f31953941767a0822c94dc01f5",
         "type": "github"
       },
       "original": {
@@ -260,11 +258,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1685384827,
-        "narHash": "sha256-lEEMXGKQY5cUWO9vS08a5VLPbVAJm6xGBTd3Cnfg99c=",
+        "lastModified": 1686092477,
+        "narHash": "sha256-ewXevzxR3FGhI5ip1QX+jCAQW2En9BTwBI9+kGip9DA=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "3683f43a37568fbc14bdc1c952acb41b0bb09a01",
+        "rev": "c6416c6b9fed22b71f526720cb120b0218c51b62",
         "type": "github"
       },
       "original": {
@@ -348,7 +346,7 @@
     "nixpkgs": {
       "locked": {
         "lastModified": 1685290091,
-        "narHash": "sha256-eJ4hOd5fA8i9uhpPFrpjLAb09wqfB+NH9utHh0PGD4k=",
+        "narHash": "sha256-Shhg4EstYivzF10RuNDUKw3KGQOS5e7S7yHFnWuJQSI=",
         "type": "git",
         "url": "file:///root/projects/nixpkgs-test"
       },
@@ -388,11 +386,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1685970613,
-        "narHash": "sha256-sMbR4zPciUfQ6YHt6GNVxT/yhWJKngvZo8qHzYkaU6E=",
+        "lastModified": 1686050334,
+        "narHash": "sha256-R0mczWjDzBpIvM3XXhO908X5e2CQqjyh/gFbwZk/7/Q=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "a117a1cd2c280bf8d499f26370fddfe1923e75e6",
+        "rev": "6881eb2ae5d8a3516e34714e7a90d9d95914c4dc",
         "type": "github"
       },
       "original": {
diff --git a/hosts/common/core/net.nix b/hosts/common/core/net.nix
index ed1ddb6..20575cc 100644
--- a/hosts/common/core/net.nix
+++ b/hosts/common/core/net.nix
@@ -15,7 +15,16 @@
     ;
 in {
   # TODO needed until https://github.com/NixOS/nixpkgs/issues/236146 is resolved
-  boot.initrd.network.flushBeforeStage2 = true;
+  boot.initrd.systemd = {
+    services.systemd-networkd = {
+      before = ["initrd-switch-root.target"];
+      conflicts = ["initrd-switch-root.target"];
+    };
+    sockets.systemd-networkd = {
+      before = ["initrd-switch-root.target"];
+      conflicts = ["initrd-switch-root.target"];
+    };
+  };
 
   networking = {
     hostName = nodeName;
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index ee3643c..3391757 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -343,7 +343,7 @@
     // lib.optionalAttrs (nodePath != null && lib.pathExists local) {inherit local;};
 
   # Setup secret rekeying parameters
-  rekey = {
+  age.rekey = {
     inherit
       (inputs.self.secretsConfig)
       masterIdentities
diff --git a/hosts/common/initrd-ssh.nix b/hosts/common/initrd-ssh.nix
index 0dbb0fe..ee0122e 100644
--- a/hosts/common/initrd-ssh.nix
+++ b/hosts/common/initrd-ssh.nix
@@ -4,13 +4,14 @@
   nodePath,
   ...
 }: {
-  rekey.secrets.initrd_host_ed25519_key.file = nodePath + "/secrets/initrd_host_ed25519_key.age";
+  # TODO generate script
+  age.secrets.initrd_host_ed25519_key.file = nodePath + "/secrets/initrd_host_ed25519_key.age";
 
   boot.initrd.network.enable = true;
   boot.initrd.network.ssh = {
     enable = true;
     port = 4;
-    hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
+    hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
   };
 
   # Make sure that there is always a valid initrd hostkey available that can be installed into
@@ -21,8 +22,8 @@
   # for the first time, and the secrets were rekeyed for the the new host identity.
   system.activationScripts.agenixEnsureInitrdHostkey = {
     text = ''
-      [[ -e ${config.rekey.secrets.initrd_host_ed25519_key.path} ]] \
-        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.rekey.secrets.initrd_host_ed25519_key.path}
+      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
+        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
     '';
     deps = ["agenixInstall"];
   };
diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
index 8020915..180c64c 100644
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -1,8 +1,8 @@
 {config, ...}: let
   inherit (config.repo.secrets.local) acme;
 in {
-  rekey.secrets.acme-credentials = {
-    file = ./secrets/acme-credentials.age;
+  age.secrets.acme-credentials = {
+    rekeyFile = ./secrets/acme-credentials.age;
     mode = "440";
     group = "acme";
   };
@@ -11,7 +11,7 @@ in {
     acceptTerms = true;
     defaults = {
       inherit (acme) email;
-      credentialsFile = config.rekey.secrets.acme-credentials.path;
+      credentialsFile = config.age.secrets.acme-credentials.path;
       dnsProvider = "cloudflare";
       dnsPropagationCheck = true;
       reloadServices = ["nginx"];
diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
index faf7307..a3a3cb1 100644
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@@ -15,8 +15,8 @@ in {
   # TODO     message = "non-deterministic uid detected for: ${name}";
   # TODO   });
 
-  rekey.secrets.loki-basic-auth = {
-    file = ./secrets/loki-basic-auth.age;
+  age.secrets.loki-basic-auth = {
+    rekeyFile = ./secrets/loki-basic-auth.age;
     mode = "440";
     group = "caddy";
   };
@@ -125,7 +125,7 @@ in {
         encode zstd gzip
         skip_log
         basicauth {
-          import ${config.rekey.secrets.loki-basic-auth.path}
+          import ${config.age.secrets.loki-basic-auth.path}
         }
         reverse_proxy {
           to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
diff --git a/hosts/sentinel/secrets/loki-basic-auth.age b/hosts/sentinel/secrets/loki-basic-auth.age
index 16d2be20470ec83e3d10e83dc3c2bff74b2ba5d2..50f10466068ef4865d75a23b1ed93941df0be1bf 100644
GIT binary patch
delta 386
zcmV-|0e$|T1DOMmAb&zPVMAt8XEAwpL1sflHb!nnGI?=&cVRO_cu#UzYE@`RcWpIJ
zaAHbnRSHjJI5cT<Mnh6|cSUDdH8(3~S#mXRLU~VaZ9+_WHhN8BXK;5mFGx-=O$seO
zAaH4REpRe5HXwL$Q)M_&AVGLWL3C_)Wk_}}cUo9^S#UQ(Z+~leFh^8zVs>p-Yh*Dm
zVN+>1Z9y?(ZE*@@Nory+RZ3AwHZx^aY&1|tOh`mhbT@5va$!$MS!FRvFKJ0uW<_mA
zHfstkJ|HnIXL4m>b7de@b8QMsW?^h(cM2^nEg*V$W^-mUcX(|}T60KhOLa+3MpG+m
zSUFR9OEof3YI|^XFe_&?OgKtbV@V1dpIP%l0AlcJGTgbgNZKx<B}-347lbVn%EU`}
z<Ws&>cEpqPCGc_UXe}tkE&cfgS@uMfAAdehgD0$i^nbu`oNlYQRs{FIrxpuh^J+>?
gb#$Sx3m&4iOlqN#yEQqU3S!i7_(2~}0Fo7jeOy|Ne*gdg

delta 393
zcmV;40e1eG1D^wsAb)smHDg3}NkLO}GIMBULP9WFQ%posQdDYqOHWZoMo)E6L2NK^
zc4%@{K?*lWQAkQmN?0#AD?&q8Yi&kicvUtycy>fKT5ecLLt|HMD>gVeMKo4yRSGRW
zAaH4REpRe5HXwL$Q)M_&AVG6WF=}T-Y(q0pNNYhdYFKq<F@Jh;Mn)@4Rx~+gFIZ1O
zGhtINNoQALaCQo5N=j@-MowBYLs~aDLTOJqGeu@{VNqviR#H+;Gc!1Mbzx30XE!%C
zNkIxNJ|I15MJ;D?Wnpt=3U*atVRuhbNI7mvFEwd+MmJYZHB~cX3N0-yAahMOZD}$_
zVrFJmLo!D*Lw{^;MtVqMO>RR%W>Qa9O)D=@NKR!$G;w8ONeY10Gbu0iE=1q5g=Q#x
zt^_aB&%h;9qz9OzYX=>*^{d@>&O?>DH5IvjLtJR5DW^@WX+(gYiR#qTGcO(#ZBJTp
n<4bA*X^PF}%mwttSs;;LgS<Zs;4^|XN%!CWK8bu}m;#r{Z2F3|

diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index e7977ac..a68f676 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -24,6 +24,7 @@ in {
 
     ./fs.nix
     ./net.nix
+    ./promtail.nix
   ];
 
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
@@ -68,7 +69,7 @@ in {
     parentNodeName,
     ...
   }: {
-    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+    age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
 
     extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
@@ -91,14 +92,14 @@ in {
       };
     };
 
-    rekey.secrets.grafana-secret-key = {
-      file = ./secrets/grafana-secret-key.age;
+    age.secrets.grafana-secret-key = {
+      rekeyFile = ./secrets/grafana-secret-key.age;
       mode = "440";
       group = "grafana";
     };
 
-    rekey.secrets.loki-basic-auth-password-grafana = {
-      file = ./secrets/loki-basic-auth-password-grafana.age;
+    age.secrets.loki-basic-auth-password = {
+      rekeyFile = ./secrets/loki-basic-auth-password.age;
       mode = "440";
       group = "grafana";
     };
@@ -116,14 +117,11 @@ in {
           enable_gzip = true;
           http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
           http_port = 3001;
-          # cert_key = /etc/grafana/grafana.key;
-          # cert_file = /etc/grafana/grafana.crt;
-          # protocol = "https"
         };
 
         security = {
           disable_initial_admin_creation = true;
-          secret_key = "$__file{${config.rekey.secrets.grafana-secret-key.path}}";
+          secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
           cookie_secure = true;
           disable_gravatar = true;
           hide_version = true;
@@ -137,7 +135,7 @@ in {
           allow_sign_up = true;
           auto_login = true;
           client_id = "grafana";
-          #client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
+          #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
           client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
           scopes = "openid email profile";
           login_attribute_path = "prefered_username";
@@ -167,8 +165,8 @@ in {
             url = "https://${lokiDomain}";
             orgId = 1;
             basicAuth = true;
-            basicAuthUser = "grafana";
-            secureJsonData.basicAuthPassword = "$__file{${config.rekey.secrets.loki-basic-auth-password-grafana.path}}";
+            basicAuthUser = "iB6UEjt4so4xWqei";
+            secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
           }
         ];
       };
@@ -180,13 +178,12 @@ in {
     config,
     ...
   }: {
-    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
+    age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
 
     extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
     networking.nftables.firewall = {
       zones = lib.mkForce {
-        #local-vms.interfaces = ["local-vms"];
         proxy-sentinel.interfaces = ["proxy-sentinel"];
         sentinel = {
           parent = "proxy-sentinel";
@@ -204,13 +201,13 @@ in {
       };
     };
 
-    rekey.secrets."kanidm-self-signed.crt" = {
-      file = ./secrets/kanidm-self-signed.crt.age;
+    age.secrets."kanidm-self-signed.crt" = {
+      rekeyFile = ./secrets/kanidm-self-signed.crt.age;
       mode = "440";
       group = "kanidm";
     };
-    rekey.secrets."kanidm-self-signed.key" = {
-      file = ./secrets/kanidm-self-signed.key.age;
+    age.secrets."kanidm-self-signed.key" = {
+      rekeyFile = ./secrets/kanidm-self-signed.key.age;
       mode = "440";
       group = "kanidm";
     };
@@ -221,8 +218,8 @@ in {
       serverSettings = {
         domain = authDomain;
         origin = "https://${config.services.kanidm.serverSettings.domain}";
-        tls_chain = config.rekey.secrets."kanidm-self-signed.crt".path;
-        tls_key = config.rekey.secrets."kanidm-self-signed.key".path;
+        tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
+        tls_key = config.age.secrets."kanidm-self-signed.key".path;
         bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
         trust_x_forward_for = true;
       };
@@ -247,7 +244,7 @@ in {
     utils,
     ...
   }: {
-    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
+    age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
 
     extra.wireguard.proxy-sentinel.client.via = "sentinel";
 
diff --git a/hosts/ward/promtail.nix b/hosts/ward/promtail.nix
index 09a92e5..819657f 100644
--- a/hosts/ward/promtail.nix
+++ b/hosts/ward/promtail.nix
@@ -1,20 +1,45 @@
 {
-  lib,
   config,
+  lib,
+  nodeName,
+  nodes,
   parentNodeName,
   ...
-}: {
+}: let
+  inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
+  lokiDomain = "loki.${personalDomain}";
+in {
+  age.secrets.loki-basic-auth-password = {
+    rekeyFile = ./secrets/loki-basic-auth-password.age;
+    file = ./aaa;
+    #file = ./aaa;
+    #generate = "alnum48";
+    mode = "440";
+    group = "promtail";
+  };
+
+  #age.secrets.loki-basic-auth-password = {
+  #  generate = "alnum48";
+  #  mode = "440";
+  #  group = "promtail";
+  #};
+
   services.promtail = {
     enable = true;
     configuration = {
-      server.http_listen_port = 9080;
-      server.grpc_listen_port = 0;
+      server = {
+        http_listen_port = 9080;
+        grpc_listen_port = 0;
+        log_level = "warn";
+      };
 
       clients = [
         {
-          basic_auth.username = "promtail@thalheim.io";
-          basic_auth.password_file = config.sops.secrets.promtail-password.path;
-          url = "http://loki.r/loki/api/v1/push";
+          #basic_auth.username = nodeName;
+          #basic_auth.password_file = config.age.random-secrets.loki-basic-auth-password.path;
+          basic_auth.username = "iB6UEjt4so4xWqei";
+          basic_auth.password_file = config.age.secrets.loki-basic-auth-password.path;
+          url = "https://${lokiDomain}/loki/api/v1/push";
         }
       ];
 
@@ -23,7 +48,7 @@
           job_name = "journal";
           journal = {
             json = true;
-            max_age = "12h";
+            max_age = "24h";
             labels.job = "systemd-journal";
           };
           pipeline_stages = [
@@ -55,7 +80,6 @@
             {
               template = {
                 source = "msg";
-                # FIXME would be cleaner to have this in a match block, but could not get it to work
                 template = "{{if .coredump_exe}}{{.coredump_exe}} core dumped (user: {{.coredump_uid}}/{{.coredump_gid}}, command: {{.coredump_cmdline}}){{else}}{{.msg}}{{end}}";
               };
             }
@@ -83,6 +107,30 @@
               source_labels = ["__journal__hostname"];
               target_label = "host";
             }
+            {
+              source_labels = ["__journal_priority"];
+              target_label = "priority";
+            }
+            {
+              source_labels = ["__journal_priority_keyword"];
+              target_label = "level";
+            }
+            #{
+            #  source_labels = ["__journal__systemd_unit"];
+            #  target_label = "unit";
+            #}
+            {
+              source_labels = ["__journal__systemd_user_unit"];
+              target_label = "user_unit";
+            }
+            {
+              source_labels = ["__journal__boot_id"];
+              target_label = "boot_id";
+            }
+            {
+              source_labels = ["__journal__comm"];
+              target_label = "command";
+            }
           ];
         }
       ];
diff --git a/hosts/ward/secrets/loki-basic-auth-password-grafana.age b/hosts/ward/secrets/loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/loki-basic-auth-password-grafana.age
rename to hosts/ward/secrets/loki-basic-auth-password.age
diff --git a/hosts/ward/vaultwarden.nix b/hosts/ward/vaultwarden.nix
index 1ef30ae..64fb243 100644
--- a/hosts/ward/vaultwarden.nix
+++ b/hosts/ward/vaultwarden.nix
@@ -33,7 +33,7 @@
     #SMTP_SECURITY = "force_tls";
     #SMTP_USERNAME={{ vaultwarden_smtp_username }};
     #SMTP_PASSWORD={{ vaultwarden_smtp_password }};
-    #environmentFile = config.rekey.secrets.vaultwarden-env.path;
+    #environmentFile = config.age.secrets.vaultwarden-env.path;
   };
 
   # Replace uses of old name
@@ -58,8 +58,8 @@
     virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
       forceSSL = true;
       #enableACME = true;
-      sslCertificate = config.rekey.secrets."selfcert.crt".path;
-      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      sslCertificate = config.age.secrets."selfcert.crt".path;
+      sslCertificateKey = config.age.secrets."selfcert.key".path;
       locations."/" = {
         proxyPass = "http://vaultwarden";
         proxyWebsockets = true;
diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
index ee16b8b..b4f9d1c 100644
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@@ -26,8 +26,8 @@
     virtualHosts."${config.repo.secrets.local.esphome.domain}" = {
       forceSSL = true;
       #enableACME = true;
-      sslCertificate = config.rekey.secrets."selfcert.crt".path;
-      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      sslCertificate = config.age.secrets."selfcert.crt".path;
+      sslCertificateKey = config.age.secrets."selfcert.key".path;
       locations."/" = {
         proxyPass = "http://esphome";
         proxyWebsockets = true;
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index 4dbd9ae..d6afc7d 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -89,14 +89,14 @@ in {
     extraPackages = python3Packages: with python3Packages; [psycopg2];
   };
 
-  rekey.secrets."home-assistant-secrets.yaml" = {
-    file = ./secrets/home-assistant-secrets.yaml.age;
+  age.secrets."home-assistant-secrets.yaml" = {
+    rekeyFile = ./secrets/home-assistant-secrets.yaml.age;
     owner = "hass";
   };
 
   systemd.services.home-assistant = {
     preStart = lib.mkBefore ''
-      ln -sf ${config.rekey.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml
+      ln -sf ${config.age.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml
       touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
     '';
   };
@@ -118,8 +118,8 @@ in {
       serverAliases = ["192.168.1.21"]; # TODO remove later
       forceSSL = true;
       #enableACME = true;
-      sslCertificate = config.rekey.secrets."selfcert.crt".path;
-      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      sslCertificate = config.age.secrets."selfcert.crt".path;
+      sslCertificateKey = config.age.secrets."selfcert.key".path;
       locations."/" = {
         proxyPass = "http://homeassistant";
         proxyWebsockets = true;
diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
index 947c999..0996dfa 100644
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@@ -8,7 +8,7 @@
   disabledModules = ["services/networking/hostapd.nix"];
 
   # Associates each known client to a unique password
-  rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
+  age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age;
 
   services.hostapd = {
     enable = true;
@@ -22,7 +22,7 @@
         macAcl = "allow";
         apIsolate = true;
         authentication = {
-          saePasswordsFile = config.rekey.secrets.wifi-clients.path;
+          saePasswordsFile = config.age.secrets.wifi-clients.path;
           saeAddToMacAllow = true;
           enableRecommendedPairwiseCiphers = true;
         };
diff --git a/hosts/zackbiene/mosquitto.nix b/hosts/zackbiene/mosquitto.nix
index 11cc642..9e3f964 100644
--- a/hosts/zackbiene/mosquitto.nix
+++ b/hosts/zackbiene/mosquitto.nix
@@ -3,14 +3,14 @@
   config,
   ...
 }: {
-  rekey.secrets.mosquitto-pw-zigbee2mqtt = {
-    file = ./secrets/mosquitto-pw-zigbee2mqtt.age;
+  age.secrets.mosquitto-pw-zigbee2mqtt = {
+    rekeyFile = ./secrets/mosquitto-pw-zigbee2mqtt.age;
     mode = "440";
     owner = "zigbee2mqtt";
     group = "mosquitto";
   };
-  rekey.secrets.mosquitto-pw-home_assistant = {
-    file = ./secrets/mosquitto-pw-home_assistant.age;
+  age.secrets.mosquitto-pw-home_assistant = {
+    rekeyFile = ./secrets/mosquitto-pw-home_assistant.age;
     mode = "440";
     owner = "hass";
     group = "mosquitto";
@@ -24,11 +24,11 @@
         acl = ["pattern readwrite #"];
         users = {
           zigbee2mqtt = {
-            passwordFile = config.rekey.secrets.mosquitto-pw-zigbee2mqtt.path;
+            passwordFile = config.age.secrets.mosquitto-pw-zigbee2mqtt.path;
             acl = ["readwrite #"];
           };
           home_assistant = {
-            passwordFile = config.rekey.secrets.mosquitto-pw-home_assistant.path;
+            passwordFile = config.age.secrets.mosquitto-pw-home_assistant.path;
             acl = ["readwrite #"];
           };
         };
diff --git a/hosts/zackbiene/nginx.nix b/hosts/zackbiene/nginx.nix
index c1abe4e..816818d 100644
--- a/hosts/zackbiene/nginx.nix
+++ b/hosts/zackbiene/nginx.nix
@@ -3,18 +3,18 @@
   config,
   ...
 }: {
-  rekey.secrets."selfcert.crt" = {
-    file = ./secrets/selfcert.crt.age;
+  age.secrets."selfcert.crt" = {
+    rekeyFile = ./secrets/selfcert.crt.age;
     mode = "440";
     group = "nginx";
   };
-  rekey.secrets."selfcert.key" = {
-    file = ./secrets/selfcert.key.age;
+  age.secrets."selfcert.key" = {
+    rekeyFile = ./secrets/selfcert.key.age;
     mode = "440";
     group = "nginx";
   };
-  rekey.secrets."dhparams.pem" = {
-    file = ./secrets/dhparams.pem.age;
+  age.secrets."dhparams.pem" = {
+    rekeyFile = ./secrets/dhparams.pem.age;
     mode = "440";
     group = "nginx";
   };
diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix
index 7f72959..c50dddd 100644
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@@ -3,8 +3,8 @@
   config,
   ...
 }: {
-  rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
-    file = ./secrets/mosquitto-pw-zigbee2mqtt.yaml.age;
+  age.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
+    rekeyFile = ./secrets/mosquitto-pw-zigbee2mqtt.yaml.age;
     mode = "440";
     owner = "zigbee2mqtt";
     group = "mosquitto";
@@ -22,7 +22,7 @@
       mqtt = {
         server = "mqtt://localhost:1883";
         user = "zigbee2mqtt";
-        password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
+        password = "!${config.age.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
       };
       # TODO once 1.30.3 is out
       # frontend.host = "/run/zigbee2mqtt/zigbee2mqtt.sock";
@@ -41,8 +41,8 @@
     virtualHosts."${config.repo.secrets.local.zigbee2mqtt.domain}" = {
       forceSSL = true;
       #enableACME = true;
-      sslCertificate = config.rekey.secrets."selfcert.crt".path;
-      sslCertificateKey = config.rekey.secrets."selfcert.key".path;
+      sslCertificate = config.age.secrets."selfcert.crt".path;
+      sslCertificateKey = config.age.secrets."selfcert.key".path;
       locations."/".proxyPass = "http://zigbee2mqtt";
       # TODO dynamic definitions for the "local" network, IPv6
       extraConfig = ''
diff --git a/modules/extra.nix b/modules/extra.nix
index d3015ca..df22176 100644
--- a/modules/extra.nix
+++ b/modules/extra.nix
@@ -58,7 +58,7 @@ in {
 
       # SSL config
       sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-      sslDhparam = config.rekey.secrets."dhparams.pem".path;
+      sslDhparam = config.age.secrets."dhparams.pem".path;
       commonHttpConfig = ''
         error_log syslog:server=unix:/dev/log;
         access_log syslog:server=unix:/dev/log;
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 71469e1..3a3c307 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -152,19 +152,21 @@
       (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))
     );
 
-    rekey.secrets =
+    age.secrets =
       concatAttrs (map
         (other: {
           ${peerPresharedKeySecret nodeName other} = {
-            file = peerPresharedKeyPath nodeName other;
+            rekeyFile = peerPresharedKeyPath nodeName other;
             owner = "systemd-network";
+            # TODO gen func
           };
         })
         neededPeers)
       // {
         ${peerPrivateKeySecret nodeName} = {
-          file = peerPrivateKeyPath nodeName;
+          rekeyFile = peerPrivateKeyPath nodeName;
           owner = "systemd-network";
+          # TODO gen func
         };
       };
 
@@ -176,7 +178,7 @@
       };
       wireguardConfig =
         {
-          PrivateKeyFile = config.rekey.secrets.${peerPrivateKeySecret nodeName}.path;
+          PrivateKeyFile = config.age.secrets.${peerPrivateKeySecret nodeName}.path;
         }
         // optionalAttrs isServer {
           ListenPort = wgCfg.server.port;
@@ -190,7 +192,7 @@
           in {
             wireguardPeerConfig = {
               PublicKey = builtins.readFile (peerPublicKeyPath serverNode);
-              PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName serverNode}.path;
+              PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName serverNode}.path;
               AllowedIPs = serverAllowedIPs serverNode;
               Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
             };
@@ -202,7 +204,7 @@
           in {
             wireguardPeerConfig = {
               PublicKey = builtins.readFile (peerPublicKeyPath peerName);
-              PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName peerName}.path;
+              PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName peerName}.path;
               AllowedIPs = map (net.cidr.make 128) ips;
               # Connections to external peers should always be kept alive
               PersistentKeepalive = 25;
@@ -215,7 +217,7 @@
           in {
             wireguardPeerConfig = {
               PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
-              PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
+              PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
               AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
             };
           })
@@ -229,7 +231,7 @@
               in
                 {
                   PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
-                  PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
+                  PresharedKeyFile = config.age.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
                   Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
                   # Access to the whole network is routed through our entry node.
                   # TODO this should add any routedAddresses on ANY server in the network, right?
@@ -414,6 +416,6 @@ in {
   };
 
   config = mkIf (cfg != {}) (mergeToplevelConfigs
-    ["assertions" "rekey" "networking" "systemd"]
+    ["assertions" "age" "networking" "systemd"]
     (mapAttrsToList configForNetwork cfg));
 }
diff --git a/nix/apps/default.nix b/nix/apps/default.nix
index 700fdbc..59b92ed 100644
--- a/nix/apps/default.nix
+++ b/nix/apps/default.nix
@@ -13,6 +13,7 @@
   apps = [
     ./draw-graph.nix
     ./format-secrets.nix
+    ./generate-secrets.nix
     ./generate-wireguard-keys.nix
     ./show-wireguard-qr.nix
   ];
diff --git a/nix/apps/generate-secrets.nix b/nix/apps/generate-secrets.nix
new file mode 100644
index 0000000..2bb3bd4
--- /dev/null
+++ b/nix/apps/generate-secrets.nix
@@ -0,0 +1,39 @@
+{
+  self,
+  pkgs,
+  ...
+} @ inputs: let
+  inherit
+    (pkgs.lib)
+    assertMsg
+    removePrefix
+    hasPrefix
+    concatStringsSep
+    filterAttrs
+    escapeShellArg
+    flatten
+    mapAttrsToList
+    ;
+
+  inherit (self.extraLib) rageEncryptArgs;
+
+  flakeDir = toString self.sourceInfo.outPath;
+  relativeToFlake = x: let
+    xFile = toString x;
+  in
+    assert assertMsg (hasPrefix flakeDir xFile) "${xFile} must be a subpath of ${flakeDir}";
+      "." + removePrefix flakeDir xFile;
+
+  x = nodeName: nodeCfg:
+    mapAttrsToList (_: s: ''
+      echo ${escapeShellArg (relativeToFlake s.file)}
+    '') (filterAttrs (_: s: s.generate != null) nodeCfg.config.rekey.secrets);
+in
+  pkgs.writeShellScript "generate-secrets" ''
+    set -euo pipefail
+    if [[ ! -e flake.nix ]] ; then
+      echo "this script must be executed from your flake's root directory." >&2;
+      exit 1
+    fi
+    ${concatStringsSep "\n" (flatten (mapAttrsToList x self.nodes))}
+  ''