Remove git crypt

Start move to /boot kernel mount
x-os: prepare booting from unencrypted /boot partition
Move to systemd-boot
Remove all unencrypted secrets

hosts/biolimo/.gitattributes

@@ -1 +0,0 @@
-secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C

hosts/biolimo/base.nix

@@ -1,28 +0,0 @@
-{ config, pkgs, lib, ... }:
-with lib;
-let
-  psCfg = config.pub-solar;
-  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
-in
-{
-  imports = [
-    ./configuration.nix
-  ];
-
-  config = {
-    pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin";
-
-    hardware.cpu.intel.updateMicrocode = true;
-
-    networking.firewall.allowedTCPPorts = [
-      5000
-    ];
-
-    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
-      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
-      "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
-      "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
-      "sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
-    };
-  };
-}

hosts/biolimo/biolimo.nix

@@ -10,8 +10,6 @@ in
   ];
 
   config = {
-    pub-solar.x-os.keyfile = "/etc/nixos/hosts/biolimo/secrets/keyfile.bin";
-
     hardware.cpu.intel.updateMicrocode = true;
 
     networking.firewall.allowedTCPPorts = [ 5000 ];

hosts/chocolatebar/.gitattributes

@@ -1 +0,0 @@
-secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C

hosts/chocolatebar/base.nix

@@ -1,31 +0,0 @@
-{ config, pkgs, lib, ... }:
-with lib;
-let
-  psCfg = config.pub-solar;
-  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
-in
-{
-  imports = [
-    ./configuration.nix
-    ./virtualisation
-  ];
-
-  config = {
-    pub-solar.x-os.keyfile = "keyfile-chocolatebar.bin";
-
-    pub-solar.virtualisation.isolateGPU = "rx550x";
-
-    hardware.cpu.amd.updateMicrocode = true;
-
-    hardware.opengl.extraPackages = with pkgs; [
-      rocm-opencl-icd
-      rocm-opencl-runtime
-    ];
-
-    home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
-      "sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
-      "sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
-      "sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
-    };
-  };
-}

hosts/chocolatebar/chocolatebar.nix

@@ -11,8 +11,6 @@ in
   ];
 
   config = {
-    pub-solar.x-os.keyfile = "/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin";
-
     pub-solar.virtualisation.isolateGPU = "rx550x";
 
     hardware.cpu.amd.updateMicrocode = true;

hosts/chocolatebar/hardware-configuration.nix

@@ -22,7 +22,7 @@
 
   boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/afcde41f-9811-4ac8-bb7b-a683844acc5c";
 
-  fileSystems."/boot/efi" =
+  fileSystems."/boot" =
     {
       device = "/dev/disk/by-uuid/12FD-62A8";
       fsType = "vfat";

modules/x-os/boot.nix

@@ -3,41 +3,19 @@
 let
   cfg = config.pub-solar.x-os;
 in
-with lib; {
+{
-  options = {
-    pub-solar.x-os.keyfile = mkOption {
-      type = types.str;
-      description = "Keyfile location";
-    };
-  };
-
   config = {
     # Enable plymouth for better experience of booting
     boot.plymouth.enable = true;
 
-    # Use Keyfile to unlock the root partition to avoid keying in twice.
+    # Mount / luks device in initrd
     # Allow fstrim to work on it.
-    age.secrets.luksKeyFile.file = "${self}/secrets/${cfg.keyfile}";
     boot.initrd = {
-      secrets = { "/keyfile.bin" = "/run/secrets/${cfg.keyfile}"; };
       luks.devices."cryptroot" = {
-        keyFile = "/keyfile.bin";
         allowDiscards = true;
-        fallbackToPassword = true;
       };
     };
 
-    # Use GRUB with encrypted /boot under EFI env.
+    boot.loader.systemd-boot.enable = true;
-    boot.loader = {
-      efi.efiSysMountPoint = "/boot/efi";
-
-      grub = {
-        enable = true;
-        version = 2;
-        device = "nodev";
-        efiSupport = true;
-        enableCryptodisk = true;
-      };
-    };
   };
 }

secrets/.gitattributes

@@ -1,4 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff
-secrets.nix !filter !diff
-README.md !filter !diff

secrets/mopidy.conf

@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-rsa kFDS0A
+pgJUXnYT0UgB7h8dWOBCIO6OuXwpjmBuQpJBXnI2Zh5X2fiGQVyrrcrm8VSWLHOd
+za9SME+PxcGXDGgwaGpCl8tOh93WRUC0RtNTBmoiyzrfkbQtm9gfnt51JpHscuTc
+wzZ9cxMvtKSNGsCuK5oeX9ZxVgXH5QFomwvADXoy14HacgEOzLTPU6vrPrOonGAG
+kDqYDzf87V2BfPttzONoScsVsFV26EQntxDx5/8Hja4ceOvgBwm2GczUzpgfIRCA
+To+az2B1Y0h/BWMqzRAhobuN/UIQcZAKro4uf8SbpKqPQrON+k1tAE+lrMUFLx1A
+2ZayulT/Partcm6L8Yb0JAn24eXFla52XQ6JyukSbtoqZxEQIcjbM34+KFKMftIA
+M8taZIG2JWyFdHBPO4RAMyGbNpQN5hsDvJWGIJePj4bAxW7GX9JJiT7gg1iCKce3
+SINdaBt4O3RJ49wTGqJtMSJSlfzLf7s4zHx5oaozAEt84h97A2Yt/8Lg1Wmc2Aji
+Q4XG6w8OQ/Fk8E/EeSZ27udMHF94TfQ9mzbKdMJRclLDlKKlxeYA6gea4QYb6GLi
+8tY6qnDpF9jwV7ehehM9KYhJcCLw7MYNwGI6oPmTagZCRhXDYULbmK5gfkspcrZ1
+zZn5yOCwt+MA3U2NfpxNOMs0LvaGU7HOruzyD9DLp+4
+-> ssh-ed25519 TnSWKQ SWZZJeUCYeSkYwIKmrsMa/MUkNK7xIn+213hy6X51Uk
+FDzM+HzDh+5+9RI+gjTPKNT74DPSvxA+CKJpHXSMX5c
+-> ssh-rsa 8daibg
+XthUstyN7tDd/vAw3y6knQWNI1M2GEKGDzvmOXFMgwxUcBUNPZmPnZvTfmUXY81Z
+iF13Lruwid0/4Pb9dcYyyifzoqnNb6SvnzczoUSpqQc6m+6BLX4kSTIN1Pulwt8A
+kWrOekvKy9J7Z2QsW6QKfxB4xaAc+BA9kHOgWWpLTyx2GOm0ksLjUnsd3Zo/xXsc
+JpjuSNcsUM9mCP00RjamX1SwrAc/tRnoOSOD6jmED5M0Xfb7bE2AORUQ3Em8B4iG
+CgaTEXFppZN96+BHOumOP1wAbH7uI0EdQP/SvR+qelCH35C0pSWZ4AuyvT5kvoYL
+CyK6GQ8rVnDrBaWQIj4TPhpB1xVxKd01AZX9ITdhPdTATJFwCcVxoWgCTtjNGaIc
+4GldFh0+nXUUV9spzxFbAhiJwy+PHfNfuJ1gyYMrgLY4mQPhA6ntPeWqZOb20cYZ
+ABl7eHN9AAQnibw6EufkgH/U9v81HlWjbLWedAHNPGAldDF5uNrY+FRiqXWT2Ivb
+9CkU/pUFAAcZs7GwEHTVz2dWsuxthS/P/DhN1YshDmY17gTBEf+40SUATsD1wBV0
+tdmbU3i79djbfXXvazR+hi7qDtKo+zJKCDORSq66J70njl0pwN/QIKGQnKt5sYCm
+3kPTZHrR6ys82MhTFk/C1G4aJjQScTz4buA5UH+0hsE
+-> ssh-ed25519 2Ca8Kg eqyr8Yr3rrWlhCd+TmKsnywFdp1mwt3jZwuJzO0TwzM
+mcfYZGTAebrZY9Ool8sPn25wPiwe6StBUzdVAyEErAE
+-> ssh-rsa 2ggJWw
+h00c7evck2bHux9EhMjLQa1f3O3tReLd65LDJB28jH7SbpT6t8Gxfk9tamGFHg4Z
+lGxkzZjK9xnroBpZv5ikuP+tD7A6A2saDXDnnAw+wHUGv0UO5yzr0HPIvwE1bVR5
+GOW1iqPMHKB2v6NeTaBG1g5TohSYEDDINkQv+Q4NyPhdpX9bGd3biWiBAa1gy3Xp
+XmDwtUfBg9IN+EeQTpC/tc4C1pLd3k7E+5pZDQebfTlvXZ83SH05BpBnpakPWNty
+Pf3s/iMwWBiJ+8GiwQ7c6FjTrr9ImJe8nD6mknWGpsMEQ9wB4Bd9l5RTjpTW9wCo
+DNtN8Mo0SGgFXjj/5XO0kMDhDike/GLr6wfD0HVgRP9MtcatvEaezp4RY6NIknjy
+F49KFsZWhzqwU2c4VX3ayFGJHcn/TT6o2QL3qZoI6x23ZFHQlXtQjXfhTkXk2qJt
+565cgrWzLYV7y+DB5fwaG/+Twlnr8rMQOPwyEnrWylh+AY3H/2/M1qQz2b2UQapl
+
+-> }L0d&,o-grease QVMP gPkF4&,`
+YaavYxfymQIl4xRnz1AZxLAY7+r2R9Mftt9AIk11bEymVtCWhsWtSbnhsq9q+fjm
+yYwVUyIh4eeH4oOdz3ssnmB3gg
+--- 5VOiRneXGtTtik3m0OJY8zV8Sboh18DIB4eM07M+1Lo
+ö™:üŠØþI{ˆzþ)ƒô½-tÈ«½©jT»0rE™ÚYæg4wFA³SÖ÷9RÐ
…çë
Q¡5<C2A1>c{ºÈz–j…lÁRAØãàÛH”
L	y£ø²W•6¢¢l>¸–ߪ}­m¤Ý¿óÆbѱ“ô6*ÎËg"ßãÈè}Xˆí>W¬œÛÇ<C39B>ÕTÉÞ­™é¼Ì#
mÍi@êiö:°zõ愲jbc(ƦŸýìùô{ô™¨ª¯©âwã(ÖθÈäyÔ§`iÌó_ïC-`ŽP‘ô³²e«¶ç<C2B6>CÈ»tSÆ5Ž·e÷Zp%þQ´B¿Êh4yžC°dY¿«<C2BF>—Lˆ<Nw½µýÆ<>„ÊVñ4ù/ð:•+Ÿãx5ÚÞÁ8_V F6ð½)a>….
}É‘^h¿óÖ®îÍ<C3AE>ø.Ÿ’<C5B8>»ËË¿GÑà”›ÿ~ÝŒd¢EoZ=|×C•O
ö”x7›,Nƒ•ïú¹PÖ䥈%*I%®kÎ[<5B>ØÐ|-<2D>ÈžT¦úe~3¥6ËÞ!C"Öai/kDmì]<5D>íJ÷Û>ü¬n^»OýÚ—MãÌíü‚SÁ°7„¼»<C2BC>1P\ý€ú?x\;B¸#u”BŽ$hѵ:¶Ë

secrets/secrets.nix

@@ -5,8 +5,8 @@ let
   biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
   biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
 
-  chocolatebar-host = "";
+  chocolatebar-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZT3QrKugNTWNOwYziQnxrT5zFqWQDafWjScDuIpMhN root@chocolatebar";
-  chocolatebar-user = "";
+  chocolatebar-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= ben@chocolatebar";
 
   allKeys = [
     bbcom
@@ -34,5 +34,10 @@ let
 in
 {
   "keyfile-biolimo.bin".publicKeys = biolimoKeys;
-  "keyfile-chocolatebar.bin".publicKeys = biolimoKeys;
+
+  "keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+  "crypto_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+  "hdd_keyfile-chocolatebar.bin".publicKeys = chocolatebarKeys;
+
+  "mopidy.conf".publicKeys = allKeys;
 }

users/ben/.gitattributes

@@ -1 +0,0 @@
-secrets/** filter=git-crypt-4406E80E13CD656C diff=git-crypt-4406E80E13CD656C

users/ben/home.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, self, ... }:
 with lib;
 let
   psCfg = config.pub-solar;
@@ -50,5 +50,6 @@ in
     # xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
   };
 
-  services.mopidy.configuration = mkIf config.pub-solar.audio.enable (builtins.readFile ./secrets/mopidy.conf);
+  age.secrets.mopidyConf.file = "${self}/secrets/mopidy.conf";
+  services.mopidy.extraConfigFiles = [ "/run/secrets/mopidy.conf" ];
 }