backwards: Add secrets for ssh machine (root) key

hosts/backwards/modules/ssh/default.nix

@@ -1,6 +1,8 @@
 { lib, config, ... }:
 let
   enabled = config.mod.ssh.enable;
+
+  rootSSHKeyPath = "/etc/ssh";
 in
 {
   options = {
@@ -20,6 +22,11 @@ in
       openssh = {
         enable = true;
         ports = [ 1122 ];
+
+        hostKeys = [{
+          path = "${rootSSHKeyPath}/root.backwards";
+          type = "ed25519";
+        }];
       };
     };
 
@@ -28,5 +35,16 @@ in
         allowedTCPPorts = [ 1122 ];
       };
     };
+
+    age.secrets = {
+      "root.backwards" = {
+        file = ../../../../secrets/backwards/root.backwards.age;
+        path = "${rootSSHKeyPath}/root.backwards";
+      };
+      "root.backwards.pub" = {
+        file = ../../../../secrets/backwards/root.backwards.pub.age;
+        path = "${rootSSHKeyPath}/root.backwards.pub";
+      };
+    };
   };
 }

secrets/backwards/root.backwards.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Pu0HWg SsaAxjzGm2Q7rwXGUniBIBFFwnjg/hhy9+c6ZaplCGk
+awhDZ95EJOqz31KAtajWx95t22bhOWmDlMYfKEr9aiI
+-> ssh-ed25519 +oNaHQ QMsREm+h/zLGAxFlGwA85+TVrkRZB96lZQg9Wxnt0zE
+qRxhWfoB/tJW3DCefigcmuptEsUNCm1MPHWJVwbbPr8
+--- GSqVz4fYWPpvi7wq+MC6PXW/HAGnDB3T2YGEPePsqkY
+H(<28><><EFBFBD>8<EFBFBD><38>/<2F>~<7E>!<21>V:<19><><12>ju<6A><75><EFBFBD><EFBFBD><EFBFBD>OD<4F><44><EFBFBD>Io<49><6F><<3C><><EFBFBD>f<EFBFBD>G<EFBFBD>b<EFBFBD><62>/<2F>հ<EFBFBD><D5B0>솘<EFBFBD>
<01> <20>U<EFBFBD>R<EFBFBD><52>(R_Sy~\><3E><>f<EFBFBD><66>;k<><6B>v/<2F><14>B(<28><>I<EFBFBD><49>!<21><><EFBFBD>?<3F><><EFBFBD><EFBFBD><EFBFBD>uq<><71>Ȣ<EFBFBD>0VlP<>h<EFBFBD><68>K<EFBFBD><4B><EFBFBD>j<6A>ҩ?+5l<35><6C>><3E><><EFBFBD><EFBFBD><EFBFBD>Ai
<01>hx !Y<><59><05>]C<0E>MN𽙺<4E><F0BD99BA><EFBFBD>'<27><02>aGʺ<47><CABA><EFBFBD><EFBFBD>Dl<44>ކn,rW	<09><>ĕ<EFBFBD>7<EFBFBD>V<EFBFBD>M<EFBFBD><4D><EFBFBD><EFBFBD>2+<2B>#3y<33>I<EFBFBD>j<sK<73><4B><EFBFBD><EFBFBD>]y<0B>R<EFBFBD>'<27>G1<47><J<0E>e<EFBFBD><65><EFBFBD><EFBFBD>x<EFBFBD>⃐<EFBFBD>2Ӡ<<04><>=Դ<>3<EFBFBD>t<EFBFBD>'<1A>B)<29>@<40>ާ<EFBFBD>ٷ<EFBFBD><D9B7><EFBFBD>rd<72>Rp<52>	<09><><EFBFBD><EFBFBD><EFBFBD>y<EFBFBD>X<EFBFBD><1E><>@<05><18>A<EFBFBD>><3E>Ow<4F><77>7<>Tz<54><7A>:!"<22>2<EFBFBD><17>ı<EFBFBD><C4B1>	<09>|<7C><><EFBFBD>

secrets/backwards/root.backwards.pub.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Pu0HWg P3gzWhc5giZhfHFAPsx3xj3h5geZm4ry5Wznr0m4rGM
+Pl+9HcagLawy3yJXbfq2IPw0agHgIA1WoaIZEz7a1eY
+-> ssh-ed25519 +oNaHQ 36FMdDGTlM/3RM8rTMjvAAYzqF65KiyDbczveRb9tXo
+qlAhrXJeCmoqIP5pGep3cvAATL+Lzj2H2NiisQWGTww
+--- zswHAYFu5pwVD8Z5zxgGdRerFHvzcirEwLeMvE1LDWQ
+<EFBFBD>Hm<11>던VY#:'<27>dIj=<3D><>Ϭ!<21>F
<01> $:٦<><D9A6><EFBFBD>%<08><1C>.n<><6E><05>{<7B>vN<76><1A>՜<EFBFBD>P<EFBFBD>R<15><><EFBFBD>@O4<4F>(<28>6<EFBFBD><36> <20>#P<><50><EFBFBD><EFBFBD>O<EFBFBD><07><>𴑊X<><58>w5ۂ5<DB82><35><EFBFBD><EFBFBD><1F>vop`<60><>(o<>-<2D><>,<2C>T<>Wv

secrets/secrets.nix

@@ -1,6 +1,7 @@
 let
   # see `modules/age/default.nix` where these are defined
   pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel";
+  backwards = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcTK3CUtTsgavuLlbfOqCbHYLtUrIKqnSqYmtzGCZnv root.backwards";
   sombrero = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/NltCo1L+X1OIBfIKzfrbxLpCOerQ4vTIs+QPTXkf/ root@sombrero";
   tadpole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDbyj/vYafqpJH33jFz5HV+gwCiEIJTpxKrEFrBWx73A root@tadpole";
   alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTgiHYcdhS87pPnduLunZVEgLVj4EtbG9XVSZP1l5s5 alex";
@@ -26,6 +27,9 @@ in {
   "pinwheel/work-staging-ovpn.age".publicKeys = [ pinwheel alex ];
   "pinwheel/work-production-ovpn.age".publicKeys = [ pinwheel alex ];
 
+  "backwards/root.backwards.age".publicKeys = [ backwards alex ];
+  "backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];
+
   "sombrero/syncthing-cert.age".publicKeys = [ sombrero alex ];
   "sombrero/syncthing-key.age".publicKeys = [ sombrero alex ];
   "sombrero/alex.sombrero-github.com.age".publicKeys = [ sombrero alex ];