fix(restic): convert secrets to rekeyFile, use adminUser.uid

[johnae]

No description provided.

[claude]

Claude finished @johnae's task —— View job

---

Code Review Complete

Review Checklist

• Examine changes in profiles/restic-backup.nix
• Review secret file structure and security implications
• Check for consistency across hosts
• Assess code quality and best practices
• Identify potential bugs or issues
• Evaluate security considerations
• Review test coverage

---

Review Summary

This PR converts restic backup secrets from using file to rekeyFile attributes and replaces the hardcoded UID 1337 with a dynamic adminUser.uid reference. This is a good change that improves maintainability and security.

✅ Strengths

1. Improved Security & Flexibility: Using rekeyFile with agenix-rekey provides better secret management with automatic re-encryption capabilities when keys change.

2. Dynamic UID Management: Replacing hardcoded 1337 with adminUser.uid makes the configuration more flexible and portable across different systems (especially important for Darwin vs NixOS where UIDs differ: 501 vs 1337).

3. Consistent Implementation: The change is applied consistently across all four secret definitions (restic-env, restic-pw, restic-local-env, restic-local-pw).

4. Proper String Conversion: Using toString to convert the UID to a string is the correct approach for the owner attribute.

🔍 Observations

1. Secret Files: The PR adds 28 new rekeyed secret files for various hosts (antares, cygnus, eris, icarus, neptune, orion, sirius). These are properly age-encrypted files stored in the secrets/rekeyed/<hostname>/ structure.

2. Configuration Alignment: The change aligns with the existing codebase pattern where other modules (like users/profiles/accounts.nix) already use rekeyFile.

3. Master Identity Setup: The repository has proper agenix-rekey configuration with master identities and extra encryption pubkeys defined in flake/configurations.nix.

⚠️ Minor Considerations

1. Migration Path: Ensure that existing deployments can handle the transition from file to rekeyFile. The agenix-rekey tool should handle this automatically, but it's worth verifying.

2. Documentation: Consider documenting the rekeying process if not already done, especially for team members who might need to add new secrets or hosts.

❌ No Issues Found

• No bugs detected
• No performance concerns (this is configuration-only change)
• No security vulnerabilities introduced

📝 Test Coverage

Since this is a NixOS configuration change, traditional unit tests don't apply. However, you should verify:

• The configuration evaluates correctly: nix flake check
• Secrets decrypt properly on target hosts
• Restic backups continue to work after deployment

Conclusion

This is a well-executed refactoring that improves the codebase. The changes are minimal, focused, and follow established patterns in the repository. Approved 👍