Reorganize secrets and ssh keys

The agenix tools needs to read the secrets from a standalone file, but
we also need the same information for the SSH keys.

m/common/ssh.nix

@@ -1,5 +1,9 @@
-{ ... }:
+{ lib, ... }:
 
+let
+  keys = import ../../keys.nix;
+  hostsKeys = lib.mapAttrs (name: value: { publicKey = value; }) keys.hosts;
+in
 {
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
@@ -11,13 +15,7 @@
       ProxyCommand nc -X connect -x localhost:23080 %h %p
   '';
 
-  programs.ssh.knownHosts = {
-    "hut".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1";
-    "owl1".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqMEXO0ApVsBA6yjmb0xP2kWyoPDIWxBB0Q3+QbHVhv";
-    "owl2".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHurEYpQzNHqWYF6B9Pd7W8UPgF3BxEg0BvSbsA7BAdK";
-    "eudy".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+WYPRRvZupqLAG0USKmd/juEPmisyyJaP8hAgYwXsG";
-    "koro".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImiTFDbxyUYPumvm8C4mEnHfuvtBY1H8undtd6oDd67";
-
+  programs.ssh.knownHosts = hostsKeys // {
     "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
     "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
   };

m/hut/ceph.nix

@@ -11,14 +11,14 @@
   # modprobe command.
   boot.kernelModules = [ "ceph" ];
 
-  age.secrets."secrets/ceph-user".file = ./secrets/ceph-user.age;
+  age.secrets.cephUser.file = ../../secrets/ceph-user.age;
 
   fileSystems."/ceph" = {
     fsType = "ceph";
     device = "user@9c8d06e0-485f-4aaf-b16b-06d6daf1232b.cephfs=/";
     options = [
       "mon_addr=10.0.40.40"
-      "secretfile=${config.age.secrets."secrets/ceph-user".path}"
+      "secretfile=${config.age.secrets.cephUser.path}"
     ];
   };
 }

m/hut/gitlab-runner.nix

@@ -1,15 +1,15 @@
 { pkgs, lib, config, ... }:
 
 {
-  age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age;
-  age.secrets."secrets/nosv-token".file = ./secrets/nosv-token.age;
+  age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
+  age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
 
   services.gitlab-runner = {
     enable = true;
     settings.concurrent = 5;
     services = {
       ovni-shell = {
-        registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+        registrationConfigFile = config.age.secrets.ovniToken.path;
         executor = "shell";
         tagList = [ "nix" "xeon" ];
         environmentVariables = {
@@ -17,7 +17,7 @@
         };
       };
       ovni-docker = {
-        registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
+        registrationConfigFile = config.age.secrets.ovniToken.path;
         dockerImage = "debian:stable";
         tagList = [ "docker" "xeon" ];
         registrationFlags = [ "--docker-network-mode host" ];
@@ -27,7 +27,7 @@
         };
       };
       nosv-docker = {
-        registrationConfigFile = config.age.secrets."secrets/nosv-token".path;
+        registrationConfigFile = config.age.secrets.nosvToken.path;
         dockerImage = "debian:stable";
         tagList = [ "docker" "xeon" ];
         registrationFlags = [

m/hut/secrets/ceph-user.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 CAWG4Q 35Ak+Mep9k5KnDLF1ywDbMD4l4mRFg6D0et19tqXxAw
-Wgr+CX4rzrPmUszSidtLAVSvgD80F2dqtd92hGZIFwo
--> ssh-ed25519 MSF3dg OVFvpkAyWTowtxsafstX31H/hJpNZmnOCbvqMIN0+AQ
-VxjRcQmp+BadEh2y0PB96EeizIl3tTQpVu0CWHmsc1s
--> ssh-ed25519 HY2yRg MJSQIpre9m0XnojgXuKQ/+hVBZNrZNGZqplwhqicpjI
-CLkE52iqpoqSnbzisNjQgxTfNqKeaRl5ntcw1d+ZDyQ
--> m$8`De%~-grease '85p}`by
-52zMpprONcawWDDtzHdWNwFoYXErPUnVjhSONbUBpDlqAmJmD1LcAnsU
---- 0vZOPyXQIMMGTwgFfvm8Sn8O7vjrsjGUEy5m/BASCyc
-<EFBFBD>|<04><><EFBFBD>)<29><><EFBFBD><EFBFBD><EFBFBD>*_<>D<EFBFBD>US`<06><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>r <20>s<EFBFBD><73>N<EFBFBD><4E>[֌^e+A1<><31>G.<2E>#<23><><EFBFBD>m<EFBFBD><6D>W<57> <20>5<0C><><EFBFBD><EFBFBD>(