feat: Use age for env secret management
Some checks failed
CI / Flake Check (push) Has been cancelled
CI / Evaluate Key Configurations (nix-builder) (push) Has been cancelled
CI / Evaluate Key Configurations (nix-desktop1) (push) Has been cancelled
CI / Evaluate Key Configurations (nix-laptop1) (push) Has been cancelled
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Has been cancelled
CI / Evaluate Artifacts (lxc-nix-builder) (push) Has been cancelled
CI / Build and Publish Documentation (push) Has been cancelled
CI / Format Check (push) Has been cancelled

This commit is contained in:
UGA Innovation Factory
2026-01-30 20:54:31 +00:00
parent dd19d1488a
commit 23da829033
12 changed files with 382 additions and 21 deletions


@@ -78,29 +78,48 @@ age -R secrets/nix-builder/ssh_host_ed25519_key.pub \
-o secrets/nix-builder/ssh_host_key.age < /etc/ssh/ssh_host_ed25519_key
```
### 4. Using ragenix CLI (Recommended)
### 4. Creating and Editing Secrets
The `ragenix` CLI tool simplifies secret management. The `secrets/secrets.nix` file **automatically discovers** hosts and their keys from the directory structure:
**For new secrets**, use the helper script (automatically determines recipients):
```bash
cd secrets/
# Create a host-specific secret
./create-secret.sh usda-dash/database-url.age <<< "postgresql://..."
# Create a global secret
echo "shared-api-key" | ./create-secret.sh global/api-key.age
# From a file
./create-secret.sh nix-builder/ssh-key.age < ~/.ssh/id_ed25519
```
The script automatically includes the correct recipients:
- **Host-specific**: that host's keys + global keys + admin keys
- **Global**: all host keys + admin keys
**To edit existing secrets**, use `ragenix`:
```bash
# Install ragenix
nix shell github:yaxitech/ragenix
# Edit a secret (creates if doesn't exist)
# Recipients are automatically determined based on the path:
# - secrets/global/*.age -> encrypted for ALL hosts + admins
# - secrets/{hostname}/*.age -> encrypted for that host + global keys + admins
ragenix -e secrets/global/example.age
# Edit an existing secret (you must have a decryption key)
ragenix -e secrets/global/existing-secret.age
# Re-key all secrets after adding/removing hosts
# Re-key all secrets after adding new hosts
ragenix -r
```
The `secrets.nix` file automatically:
- **Discovers hosts** from directory names in `secrets/`
- **Reads age public keys** from `.age.pub` files in each directory
- **Generates recipient lists** based on secret location (global vs host-specific)
- **Includes admin keys** from `secrets/admins/*.age.pub` for editing
**Why create with `age` first?** Ragenix requires the `.age` file to exist before editing. The `secrets/secrets.nix` configuration auto-discovers recipients from the directory structure, but ragenix doesn't support wildcard patterns for creating new files.
**Recipient management** is automatic:
- **Global secrets** (`secrets/global/*.age`): encrypted for ALL hosts + admins
- **Host secrets** (`secrets/{hostname}/*.age`): encrypted for that host + global keys + admins
- **Admin keys** from `secrets/admins/*.age.pub` allow editing from your workstation
After creating new .age files with `age`, use `ragenix -r` to re-key all secrets with the updated recipient configuration.
To add admin keys for editing secrets:
```bash
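Review bot: the two "create" examples in the first code block, `./create-secret.sh usda-dash/database-url.age <<< "postgresql://..."` and `echo "shared-api-key" | ./create-secret.sh global/api-key.age`, put the secret value on the interactive command line, so it is recorded in the user's shell history file; the third form, `./create-secret.sh nix-builder/ssh-key.age < ~/.ssh/id_ed25519`, reads from a file and avoids that. Suggest making the file-redirect (or a pipe from a password manager or `ragenix -e`, which opens an editor) the documented way to supply the plaintext and dropping the here-string and `echo` variants, or at least noting that those two leave the secret in history. Separately, the comment `# Edit a secret (creates if doesn't exist)` and the paragraph "Ragenix requires the `.age` file to exist before editing" cannot both be true; whichever of the two this change keeps, the other should go so the doc does not contradict itself, and the duplicated "Re-key all secrets after ..." comment lines should be reduced to one.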