UGA-Innovation-Factory/athenix
3
1
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

Add SSH-to-age conversion activation script for reliable secret decryption
Some checks failed
CI / Flake Check (push) Has been cancelled
Details
CI / Evaluate Key Configurations (nix-builder) (push) Has been cancelled
Details
CI / Evaluate Key Configurations (nix-desktop1) (push) Has been cancelled
Details
CI / Evaluate Key Configurations (nix-laptop1) (push) Has been cancelled
Details
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Has been cancelled
Details
CI / Evaluate Artifacts (lxc-nix-builder) (push) Has been cancelled
Details
CI / Build and Publish Documentation (push) Has been cancelled
Details
CI / Format Check (push) Has been cancelled
Details

Browse Source
This commit is contained in:
UGA Innovation Factory
2026-01-30 21:48:57 +00:00
parent e3bae02f58
commit 31c829f502
1 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
sw/secrets.nix
View File

@@ -191,8 +191,28 @@ in
# Auto-discovered secrets with default permissions
age.secrets = applicableSecrets // cfg.secrets.extraSecrets;
# Configure identity paths for decryption based on discovered public keys
age.identityPaths = identityPaths;
# Generate age identity files from SSH host keys at boot
# This is needed because age can't reliably use OpenSSH private keys directly
system.activationScripts.convertSshToAge = {
deps = [ ];
text = ''
mkdir -p /etc/age
if [ -f /etc/ssh/ssh_host_ed25519_key ] && ! [ -f /etc/age/ssh_host_ed25519.age ]; then
${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age
chmod 600 /etc/age/ssh_host_ed25519.age
fi
if [ -f /etc/ssh/ssh_host_rsa_key ] && ! [ -f /etc/age/ssh_host_rsa.age ]; then
${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_rsa_key > /etc/age/ssh_host_rsa.age 2>/dev/null || true
chmod 600 /etc/age/ssh_host_rsa.age 2>/dev/null || true
fi
'';
};
# Add the converted age keys to identity paths (in addition to auto-discovered ones)
age.identityPaths = identityPaths ++ [
"/etc/age/ssh_host_ed25519.age"
"/etc/age/ssh_host_rsa.age"
];
# Optional: Add assertion to warn if no secrets found
warnings =