From 31c829f502769c76311a06fcddc895f0dc0a0f88 Mon Sep 17 00:00:00 2001
From: UGA Innovation Factory
Date: Fri, 30 Jan 2026 21:48:57 +0000
Subject: [PATCH] Add SSH-to-age conversion activation script for reliable secret decryption
---
 sw/secrets.nix | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/sw/secrets.nix b/sw/secrets.nix
index 16ec398..8fd1410 100644
--- a/sw/secrets.nix
+++ b/sw/secrets.nix
@@ -191,8 +191,28 @@ in
 # Auto-discovered secrets with default permissions
 age.secrets = applicableSecrets // cfg.secrets.extraSecrets;
 
- # Configure identity paths for decryption based on discovered public keys
- age.identityPaths = identityPaths;
+ # Generate age identity files from SSH host keys at boot
+ # This is needed because age can't reliably use OpenSSH private keys directly
+ system.activationScripts.convertSshToAge = {
+ deps = [ ];
+ text = '' mkdir -p /etc/age if [ -f /etc/ssh/ssh_host_ed25519_key ] && ! [ -f /etc/age/ssh_host_ed25519.age ]; then ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age chmod 600 /etc/age/ssh_host_ed25519.age fi if [ -f /etc/ssh/ssh_host_rsa_key ] && ! [ -f /etc/age/ssh_host_rsa.age ]; then ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_rsa_key > /etc/age/ssh_host_rsa.age 2>/dev/null || true chmod 600 /etc/age/ssh_host_rsa.age 2>/dev/null || true fi ''; };
+ # Add the converted age keys to identity paths (in addition to auto-discovered ones)
+ age.identityPaths = identityPaths ++ [
+ "/etc/age/ssh_host_ed25519.age"
+ "/etc/age/ssh_host_rsa.age"
+ ];
 
 # Optional: Add assertion to warn if no secrets found
 warnings =
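Review bot: The `>` redirect in both new branches of convertSshToAge creates the age private-key file under the activation script's default umask before the following `chmod 600` runs, and in the rsa branch a failing `ssh-to-age` (silenced by `2>/dev/null || true`) leaves an empty `/etc/age/ssh_host_rsa.age` behind that satisfies the `! [ -f ... ]` guard on every later activation and is still handed to agenix through `age.identityPaths`. Putting `umask 077` before the writes closes the permission window, and writing to a temporary path that is only renamed into place on success keeps a failed conversion from poisoning the guard; I am not certain ssh-to-age converts RSA private keys at all, in which case that branch fails on every run. With `deps = [ ]` the ordering relative to agenix's own activation script is not pinned, so whether the converted key exists before the first decryption depends on agenix's deps and is worth confirming. The two branches differ only in the key type, so a loop over them reads more clearly:
```nix
    text = ''
      umask 077
      mkdir -p /etc/age
      for algo in ed25519 rsa; do
        src=/etc/ssh/ssh_host_"$algo"_key
        dst=/etc/age/ssh_host_"$algo".age
        if [ -f "$src" ] && ! [ -f "$dst" ]; then
          # write to a temp file so a failed conversion never leaves an empty key behind
          if ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i "$src" > "$dst.tmp" 2>/dev/null; then
            mv "$dst.tmp" "$dst"
          else
            rm -f "$dst.tmp"
          fi
        fi
      done
    '';
```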