feat: USDA-dash now uses encrypted .env files

fleet/fs.nix

@@ -62,7 +62,9 @@ in
           '';
           example = "32G";
         };
-    };  };  };
+      };
+    };
+  };
 
   config = lib.mkMerge [
     {

secrets.nix

@@ -54,27 +54,10 @@ let
     in
     lenStr >= lenSuffix && lib.substring (lenStr - lenSuffix) lenSuffix str == suffix;
 
-  hasPrefix =
-    prefix: str:
-    let
-      lenPrefix = lib.stringLength prefix;
-    in
-    lib.stringLength str >= lenPrefix && lib.substring 0 lenPrefix str == prefix;
-
   nameValuePair = name: value: { inherit name value; };
 
   secretsPath = ./secrets;
 
-  # Helper to convert SSH public key content to age public key
-  sshToAge =
-    sshPubKey:
-    let
-      # This is a simple check - in practice, use ssh-to-age tool
-      # For now, we'll just use the keys as-is if they look like age keys
-      trimmed = lib.replaceStrings [ "\n" ] [ "" ] sshPubKey;
-    in
-    if lib.substring 0 4 trimmed == "age1" then trimmed else null; # Will need manual conversion with ssh-to-age
-
   # Read all directories in secrets/
   secretDirs = if lib.pathExists secretsPath then lib.readDir secretsPath else { };
 
@@ -181,22 +164,23 @@ let
 
   # Generate wildcard rules for each directory to allow creating new secrets
   wildcardRules = lib.listToAttrs (
-    lib.concatMap (
+    lib.concatMap (dir: [
-      dir:
-      [
       # Match with and without .age extension for ragenix compatibility
       (nameValuePair "secrets/${dir}/*" {
-          publicKeys = let
+        publicKeys =
+          let
             recipients = getRecipients "secrets/${dir}/dummy.age";
-          in unique (lib.filter (k: k != null && k != "") recipients);
+          in
+          unique (lib.filter (k: k != null && k != "") recipients);
       })
       (nameValuePair "secrets/${dir}/*.age" {
-          publicKeys = let
+        publicKeys =
+          let
             recipients = getRecipients "secrets/${dir}/dummy.age";
-          in unique (lib.filter (k: k != null && k != "") recipients);
+          in
+          unique (lib.filter (k: k != null && k != "") recipients);
       })
-      ]
+    ]) (lib.filter (d: d != "admins") directories)
-    ) (lib.filter (d: d != "admins") directories)
   );
 
 in

secrets/secrets.nix

@@ -54,27 +54,10 @@ let
     in
     lenStr >= lenSuffix && lib.substring (lenStr - lenSuffix) lenSuffix str == suffix;
 
-  hasPrefix =
-    prefix: str:
-    let
-      lenPrefix = lib.stringLength prefix;
-    in
-    lib.stringLength str >= lenPrefix && lib.substring 0 lenPrefix str == prefix;
-
   nameValuePair = name: value: { inherit name value; };
 
   secretsPath = ./secrets;
 
-  # Helper to convert SSH public key content to age public key
-  sshToAge =
-    sshPubKey:
-    let
-      # This is a simple check - in practice, use ssh-to-age tool
-      # For now, we'll just use the keys as-is if they look like age keys
-      trimmed = lib.replaceStrings [ "\n" ] [ "" ] sshPubKey;
-    in
-    if lib.substring 0 4 trimmed == "age1" then trimmed else null; # Will need manual conversion with ssh-to-age
-
   # Read all directories in secrets/
   secretDirs = if lib.pathExists secretsPath then lib.readDir secretsPath else { };
 

sw/secrets.nix

@@ -195,7 +195,10 @@ in
     # This is needed because age can't reliably use OpenSSH private keys directly
     # Must run before agenix tries to decrypt secrets
     system.activationScripts.convertSshToAge = {
-      deps = [ "users" "groups" ];
+      deps = [
+        "users"
+        "groups"
+      ];
       text = ''
         mkdir -p /etc/age
         if [ -f /etc/ssh/ssh_host_ed25519_key ]; then