From d7922247d2d7e2bf633c19e7362dbf42cd0eb1b4 Mon Sep 17 00:00:00 2001
From: UGA Innovation Factory
Date: Fri, 30 Jan 2026 21:51:19 +0000
Subject: [PATCH] Fix activation script to always regenerate age keys

---
 sw/secrets.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sw/secrets.nix b/sw/secrets.nix
index 8fd1410..95862ff 100644
--- a/sw/secrets.nix
+++ b/sw/secrets.nix
@@ -193,15 +193,16 @@ in
 # Generate age identity files from SSH host keys at boot
 # This is needed because age can't reliably use OpenSSH private keys directly
+ # Must run before agenix tries to decrypt secrets
 system.activationScripts.convertSshToAge = {
- deps = [ ];
+ deps = [ "users" "groups" ];
 text = ''
 mkdir -p /etc/age
- if [ -f /etc/ssh/ssh_host_ed25519_key ] && ! [ -f /etc/age/ssh_host_ed25519.age ]; then
- ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age
- chmod 600 /etc/age/ssh_host_ed25519.age
+ if [ -f /etc/ssh/ssh_host_ed25519_key ]; then
+ ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age || true
+ chmod 600 /etc/age/ssh_host_ed25519.age 2>/dev/null || true
 fi
- if [ -f /etc/ssh/ssh_host_rsa_key ] && ! [ -f /etc/age/ssh_host_rsa.age ]; then
+ if [ -f /etc/ssh/ssh_host_rsa_key ]; then
 ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_rsa_key > /etc/age/ssh_host_rsa.age 2>/dev/null || true
 chmod 600 /etc/age/ssh_host_rsa.age 2>/dev/null || true
 fi
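Review bot: The new ed25519 branch opens `/etc/age/ssh_host_ed25519.age` with a plain `>` redirect under the activation script's default umask and only runs `chmod 600` afterwards, so on every activation the private age identity is created (or truncated) readable to other users until the chmod lands, and because `|| true` swallows a failed conversion, the old `! [ -f … ]` guard that protected a good existing file is gone — a failure now leaves an empty identity behind, which agenix will then fail on with a less obvious error (the rsa branch already discards stderr, which suggests its conversion may not always succeed; worth confirming). Writing under `umask 077` to a temporary file in the same directory and renaming it only on success closes both gaps; the rewrite below covers the ed25519 branch and the rsa branch would mirror it. The `deps = [ "users" "groups" ]` change only orders users/groups before this script; if agenix's own activation script does not list `convertSshToAge` among its deps (not visible in this hunk), the added "Must run before agenix" comment is not actually enforced. The `convertSshToAge` attribute continues past the end of the hunk.
```nix
      umask 077   # private identities and /etc/age must never be group/world readable, even transiently
      mkdir -p /etc/age
      if [ -f /etc/ssh/ssh_host_ed25519_key ]; then
        tmp=$(mktemp /etc/age/.ssh_host_ed25519.XXXXXX)
        if ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > "$tmp"; then
          mv -f "$tmp" /etc/age/ssh_host_ed25519.age   # atomic replace, only with a complete identity
        else
          rm -f "$tmp"
          echo "convertSshToAge: ed25519 conversion failed, keeping previous identity" >&2
        fi
      fi
      # … unchanged: rsa branch, to be restructured the same way …
```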