fix: Convert ssh keys to age keys
All checks were successful
CI / Format Check (push) Successful in 2s
CI / Flake Check (push) Successful in 1m42s
CI / Evaluate Key Configurations (nix-builder) (push) Successful in 14s
CI / Evaluate Key Configurations (nix-desktop1) (push) Successful in 7s
CI / Evaluate Key Configurations (nix-laptop1) (push) Successful in 8s
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Successful in 20s
CI / Evaluate Artifacts (lxc-nix-builder) (push) Successful in 13s
CI / Build and Publish Documentation (push) Successful in 11s

UGA Innovation Factory
2026-01-30 19:41:34 +00:00
parent 862ae2c864
commit dd19d1488a
12 changed files with 416 additions and 75 deletions


@@ -55,6 +55,14 @@ Or from SSH host key:
cat /etc/ssh/ssh_host_ed25519_key.pub > secrets/nix-builder/ssh_host_ed25519_key.pub
```
**Then convert SSH keys to age format:**
```bash
cd secrets/
./update-age-keys.sh
```
This creates `.age.pub` files that `secrets.nix` uses for ragenix recipient configuration.
### 3. Encrypt Secrets
Encrypt a secret for specific hosts:
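Review bot: the new step "Then convert SSH keys to age format" tells the reader to run `./update-age-keys.sh` but not what the script reads or writes, even though the reader has just copied `ssh_host_ed25519_key.pub` into `secrets/nix-builder/` and is then told only that the script "creates `.age.pub` files". One sentence naming the input pattern (the `ssh_host_ed25519_key.pub` under each host directory), the name of the `.age.pub` file it produces, and any converter the script expects on PATH would make the step reproducible. It should also say the script must be re-run whenever a host key is added or rotated, because `secrets.nix` reads the derived `.age.pub` files rather than the SSH public key itself, so a rotated host key that is not reconverted silently leaves the old recipient in place.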
@@ -72,37 +80,35 @@ age -R secrets/nix-builder/ssh_host_ed25519_key.pub \
### 4. Using ragenix CLI (Recommended)
The `ragenix` CLI tool simplifies secret management:
The `ragenix` CLI tool simplifies secret management. The `secrets/secrets.nix` file **automatically discovers** hosts and their keys from the directory structure:
```bash
# Install ragenix
nix shell github:yaxitech/ragenix
# Edit a secret (creates if doesn't exist)
# Recipients are automatically determined based on the path:
# - secrets/global/*.age -> encrypted for ALL hosts + admins
# - secrets/{hostname}/*.age -> encrypted for that host + global keys + admins
ragenix -e secrets/global/example.age
# Re-key secrets after adding/removing hosts
# Re-key all secrets after adding/removing hosts
ragenix -r
```
Create a `secrets.nix` file in the repository root to define recipients:
```nix
# secrets.nix
let
# System public keys (age format)
nix-builder = "age1...";
usda-dash = "age1...";
# User keys for editing secrets
admin = "age1...";
allHosts = [ nix-builder usda-dash ];
in
{
"secrets/global/example.age".publicKeys = allHosts ++ [ admin ];
"secrets/nix-builder/ssh_host_key.age".publicKeys = [ nix-builder admin ];
"secrets/usda-dash/ssh_host_key.age".publicKeys = [ usda-dash admin ];
}
The `secrets.nix` file automatically:
- **Discovers hosts** from directory names in `secrets/`
- **Reads age public keys** from `.age.pub` files in each directory
- **Generates recipient lists** based on secret location (global vs host-specific)
- **Includes admin keys** from `secrets/admins/*.age.pub` for editing
To add admin keys for editing secrets:
```bash
# Generate personal age key
age-keygen -o ~/.config/age/personal.key
# Extract public key and add to secrets
grep "public key:" ~/.config/age/personal.key | cut -d: -f2 | tr -d ' ' > secrets/admins/your-name.age.pub
```
## Using Secrets in Configuration
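Review bot: the admin-key snippet at the end of the hunk derives the recipient with `grep "public key:" ... | cut -d: -f2 | tr -d ' '`, which depends on the exact comment format age-keygen writes into the identity file; `age-keygen -y ~/.config/age/personal.key` prints the recipient directly and does not break if that comment changes. The same section should also make the consequence of the auto-discovery explicit: every `.age.pub` dropped into `secrets/admins/` becomes a recipient of every secret, both `secrets/global/*.age` and every `secrets/{hostname}/*.age`, so adding or removing an admin key needs the same `ragenix -r` re-key that the hunk currently documents only for "adding/removing hosts". Stating that plainly next to the `age-keygen -o` step would stop a stale admin key from remaining a valid recipient after someone leaves.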