feat: use a separate passphraseless ssh key for agenix

2026-03-23 18:01:25 +01:00 · 2023-05-25 02:52:57 +08:00
parent 2c3df9ba1e
commit 2baeb2e284
5 changed files with 18 additions and 15 deletions
--- a/secrets/REAME.md
+++ b/secrets/REAME.md
@@ -50,9 +50,10 @@ Pretend you want to add a new secret file `xxx.age`, then:
  ```
 3. or you can also encrypt an existing file to `xxx.age` by command:
  ```shell
-  agenix -e ./encrypt/xxx.age < /path/to/xxx
+  cat /path/to/xxx | agenix -e ./encrypt/xxx.age
  ```

+the agenix use `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub` as encrypt key by default, you need to pass `--identity /path/to/key` to use a custom `/path/to/key.pub` for enctypt.

 ## Deploy Secrets

--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -9,7 +9,10 @@
    agenix.packages."${pkgs.system}".default 
  ];

-  # # wireguard config used with `wg-quick up wg-business`  
+  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+  age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
+
+  # wireguard config used with `wg-quick up wg-business`  
  age.secrets."wg-business.conf" = {
    # wether secrets are symlinked to age.secrets.<name>.path
    symlink = true;
--- a/secrets/encrypt/smb-credentials.age
+++ b/secrets/encrypt/smb-credentials.age
@@ -1,11 +1,10 @@
 age-encryption.org/v1
-> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0
-gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA
-> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA
-ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8
-> b[1(F-grease 23C oS"65TE ~50zBiB
-eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX
-gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA
--- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI
-g·ógs=kî›½+nN½"±äóoÃ¡/=^÷Z§Ÿ<~ÑÓŽk˜i Gw3ó<33>Ñ”=(Aˆm	
-úß¼¶<C2BC>êU#’à
+-> ssh-ed25519 epfRpA jNJBiC/XF/yZK+l5KoQiP9Q4Fd3DmkDy+g4NqFsoe3I
+k1lFpYcTki0wjwFBDoAwRNZED1bbZI563fFs6wF6cQI
+-> ssh-ed25519 Q4ARMQ A5e3ifhn8G+XS16KqT0xtSZVwfE6IXgfN4mP0sr+wQ0
+dKHy5WGc8OxFhlDNEd/ZXPbDcvC7JcFChyK3vkquKjo
+-> b9bIm-grease
+Y+K1G8OK/DI2E0cCD27xOPeneAZ/hFkw8bvNBZRYmQ0kTLf017wNDrLcIbyYTjpa
+/HrKBATlWanuLhzhUFWyBxaJMCqtP35j5TPRCTh7
+--- rSOSvyrgXuiNAx8P3gDV7VaTcbOzwnufTnjhVvsMS7k
+3¤&'§6ažè¢(Ï@OÃÒ2ì'ÕÓ<C393>§h&S¹UèãøûÃ…Ù[@¹h=ðFØäzÌ¨ë¢_ä¿D<C2BF>ÿe‡LE{dñ ìs¨%³K’
--- a/secrets/encrypt/wg-business.conf.age
+++ b/secrets/encrypt/wg-business.conf.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,11 +1,11 @@
 # This file is not imported into your NixOS configuration. It is only used for the agenix CLI.

 let
-  # get user's ssh public key by command:
-  #     cat ~/.ssh/id_ed25519.pub
+  # get my ssh public key for agenix by command:
+  #     cat ~/.ssh/juliet-age.pub
  # if you do not have one, you can generate it by command:
  #     ssh-keygen -t ed25519
-  ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+  ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7FbSWehHoOWCZMDEHLiPCa1ZJ5c6hYMzhKdXssPpE9 ryan@juliet-age";
  users = [ ryan ];

  # get system's ssh public key by command: