From 2baeb2e28457fd6ac41f741c62a892f54bb1e9b1 Mon Sep 17 00:00:00 2001
From: ryan4yin
Date: Thu, 25 May 2023 02:52:57 +0800
Subject: [PATCH] feat: use a separate passphraseless ssh key for agenix

---
 secrets/REAME.md | 3 ++-
 secrets/default.nix | 5 ++++-
 secrets/encrypt/smb-credentials.age | 19 +++++++++----------
 secrets/encrypt/wg-business.conf.age | Bin 780 -> 676 bytes
 secrets/secrets.nix | 6 +++---
 5 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/secrets/REAME.md b/secrets/REAME.md
index 4f432103..9a092fd8 100644
--- a/secrets/REAME.md
+++ b/secrets/REAME.md
@@ -50,9 +50,10 @@ Pretend you want to add a new secret file `xxx.age`, then:
 ```
 3. or you can also encrypt an existing file to `xxx.age` by command:
 ```shell
- agenix -e ./encrypt/xxx.age < /path/to/xxx
+ cat /path/to/xxx | agenix -e ./encrypt/xxx.age
 ```
+the agenix use `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub` as encrypt key by default, you need to pass `--identity /path/to/key` to use a custom `/path/to/key.pub` for enctypt.
 ## Deploy Secrets
diff --git a/secrets/default.nix b/secrets/default.nix
index f4a26805..294296cc 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -9,7 +9,10 @@
 agenix.packages."${pkgs.system}".default
 ];
- # # wireguard config used with `wg-quick up wg-business`
+ # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+ age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
+
+ # wireguard config used with `wg-quick up wg-business`
 age.secrets."wg-business.conf" = {
 # wether secrets are symlinked to age.secrets..path
 symlink = true;
diff --git a/secrets/encrypt/smb-credentials.age b/secrets/encrypt/smb-credentials.age
index 140d25ed..ec70dcd7 100644
--- a/secrets/encrypt/smb-credentials.age
+++ b/secrets/encrypt/smb-credentials.age
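Review bot: The added `age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];` replaces the decryption identities the agenix module otherwise derives from the host's SSH host keys with a single file under a user's home directory, so every `age.secrets` entry now depends on `/home` being mounted and that file being readable by root at activation time; a missing file, or a `/home` that is a separate or encrypted volume, leaves the system without its secrets. Because the option is a list, and the re-encrypted `.age` file in this commit still carries the unchanged `Q4ARMQ` recipient stanza (presumably the host key), the host key can stay in as a fallback, e.g. `age.identityPaths = [ "<host ssh private key path>" "/home/ryan/.ssh/juliet-age" ];`. The comment above the new line warns that a key change requires regenerating the encrypted files; it should also state that the key is passphraseless and readable by the `ryan` account, so it must be kept at mode 0600 and not double as a login key. The enclosing attribute set starts and ends outside the hunk.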
@@ -1,11 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0 -gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA --> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA -ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8 --> b[1(F-grease 23C oS"65TE ~50zBiB -eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX -gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA ---- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI -ggs=k+nN"oá/=^Z<~ӎki Gw3є=( Am  -U# \ No newline at end of file +-> ssh-ed25519 epfRpA jNJBiC/XF/yZK+l5KoQiP9Q4Fd3DmkDy+g4NqFsoe3I +k1lFpYcTki0wjwFBDoAwRNZED1bbZI563fFs6wF6cQI +-> ssh-ed25519 Q4ARMQ A5e3ifhn8G+XS16KqT0xtSZVwfE6IXgfN4mP0sr+wQ0 +dKHy5WGc8OxFhlDNEd/ZXPbDcvC7JcFChyK3vkquKjo +-> b9bIm-grease +Y+K1G8OK/DI2E0cCD27xOPeneAZ/hFkw8bvNBZRYmQ0kTLf017wNDrLcIbyYTjpa +/HrKBATlWanuLhzhUFWyBxaJMCqtP35j5TPRCTh7 +--- rSOSvyrgXuiNAx8P3gDV7VaTcbOzwnufTnjhVvsMS7k +3&'6a(@O2'h&SUÅ[@h=Fz̨_DeLE{ds%K \ No newline at end of file 
diff --git a/secrets/encrypt/wg-business.conf.age b/secrets/encrypt/wg-business.conf.age index 76829f37fa0339c2d24df02fa93b150c0f54a8c5..dfb15e4fbd42ae0e7479f326f380683e1328b198 100644 GIT binary patch delta 651 zcmV;60(AY12BZa$C4XgbW>RoLAVN}1S$ab`HA-$dT6cFdS9o(pHfA+BNlRmJVoET2 zYi)3PcX=>oGInW23Tk0Ta87zmHaJa5S5!+`NoQ~G9Gxea%Ew2Wguv3HEAGpBqJblBXKNlAWkd_V?|42Z%ua! zEiEk|Hga-TW`9C>PB2zEGj3KzNOo~=PHa+jGU>3Zps6>VmDTmyLKy5_a3g2v!}bGpu5ZOj%uH4h6<)_+*x*_Yo@ zuMK;CA|tm=%!FtZ@UbTA1!08awa0tL8Tp)FeOZ|tlE`w*LTJ2JdX_^QFYb@6N&-J; z-T~A0e}5i&p$CF^`_E0vV~(TXI}2yq6lfe5w8Bt~mfog^D_b4|)@*k!Gb>u<@BVLs{ysS+ l;g~t$I4_Ws_vRN<8qra+I^+2WA7iO4LcJ4!%mj9(z>nKP43z)? delta 755 zcmV;v^aY;*VO-xgEW@JlbYimws zOjSxn3N1b$b8~1dWn?lnH8D9LQ8YnPO;I2-VPtDGD`j+4a(_)jO-Oe`WMWi7Q#dbc zWn@WEH8Oc@GG$IvQgt;mHE2N!RC!KDF>P%#W@=-1QATfPa7Z{;GD~iHGj~EVV>o15 zL3DU!ZZAV`b4pnXEj}P^Vpc6@a%Ew2Wgt;pY#>@YTnc(qVpnT(cQZ;yPdQ99Z(~tK zRxx;LD>XGrGJkMSH%v8VcR_7oX;gVmVl`o9RBbRcL|IKlcyViOWjIT0IAlQzVNh;i zPgpW9Rxx*BPh)XcS!YdhHbZK7NkUmxX)!}#Vlqm4Gh{J#aye=C$=G%s*P z3N0-yATLaHLQzk7G)h@3M?*41G*3fKRZDVec419%a(`NBLwIIsa%xF$NH}e1Q3~~3 z{GGQ#x^?k77PD%UdYUHBa(kB(Uk-5-fOP1=QCB7?%xST8(|rN(07v2{ z1-g})#n{gt0)t-TzApr{7X@05jCfrx&@m&EE2%hc-EsY|E@Hd}Y%a}1re1E0@m=6P zcbSSLcz=kcvrw1R^Wc3!YN47D8Qo;%EUKQA($3nizJ|-4QJZ}B&FyuTr~GZLu%`^h znflXdlp2QW`%?P|bMFuSHrNAMO0!o`zOlS^EzxU5kl&9oKo`bNGwrK3bQ}n;Q@#Zw zOvi@V3dd@Z=9!u~wVEKIkQe=<{M;FWVVx7YRBUIu_;QzJgm5PakUV|~I+uUtg9kC= zv&-roBS>T^ru$454xOz5H%{YhXR@%E1+i&JsiktJHYLvcOA!YWGk~ZwccjQOktZ<( ljJ%?-2qP@I_;l=IO*!$OpU$P!FnvYcvRJq^uW^8YOCLUVE`R_4 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index eaa72db6..23237f8f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,11 +1,11 @@
 # This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
 let
- # get user's ssh public key by command:
- # cat ~/.ssh/id_ed25519.pub
+ # get my ssh public key for agenix by command:
+ # cat ~/.ssh/juliet-age.pub
 # if you do not have one, you can generate it by command:
 # ssh-keygen -t ed25519
- ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+ ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7FbSWehHoOWCZMDEHLiPCa1ZJ5c6hYMzhKdXssPpE9 ryan@juliet-age";
 users = [ ryan ];
 # get system's ssh public key by command:
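Review bot: The kept context line `# ssh-keygen -t ed25519` no longer matches the key the rewritten comment above it names: without `-f`, ssh-keygen writes to `~/.ssh/id_ed25519`, not `~/.ssh/juliet-age`, so a reader regenerating the key produces a file that `age.identityPaths` in `secrets/default.nix` does not reference. Suggest `# ssh-keygen -t ed25519 -f ~/.ssh/juliet-age` on that line. It would also help to say in the comment that this key is intentionally passphraseless because agenix decrypts with it non-interactively at activation, and that it must therefore stay at mode 0600 and be used for nothing else. The `let` block continues past the end of the hunk.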