diff --git a/AGENTS.md b/AGENTS.md index e109cf4..356feab 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -99,7 +99,11 @@ Each service file in `services/` follows this structure: - **git-crypt**: `secrets/` directory and `usb-secrets/usb-secrets-key*` are encrypted (see `.gitattributes`) - **agenix**: secrets declared in `modules/age-secrets.nix`, decrypted at runtime to `/run/agenix/` - **Identity**: USB drive at `/mnt/usb-secrets/usb-secrets-key` -- **Encrypting new secrets**: The agenix encryption key is in `usb-secrets/usb-secrets-key` (SSH private key, git-crypt encrypted). To create a new secret: derive the age public key with `ssh-keygen -y -f usb-secrets/usb-secrets-key | ssh-to-age`, then encrypt with `age -r -o secrets/.age`. +- **Encrypting new secrets**: The agenix identity is an SSH private key at `usb-secrets/usb-secrets-key` (git-crypt encrypted). To encrypt a new secret, use the SSH public key directly with `age -R`: + ```bash + age -R <(ssh-keygen -y -f usb-secrets/usb-secrets-key) -o secrets/.age /path/to/plaintext + ``` +- **DO NOT use `ssh-to-age`**. Using `ssh-to-age` to derive a native age public key and then encrypting with `age -r age1...` produces `X25519` recipient stanzas. The SSH private key identity on the server can only decrypt `ssh-ed25519` stanzas. This mismatch causes `age: error: no identity matched any of the recipients` at deploy time. Always use `age -R` with the SSH public key directly. - Never read or commit plaintext secrets. Never log secret values. ### Important Patterns diff --git a/secrets/ci-deploy-key.age b/secrets/ci-deploy-key.age index da1e327..5c52818 100644 Binary files a/secrets/ci-deploy-key.age and b/secrets/ci-deploy-key.age differ diff --git a/secrets/coturn-auth-secret.age b/secrets/coturn-auth-secret.age index d70dd04..6c2046b 100644 Binary files a/secrets/coturn-auth-secret.age and b/secrets/coturn-auth-secret.age differ 
diff --git a/secrets/git-crypt-key-dotfiles.age b/secrets/git-crypt-key-dotfiles.age index 1483fad..2547cfe 100644 Binary files a/secrets/git-crypt-key-dotfiles.age and b/secrets/git-crypt-key-dotfiles.age differ diff --git a/secrets/gitea-runner-token.age b/secrets/gitea-runner-token.age index 8f687a8..3c9d38e 100644 Binary files a/secrets/gitea-runner-token.age and b/secrets/gitea-runner-token.age differ diff --git a/secrets/matrix-reg-token.age b/secrets/matrix-reg-token.age index e5a7398..e2e7405 100644 Binary files a/secrets/matrix-reg-token.age and b/secrets/matrix-reg-token.age differ diff --git a/secrets/murmur-password-env.age b/secrets/murmur-password-env.age index 615f912..825b10e 100644 Binary files a/secrets/murmur-password-env.age and b/secrets/murmur-password-env.age differ
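Review bot: in the AGENTS.md hunk the output path `-o secrets/.age` (present in both the removed and the added line) reads as a literal dotfile; the placeholder for the secret name appears to have been lost, so write it out explicitly (for example `-o secrets/<name>.age`) or the next person will create a file called `.age`. The added `age -R <(ssh-keygen -y -f usb-secrets/usb-secrets-key) ...` also only works once the repo is git-crypt unlocked, since `ssh-keygen -y -f` needs the plaintext private key, and that prerequisite is not stated next to the command even though the same bullet says the file is git-crypt encrypted. The "DO NOT use `ssh-to-age`" rule is right for this setup (agenix decrypts with the SSH key as its identity, so only `ssh-ed25519` stanzas match), but it would be stronger as a check than as a prohibition: the age header is plaintext, so `head -n 2 secrets/<name>.age` should print `age-encryption.org/v1` followed by a `-> ssh-ed25519 ...` stanza, and a `-> X25519 ...` stanza means the file will fail with exactly the `no identity matched any of the recipients` error the hunk describes. Consider adding that one-line verification under the `age -R` example.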
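Review bot: the six `secrets/*.age` files (`ci-deploy-key`, `coturn-auth-secret`, `git-crypt-key-dotfiles`, `gitea-runner-token`, `matrix-reg-token`, `murmur-password-env`) are replaced as opaque binary changes with nothing in the patch saying why. Presumably they are re-encryptions with `age -R` after the `ssh-to-age` mistake described in the AGENTS.md hunk, but a reviewer cannot confirm the recipient type from a binary diff, so the commit message (or a note in AGENTS.md) should say that, and the re-encrypted files should be checked to carry an `ssh-ed25519` recipient stanza rather than `X25519` before this is merged, otherwise the deploy-time failure the hunk documents will simply recur.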