From ec2afd9e927a521edfb68ad9eb3e0e8391d12156 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Thu, 12 Jun 2025 07:40:53 -0700 Subject: use a dedicated SSH key for agenix The key is still stored in 1password, and we add a script to synchronize the key to the host. The existing keys have been rekeyed with the new key. --- docs/secrets.org | 14 ++++++++------ flake.nix | 9 +++++++++ nix/users/fcuny/secrets.nix | 2 +- secrets/secrets.nix | 13 ++++++++++--- secrets/users/fcuny/anthropic-api-key.age | 11 ++++++----- secrets/users/fcuny/llm.age | 11 +++++++---- 6 files changed, 41 insertions(+), 19 deletions(-) diff --git a/docs/secrets.org b/docs/secrets.org index 04452dc..10d4e9b 100644 --- a/docs/secrets.org +++ b/docs/secrets.org @@ -2,14 +2,16 @@ ** SSH keys -Get the ssh key from 1password with the following command: -#+begin_src sh - op read "op://Private/nixos/private key?ssh-format=openssh" > ~/.ssh/nixos - op read "op://Private/nixos/public key?ssh-format=openssh" > ~/.ssh/nixos.pub +Start by synchronizing the SSH key by running `sync-ssh-key` in the repository. + +Then, to create or edit a secret: +#+begin_src + cd (git rev-parse --show-toplevel)/secrets + agenix -i ~/.ssh/agenix -e users/fcuny/llm.age #+end_src -To create or edit a secret: +And to rekey a secret: #+begin_src cd (git rev-parse --show-toplevel)/secrets - agenix -i ~/.ssh/nixos -e users/fcuny/llm.age + agenix -i ~/.ssh/agenix -r #+end_src diff --git a/flake.nix b/flake.nix index 0b1a537..fcbb262 100644 --- a/flake.nix +++ b/flake.nix @@ -63,6 +63,7 @@ system: import nixpkgs { inherit system; + config.allowUnfree = true; overlays = overlays; }; 
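Review bot: `config.allowUnfree = true;` in the `import nixpkgs { ... }` call enables every unfree package for the whole flake, while the only consumer this commit introduces is `pkgs._1password-cli` in the new `sync-agenix-key` script. Scoping the exception keeps it auditable, e.g. `config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "1password-cli" ];` (assuming `lib` is reachable at this point of the flake, which the hunk does not show). The commit message does not mention the unfree change at all; a one-line comment above it such as `# unfree: needed for _1password-cli used by sync-agenix-key` would keep the reason from being lost in a later cleanup.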
@@ -182,6 +183,14 @@ echo "> darwin-rebuild build was successful ✅" echo "> macOS config was successfully applied 🚀" '') + (pkgs.writeScriptBin "sync-agenix-key" '' + set -e + echo "> Copying agenix SSH key from 1password ..." + mkdir -p ~/.ssh + ${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/agenix/private key?ssh-format=openssh" > ~/.ssh/agenix + ${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/agenix/public key" > ~/.ssh/agenix.pub + echo "> agenix SSH key copied successfully 🔐" + '') ] else [ ]; diff --git a/nix/users/fcuny/secrets.nix b/nix/users/fcuny/secrets.nix index 0b6f7b6..1f6c351 100644 --- a/nix/users/fcuny/secrets.nix +++ b/nix/users/fcuny/secrets.nix @@ -1,7 +1,7 @@ { config, ... }: { age = { - identityPaths = [ "${config.home.homeDirectory}/.ssh/nixos" ]; + identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ]; secretsDir = "${config.home.homeDirectory}/.local/share/agenix"; secrets = { diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 883ef91..d824ce1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,9 +1,16 @@ let users = { - fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; + fcunyNixOs = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; + fcunyAgenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t"; }; in { - "users/fcuny/llm.age".publicKeys = [ users.fcuny ]; - "users/fcuny/anthropic-api-key.age".publicKeys = [ users.fcuny ]; + "users/fcuny/llm.age".publicKeys = [ + users.fcunyNixOs + users.fcunyAgenix + ]; + "users/fcuny/anthropic-api-key.age".publicKeys = [ + users.fcunyNixOs + users.fcunyAgenix + ]; } diff --git a/secrets/users/fcuny/anthropic-api-key.age b/secrets/users/fcuny/anthropic-api-key.age index 9928518..e655eaf 100644 --- a/secrets/users/fcuny/anthropic-api-key.age +++ b/secrets/users/fcuny/anthropic-api-key.age 
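Review bot: The new `sync-agenix-key` script writes the private key with a plain `>` redirection, so `~/.ssh/agenix` (and the `~/.ssh` directory from `mkdir -p`) are created with the user's default umask, typically group- and world-readable, rather than owner-only; adding `umask 077` directly after `set -e` fixes both, or `chmod 600 ~/.ssh/agenix` after the first `op read` fixes the key file alone. Because the redirection creates the file before `op read` runs, a failure under `set -e` also leaves an empty `~/.ssh/agenix` behind that the host configuration will then try to use as its agenix identity; writing to a temporary file and moving it into place only on success avoids that. The docs hunk in `docs/secrets.org` tells the reader to run `sync-ssh-key`, but the script defined here is `sync-agenix-key`; one of the two names should change.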
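Review bot: Both `publicKeys` lists keep `users.fcunyNixOs` as a recipient next to `users.fcunyAgenix`, so the old `~/.ssh/nixos` key can still decrypt every secret in the repository even though the commit describes it as replaced by a dedicated key. If this is a deliberate transition, a comment on the `users` set should say so and name the exit condition, e.g. `# fcunyNixOs: legacy recipient, drop and rekey once every host has run sync-agenix-key`; if it is not deliberate, removing `users.fcunyNixOs` from both lists and running `agenix -i ~/.ssh/agenix -r` completes the switch. The `nix/users/fcuny/secrets.nix` hunk already lists only `~/.ssh/agenix` in `identityPaths`, so the configured host no longer uses the old key for decryption, which makes its continued presence as a recipient easy to overlook.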
@@ -1,6 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 9Ia8+w Q6ksvKOR40oiVtNAp9Sa1iCfdef0ntgJ6cRnnSnbWzM -h/i6oBh/E3iUAm1TCruFb5LUGTt3enbFhUcEuxkZ9TY ---- 6uwnMUvrqZaUdXIX7NaYpAzFDB4imIjuoKFPjCKnG/w -'LdzVs0G|ei"ە3*xɫuܴ綳4#ᑪxƙJC(ɒ:d=17$m<덷@W'#6z!fe2 -.6RA0NQTkj (ԉ) \ No newline at end of file +-> ssh-ed25519 9Ia8+w Uuyac8BHIeels3jbOew49uzdZHAKiy4OfzZNVvqHigI +SVrFSS1UIAhds24sVNtcUmSj4pF4ann2sS1Z7uLwlRA +-> ssh-ed25519 pFjJaA Z9ToZUj5+pEF81kDEodCgxeM6Uc2euzMELgfLheX6WY +S0Qa3gowL0TlQwLIUjhJDuSQwUQhVGKgKgYzer4ekxI +--- rBr7v8PZV8+s1BXxgpn84FjnNiKU50GeF/uwJuNwsKc +Vw 6K5kU`KVpC?MZDHKfGr YiVpfÐYIHZ=ݥ"yb}XK]sw `24[ 'wXgM=X\&3f&Щ'5~ \ No newline at end of file diff --git a/secrets/users/fcuny/llm.age b/secrets/users/fcuny/llm.age index 780fe5b..79223f8 100644 --- a/secrets/users/fcuny/llm.age +++ b/secrets/users/fcuny/llm.age @@ -1,5 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 9Ia8+w Bir55Uqpbc9LiWfeuhcrl5FluYT7WGKtY0SdSvS0w1o -SjAYkn0OrDGIgd4yK709Wc+Y7d3LaSHWQAdSe9qkUr8 ---- 5p8VDC+lrVMyXPaWdNDPWrONSjsC36LsLeNJoMqmSN4 -7 =3WDz$yYfWgL 9WS4!߱s|eaIk@Z;_ޫzh1 ߗq8,]BvPJP& q0CrFTJ{(2t*%QEKa҄^QpA gH,~H/Tuܡ/PR =mfζwRmY{JC \ No newline at end of file +-> ssh-ed25519 9Ia8+w rPwEMJ053pckVlIcqi9YgxsPr0QIx0dl5fc9G6T1uGk +OAp6qxJcD2ayFkTkLHbeZVSAZBdQ1JaFUO8HBtosofA +-> ssh-ed25519 pFjJaA 9HAEvPfZ7JOHpHSY/x51olksv+QQrpFp7m4FEJNV6HU +S8aZtFVVVxQ901Fy7WD6sFk3IwSfEMDop/VuS8+JeJg +--- /VxaMyxHya7Z+3NjaPIvd6eTZ9QygAgfMx/Azjbt/Ck + I)?=K?R V)qCje0R<|3fn Yv8&eC72"Ϸ2f38.F5ާ, 3~[JLv,NAF:5Cr% +Fx0^ć#`eBO#_2C8%K*7 8}=-#I._[XSY?\u,o{ 7?[ugX嬾iV2?J) \ No newline at end of file -- cgit v1.2.3