From be8a70645220298b40be1b44e0888e9f54c0ce89 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Fri, 16 Jan 2026 18:58:03 -0800 Subject: simplify secrets management with dynamic public key generation --- README.org | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'README.org') diff --git a/README.org b/README.org index 4a693e7..d36768a 100644 --- a/README.org +++ b/README.org @@ -59,18 +59,29 @@ nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on re Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]]. * Secrets -Start by synchronizing the SSH key by running =sync-ssh-key= in the repository. Then, to create or edit a secret: +Get the identity under =secrets/identity.txt= with: #+begin_src sh cd (git rev-parse --show-toplevel)/secrets -agenix -i ~/.ssh/agenix -e users/fcuny/llm.age +age-plugin-yubikey --list --slot 1 > identity.txt #+end_src -And to rekey a secret: +To create or edit a secret: #+begin_src sh cd (git rev-parse --show-toplevel)/secrets -agenix -i ~/.ssh/agenix -r +agenix -i identity.txt -e users/fcuny/llm.age #+end_src +And to rekey the secrets: +#+begin_src sh +cd (git rev-parse --show-toplevel)/secrets +agenix -i identity.txt -r +#+end_src + +You can validate that the file is correct with: +#+begin_src sh +cd (git rev-parse --show-toplevel)/secrets +nix eval --file secrets.nix +#+end_src * Network ** Wireguard *** New host -- cgit v1.2.3
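Review bot: in the new "Get the identity" block, `age-plugin-yubikey --list --slot 1 > identity.txt` writes the slot's recipient (an `age1yubikey1...` line), not its identity; `--list` is documented as listing recipients, while the identity string (`AGE-PLUGIN-YUBIKEY-...`) that `agenix -i identity.txt` needs is printed by `--identity`. Suggest `age-plugin-yubikey --identity --slot 1 > identity.txt`, and a quick check that the resulting file starts with `AGE-PLUGIN-YUBIKEY-` before the edit/rekey steps. Two smaller points in the same hunk: all three `#+begin_src sh` blocks use `cd (git rev-parse --show-toplevel)/secrets`, which is fish command substitution and a syntax error in sh/bash, so either write `cd "$(git rev-parse --show-toplevel)/secrets"` or label the blocks `fish`; and the text does not say whether `secrets/identity.txt` is meant to be committed or git-ignored, nor which file "You can validate that the file is correct" refers to (the command evaluates `secrets.nix`, not `identity.txt`). Since the commit message says the public key is now generated dynamically, a sentence on each would help a reader who clones the repo without the YubiKey.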