From ec2afd9e927a521edfb68ad9eb3e0e8391d12156 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Thu, 12 Jun 2025 07:40:53 -0700 Subject: use a dedicated SSH key for agenix The key is still stored in 1password, and we add a script to synchronize the key to the host. The existing keys have been rekeyed with the new key. --- docs/secrets.org | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'docs/secrets.org') diff --git a/docs/secrets.org b/docs/secrets.org index 04452dc..10d4e9b 100644 --- a/docs/secrets.org +++ b/docs/secrets.org @@ -2,14 +2,16 @@ ** SSH keys -Get the ssh key from 1password with the following command: -#+begin_src sh - op read "op://Private/nixos/private key?ssh-format=openssh" > ~/.ssh/nixos - op read "op://Private/nixos/public key?ssh-format=openssh" > ~/.ssh/nixos.pub +Start by synchronizing the SSH key by running `sync-ssh-key` in the repository. + +Then, to create or edit a secret: +#+begin_src + cd (git rev-parse --show-toplevel)/secrets + agenix -i ~/.ssh/agenix -e users/fcuny/llm.age #+end_src -To create or edit a secret: +And to rekey a secret: #+begin_src cd (git rev-parse --show-toplevel)/secrets - agenix -i ~/.ssh/nixos -e users/fcuny/llm.age + agenix -i ~/.ssh/agenix -r #+end_src -- cgit v1.2.3
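Review bot: The added line "Start by synchronizing the SSH key by running `sync-ssh-key` in the repository." does not say where the key is written, yet both commands that follow depend on `~/.ssh/agenix` existing; the removed `op read` lines made the destination explicit. Suggest stating the path the script writes, whether the public key is written as well, and that the private key is expected to be mode 0600, so a reader can verify the sync before running `agenix -i ~/.ssh/agenix -e users/fcuny/llm.age`. Two style points in the same hunk: the backticks around `sync-ssh-key` are Markdown markup, and in an Org file this would be written ~sync-ssh-key~ or =sync-ssh-key=; and the new `#+begin_src` blocks carry no language, while `cd (git rev-parse --show-toplevel)/secrets` is fish-style command substitution, so either tag the blocks as fish or rewrite the substitution as `$(git rev-parse --show-toplevel)` and tag them sh, which keeps the commands usable when pasted into a POSIX shell.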