Add agenix secrets management

Phase 3: Encrypted secrets - Add secrets module with agenix integration - Create secrets/secrets.nix template for key definitions - Installer generates SSH key if missing - Installer creates personalized secrets.nix with user's key - Full documentation in docs/SECRETS.md Features: - Secrets encrypted with age using SSH keys - Decrypted automatically at system activation - Safe to commit .age files to git - Support for WiFi passwords, API keys, service credentials Usage: agenix -e secrets/my-secret.age age.secrets.my-secret.file = ./secrets/my-secret.age; Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-15 02:56:25 -05:00
parent 6686a9f6b6
commit 5a52b3c159
6 changed files with 297 additions and 0 deletions
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -271,6 +271,53 @@ download_wallpapers() {
    echo ""
 }

+setup_secrets() {
+    local secrets_dir="$HOME/.config/nomarchy/secrets"
+    mkdir -p "$secrets_dir"
+
+    echo -e "${BLUE}Setting up secrets management...${NC}"
+
+    # Check for SSH key
+    if [ ! -f "$HOME/.ssh/id_ed25519.pub" ]; then
+        echo -e "${YELLOW}No SSH key found. Generating one...${NC}"
+        ssh-keygen -t ed25519 -f "$HOME/.ssh/id_ed25519" -N "" -C "${username}@${hostname_input}"
+    fi
+
+    local user_key
+    user_key=$(cat "$HOME/.ssh/id_ed25519.pub")
+
+    # Create secrets.nix template
+    cat > "$secrets_dir/secrets.nix" << EOF
+# Nomarchy Secrets Configuration
+# Generated on $(date)
+#
+# To add a secret:
+#   1. Add it to this file with the keys below
+#   2. Run: agenix -e secrets/<name>.age
+#   3. Reference in your NixOS config
+
+let
+  # Your SSH public key (for encrypting)
+  user = "${user_key}";
+
+  # Host SSH key - add after first boot:
+  # Run: ssh-keyscan localhost 2>/dev/null | grep ed25519
+  # host = "ssh-ed25519 AAAA...";
+
+  allKeys = [ user ];
+  # After adding host key: allKeys = [ user host ];
+in {
+  # Example secrets (uncomment to use):
+  # "wifi-password.age".publicKeys = allKeys;
+  # "api-key.age".publicKeys = allKeys;
+}
+EOF
+
+    echo -e "${GREEN}Secrets directory created at ${secrets_dir}${NC}"
+    echo -e "${YELLOW}After first boot, add your host's SSH key to secrets.nix${NC}"
+    echo ""
+}
+
 show_summary() {
    echo -e "${BOLD}Configuration Summary${NC}"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@@ -347,6 +394,7 @@ main() {
    generate_config
    setup_flake
    download_wallpapers
+    setup_secrets
    apply_config

    echo ""