Agent Skill
2/7/2026
rekey-secrets
Re-encrypt all secrets after modifying .age files or changing host keys
iamruinous
npx skills add iamruinous/nix-config
SKILL.md
| Name | rekey-secrets |
| Description | Re-encrypt all secrets after modifying .age files or changing host keys |
name: rekey-secrets
description: Re-encrypt all secrets after modifying .age files or changing host keys
compatibility: Requires agenix, agenix-helper
metadata:
  author: ruinous.ai
  version: "1.0"
  domain: secrets
Rekey Secrets
Re-encrypt all secrets after modifying .age files or when host keys change.
When to use:
- After creating or updating any .age file
- After adding a new host to secrets.nix
- After rotating host SSH keys
Prerequisites
```bash
# Unlock agenix before rekeying
just unlock
```
Steps
- Rekey all secrets:

  ```bash
  just rekey
  ```

- Stage and verify rekeyed files:

  ```bash
  git add secrets/
  ls secrets/nixos/*/
  ```

- Lock agenix when done:

  ```bash
  agenix-helper lock
  ```
Where Rekeyed Secrets Go
After agenix rekey -a, encrypted secrets are stored in:
secrets/nixos/<hostname>/<hash>-<secret_name>.age
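
A scripted form of the "verify rekeyed files" step, as an added example that is not part of the original skill or the nix-config repository. The function names `is_age_file` and `check_rekeyed` are hypothetical; the script assumes the layout shown above and checks only file names and the age header (binary or ASCII-armored), not whether a host can decrypt the file.

```shell
#!/bin/sh
# Added example: fail before `git add` if anything under secrets/nixos/
# is misnamed or is not age ciphertext (e.g. a plaintext secret saved as .age).

# Succeeds if the file starts with an age header.
is_age_file() {
  rk_first=$(head -c 34 < "$1" 2>/dev/null | tr -d '\000')
  case "$rk_first" in
    "age-encryption.org/v1"*) return 0 ;;               # binary age format
    "-----BEGIN AGE ENCRYPTED FILE-----"*) return 0 ;;  # armored age format
  esac
  return 1
}

# check_rekeyed [ROOT]: ROOT defaults to secrets/nixos.
# Expects ROOT/<hostname>/<hash>-<secret_name>.age for every file.
# Returns 0 only if at least one file exists and every file passes.
check_rekeyed() {
  rk_root=${1:-secrets/nixos}
  rk_bad=0
  rk_seen=0
  for rk_f in "$rk_root"/*/*; do
    [ -f "$rk_f" ] || continue
    rk_seen=$((rk_seen + 1))
    case "${rk_f##*/}" in
      ?*-?*.age) ;;
      *)
        echo "unexpected file name: $rk_f" >&2
        rk_bad=$((rk_bad + 1))
        continue
        ;;
    esac
    if ! is_age_file "$rk_f"; then
      echo "not age-encrypted: $rk_f" >&2
      rk_bad=$((rk_bad + 1))
    fi
  done
  if [ "$rk_seen" -eq 0 ]; then
    echo "no rekeyed files found under $rk_root" >&2
    return 1
  fi
  [ "$rk_bad" -eq 0 ]
}
```

Source the file and run `check_rekeyed secrets/nixos && git add secrets/` so that staging only happens when every file passes.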
Troubleshooting
Rekey fails with host errors
- Check that all hosts in secrets.nix have valid keys
- Verify host public keys are correct in the repository
Permission denied
```bash
# Ensure agenix is unlocked
just unlock
```
Example
```bash
# Unlock, rekey, and stage
just unlock
just rekey
git add secrets/
```
Post-Rekey Checklist
- Ran just unlock before starting
- All secrets rekeyed successfully (just rekey)
- secrets/nixos/ contains updated files
- Staged changes (git add secrets/)
- No errors in output
- Ran agenix-helper lock when done