From 9cc678853b7a3de827ffed5e6c66daff5fc814fd Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 27 May 2026 17:24:38 +0100
Subject: [PATCH] 1c/W4: add sops.age.keyFile for bootstrap age key (recovery key on clones; host-derived on cc-ci)

cc-ci /var/lib/sops-nix/key.txt provisioned = host-derived age key (pub == &host recipient), so adding keyFile is safe (sops-install-secrets aborts if a configured keyFile is missing).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 modules/secrets.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/secrets.nix b/modules/secrets.nix
index 0ebc24c..bd7ae90 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -9,6 +9,13 @@
 defaultSopsFile = ../secrets/secrets.yaml;
 # Decrypt using the host's SSH host key (converted to an age identity by sops-nix).
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # Phase-1c: also accept a bootstrap age key at a fixed path — THE one out-of-band secret,
+ # provisioned to the host before the first rebuild. On the canonical cc-ci this holds the
+ # host-derived age identity (== the sshKeyPaths recipient, no new exposure); on a fresh/cloned
+ # host (e.g. the throwaway-VM rebuild) it holds the off-box recovery key, so a host whose SSH
+ # host key is NOT a sops recipient can still decrypt every secret. NOTE: sops-install-secrets
+ # aborts activation if this file is set but missing, so it must exist before `nixos-rebuild`.
+ age.keyFile = "/var/lib/sops-nix/key.txt";
 # Do not also look for a GPG key.
 gnupg.sshKeyPaths = [ ];