From 85ccfc622e397a014d08e3bdcfb4356be25ceec8 Mon Sep 17 00:00:00 2001
From: Ivan Malison
Date: Fri, 13 Feb 2026 04:38:14 -0800
Subject: [PATCH] nixos: allow agenix to decrypt tailscale authkey via user ssh key

---
 nixos/tailscale.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix
index 2cd5a418..37ae62be 100644
--- a/nixos/tailscale.nix
+++ b/nixos/tailscale.nix
@@ -10,6 +10,14 @@ makeEnable config "myModules.tailscale" true {
 # Optional: unattended enrollment using a pre-auth key stored in agenix.
 #
 # Plaintext content "DISABLED" means "do nothing".
+ #
+ # This secret is encrypted to your "kanivan" SSH keys, so we include your
+ # user SSH key as an identity for decryption.
+ age.identityPaths = lib.mkDefault [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/home/imalison/.ssh/id_ed25519"
+ ];
+
 age.secrets.tailscale-authkey = {
 file = ./secrets/tailscale-authkey.age;
 owner = "root";
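Review bot: The user key added to `age.identityPaths` has to be an unencrypted private key, because agenix decrypts during system activation as root with no TTY, so a passphrase-protected `/home/imalison/.ssh/id_ed25519` would presumably either fail activation or (as I read agenix's identity loop, which skips unreadable files) be silently dropped, leaving `tailscale-authkey` undecryptable. It also means the Tailscale pre-auth key is readable by anyone holding that user key, which undercuts the `owner = "root"` on the secret below; a dedicated passphrase-less identity on the host would be the safer recipient. Two smaller points: the path is hard-coded where `"${config.users.users.imalison.home}/.ssh/id_ed25519"` would follow the user definition, and setting the list explicitly replaces agenix's default of all configured OpenSSH host keys, so any secret encrypted to a non-ed25519 host key would stop decrypting. I would add above the list: `# Must be an unencrypted key: agenix decrypts at activation as root, non-interactively.` The enclosing makeEnable block begins and ends outside the hunk.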