fix: Fail the CI if formatting fails

.gitea/workflows/ci.yml

@@ -26,18 +26,23 @@ jobs:
   format-check:
     name: Format Check
     runs-on: [self-hosted, nix-builder]
+    timeout-minutes: 5
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Check formatting
+        timeout-minutes: 3
         run: |
-          nix fmt **/*.nix
-          if ! git diff --quiet; then
+          set -euo pipefail
+          echo "Checking code formatting..."
+          output=$(nix fmt **/*.nix 2>&1)
+          if [ -n "$output" ]; then
             echo "::error::Code is not formatted. Please run 'nix fmt **/*.nix' locally."
-            git diff
+            echo "$output"
             exit 1
           fi
+          echo "All files are properly formatted"
 
   eval-configs:
     name: Evaluate Key Configurations

flake.lock

@@ -239,6 +239,24 @@
       "inputs": {
         "systems": "systems_4"
       },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
       "locked": {
         "lastModified": 1681202837,
         "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@@ -636,6 +654,7 @@
         "nixos-wsl": "nixos-wsl",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-old-kernel": "nixpkgs-old-kernel",
+        "usda-vision": "usda-vision",
         "vscode-server": "vscode-server"
       }
     },
@@ -720,6 +739,21 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "treefmt-nix": {
       "inputs": {
         "nixpkgs": [
@@ -742,13 +776,34 @@
         "type": "github"
       }
     },
-    "vscode-server": {
+    "usda-vision": {
       "inputs": {
         "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
+      "locked": {
+        "lastModified": 1769814438,
+        "narHash": "sha256-DEZrmqpqbrd996W5p1r4GA1C8Jmo31n3N642ccS0deY=",
+        "ref": "refs/heads/main",
+        "rev": "78bfcf02612817a2cee1edbf92deeac9bf657613",
+        "revCount": 126,
+        "type": "git",
+        "url": "https://git.factory.uga.edu/MODEL/usda-vision.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.factory.uga.edu/MODEL/usda-vision.git"
+      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
         "lastModified": 1753541826,
         "narHash": "sha256-foGgZu8+bCNIGeuDqQ84jNbmKZpd+JvnrL2WlyU4tuU=",

flake.nix

@@ -59,6 +59,12 @@
       url = "github:nix-community/NixOS-WSL/main";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    # USDA Vision Dashboard application
+    usda-vision = {
+      url = "git+https://git.factory.uga.edu/MODEL/usda-vision.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =

fleet/common.nix

@@ -14,17 +14,141 @@ let
   # Import all hardware modules so they're available for enabling
   hwTypes = import ../hw { inherit inputs; };
   hwModules = lib.attrValues hwTypes;
+
+  # User account submodule definition
+  userSubmodule = lib.types.submodule {
+    options = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether this user account is enabled on this system.";
+      };
+      isNormalUser = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether this is a normal user account (vs system user).";
+      };
+      description = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "Full name or description of the user (GECOS field).";
+        example = "John Doe";
+      };
+      extraGroups = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        description = "Additional groups for the user (wheel, docker, etc.).";
+      };
+      hashedPassword = lib.mkOption {
+        type = lib.types.str;
+        default = "!";
+        description = "Hashed password for the user account. Default '!' means locked.";
+      };
+      extraPackages = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = "Additional system packages available to this user.";
+      };
+      excludePackages = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = "System packages to exclude for this user.";
+      };
+      homePackages = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [ ];
+        description = "Packages to install in the user's home-manager profile.";
+      };
+      extraImports = lib.mkOption {
+        type = lib.types.listOf lib.types.path;
+        default = [ ];
+        description = "Additional home-manager modules to import for this user.";
+      };
+      external = lib.mkOption {
+        type = lib.types.nullOr (
+          lib.types.oneOf [
+            lib.types.path
+            (lib.types.submodule {
+              options = {
+                url = lib.mkOption {
+                  type = lib.types.str;
+                  description = "Git repository URL to fetch user configuration from.";
+                };
+                rev = lib.mkOption {
+                  type = lib.types.str;
+                  description = "Git commit hash, tag, or branch to fetch.";
+                };
+                submodules = lib.mkOption {
+                  type = lib.types.bool;
+                  default = false;
+                  description = "Whether to fetch Git submodules.";
+                };
+              };
+            })
+          ]
+        );
+        default = null;
+        description = "External dotfiles repository (user.nix + optional nixos.nix).";
+      };
+      opensshKeys = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+        description = "SSH public keys for the user (authorized_keys).";
+      };
+      shell = lib.mkOption {
+        type = lib.types.nullOr (
+          lib.types.enum [
+            "bash"
+            "zsh"
+            "fish"
+            "tcsh"
+          ]
+        );
+        default = "bash";
+        description = "Default shell for the user.";
+      };
+      editor = lib.mkOption {
+        type = lib.types.nullOr (
+          lib.types.enum [
+            "vim"
+            "neovim"
+            "emacs"
+            "nano"
+            "code"
+          ]
+        );
+        default = "neovim";
+        description = "Default text editor for the user (sets EDITOR).";
+      };
+      useZshTheme = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether to apply the system Zsh theme (Oh My Posh).";
+      };
+      useNvimPlugins = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether to apply the system Neovim configuration.";
+      };
+    };
+  };
 in
 {
   imports = [
     ./fs.nix
     ./boot.nix
     ./user-config.nix
-    ./fleet-option.nix
     ../sw
     inputs.vscode-server.nixosModules.default
     inputs.nixos-wsl.nixosModules.default
-  ] ++ hwModules;
+  ]
+  ++ hwModules;
+
+  options.athenix.users = lib.mkOption {
+    type = lib.types.attrsOf userSubmodule;
+    default = { };
+    description = "User accounts configuration. Set enable=true for users that should exist on this system.";
+  };
 
   options.athenix = {
     forUser = lib.mkOption {

fleet/default.nix

@@ -150,7 +150,8 @@ let
 
       # Hardware-specific external modules
       hwSpecificModules =
-        lib.optional (hostType == "nix-lxc") "${inputs.nixpkgs.legacyPackages.${system}.path}/nixos/modules/virtualisation/proxmox-lxc.nix";
+        lib.optional (hostType == "nix-lxc")
+          "${inputs.nixpkgs.legacyPackages.${system}.path}/nixos/modules/virtualisation/proxmox-lxc.nix";
 
       allModules =
         userNixosModules
@@ -158,6 +159,8 @@ let
           ./common.nix
           overrideModule
           { networking.hostName = hostName; }
+          # Set athenix.host.name for secrets and other modules to use
+          { athenix.host.name = hostName; }
           {
             # Inject user definitions from flake-parts level
             config.athenix.users = lib.mapAttrs (_: user: lib.mapAttrs (_: lib.mkDefault) user) users;

fleet/fs.nix

@@ -17,42 +17,51 @@ let
 in
 {
   options.athenix = {
-    host.filesystem = {
-      device = lib.mkOption {
-        type = lib.types.nullOr lib.types.str;
-        default = null;
+    host = {
+      name = lib.mkOption {
+        type = lib.types.str;
         description = ''
-          The main disk device to use for automated partitioning and installation.
-
-          When set, enables disko for declarative disk management with:
-          - 1GB EFI boot partition
-          - Optional swap partition (see swapSize)
-          - Root partition using remaining space
-
-          Leave null for systems that don't need disk partitioning (containers, WSL).
-        '';
-        example = "/dev/nvme0n1";
-      };
-      useSwap = lib.mkOption {
-        type = lib.types.bool;
-        default = true;
-        description = ''
-          Whether to create and use a swap partition.
-          Disable for systems with ample RAM or SSDs where swap is undesirable.
+          Fleet-assigned hostname for this system.
+          Used for secrets discovery and other host-specific configurations.
         '';
       };
-      swapSize = lib.mkOption {
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-        description = ''
-          Size of the swap partition (e.g., "16G", "32G").
+      filesystem = {
+        device = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          description = ''
+            The main disk device to use for automated partitioning and installation.
 
-          Recommended sizes:
-          - 8-16GB for desktops with 16GB+ RAM
-          - 32GB for laptops (enables hibernation)
-          - Match RAM size for systems <8GB RAM
-        '';
-        example = "32G";
+            When set, enables disko for declarative disk management with:
+            - 1GB EFI boot partition
+            - Optional swap partition (see swapSize)
+            - Root partition using remaining space
+
+            Leave null for systems that don't need disk partitioning (containers, WSL).
+          '';
+          example = "/dev/nvme0n1";
+        };
+        useSwap = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+          description = ''
+            Whether to create and use a swap partition.
+            Disable for systems with ample RAM or SSDs where swap is undesirable.
+          '';
+        };
+        swapSize = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          description = ''
+            Size of the swap partition (e.g., "16G", "32G").
+
+            Recommended sizes:
+            - 8-16GB for desktops with 16GB+ RAM
+            - 32GB for laptops (enables hibernation)
+            - Match RAM size for systems <8GB RAM
+          '';
+          example = "32G";
+        };
       };
     };
   };

hw/nix-lxc.nix

@@ -47,6 +47,9 @@ in
     disko.enableConfig = lib.mkForce false; # No disk management in container
     console.enable = true;
 
+    # Set timezone to fix /etc/localtime for Docker containers
+    time.timeZone = lib.mkDefault "America/New_York";
+
     # Allow getty to work in containers
     systemd.services."getty@".unitConfig.ConditionPathExists = [
       ""

inventory.nix

@@ -129,8 +129,8 @@
         };
         "usda-dash".external = {
           url = "https://git.factory.uga.edu/MODEL/usda-dash-config.git";
-          rev = "dab32f5884895cead0fae28cb7d88d17951d0c12";
-          submodules = true;
+          rev = "ce2700b0196e106f7c013bbcee851a5f96b146a3";
+          submodules = false;
         };
       };
       overrides = {

lib/default.nix

@@ -1,4 +1,8 @@
-{ ... }:
+{
+  lib,
+  ...
+}:
 {
   mkFleet = import ./mkFleet.nix;
+  macCaseBuilder = import ./macCaseBuilder.nix { inherit lib; };
 }

lib/macCaseBuilder.nix

@@ -0,0 +1,33 @@
+{ lib }:
+let
+  # Default MAC address to station number mapping
+  defaultHostmap = {
+    "00:e0:4c:46:0b:32" = "1";
+    "00:e0:4c:46:07:26" = "2";
+    "00:e0:4c:46:05:94" = "3";
+    "00:e0:4c:46:07:11" = "4";
+    "00:e0:4c:46:08:02" = "5";
+    "00:e0:4c:46:08:5c" = "6";
+  };
+
+  # macCaseBuilder: builds a shell case statement from a hostmap
+  # Parameters:
+  #   varName: the shell variable to assign
+  #   prefix: optional string to prepend to the value (default: "")
+  #   hostmap: optional attribute set to use (default: built-in hostmap)
+  #
+  # Example:
+  #   macCaseBuilder { varName = "STATION"; prefix = "nix-"; }
+  #   # Generates case statements like: 00:e0:4c:46:0b:32) STATION=nix-1 ;;
+  builder =
+    {
+      varName,
+      prefix ? "",
+      hostmap ? defaultHostmap,
+    }:
+    lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (mac: val: "      ${mac}) ${varName}=${prefix}${val} ;;") hostmap
+    );
+in
+# Export the builder function with hostmap as an accessible attribute
+lib.setFunctionArgs builder { } // { hostmap = defaultHostmap; }

parts/lib.nix

@@ -1,5 +1,8 @@
 # Library functions for flake-parts
 { inputs, ... }:
 {
-  flake.lib = import ../lib { inherit inputs; };
+  flake.lib = import ../lib {
+    inherit inputs;
+    lib = inputs.nixpkgs.lib;
+  };
 }

secrets.nix

@@ -0,0 +1,187 @@
+# ============================================================================
+# Agenix Secret Recipients Configuration (Auto-Generated)
+# ============================================================================
+# This file automatically discovers hosts and their public keys from the
+# secrets/ directory structure and generates recipient configurations.
+#
+# Directory structure:
+#   secrets/{hostname}/*.pub  -> SSH/age public keys for that host
+#   secrets/global/*.pub      -> Keys accessible to all hosts
+#
+# Usage:
+#   ragenix -e secrets/global/example.age     # Edit/create secret
+#   ragenix -r                                # Re-key all secrets
+#
+# To add admin keys for editing secrets, create secrets/admins/*.pub files
+# with your personal age public keys (generated with: age-keygen)
+
+let
+  lib = builtins;
+
+  # Helper functions not in builtins
+  filterAttrs =
+    pred: set:
+    lib.listToAttrs (
+      lib.filter (item: pred item.name item.value) (
+        lib.map (name: {
+          inherit name;
+          value = set.${name};
+        }) (lib.attrNames set)
+      )
+    );
+
+  concatLists = lists: lib.foldl' (acc: list: acc ++ list) [ ] lists;
+
+  unique =
+    list:
+    let
+      go =
+        acc: remaining:
+        if remaining == [ ] then
+          acc
+        else if lib.elem (lib.head remaining) acc then
+          go acc (lib.tail remaining)
+        else
+          go (acc ++ [ (lib.head remaining) ]) (lib.tail remaining);
+    in
+    go [ ] list;
+
+  hasSuffix =
+    suffix: str:
+    let
+      lenStr = lib.stringLength str;
+      lenSuffix = lib.stringLength suffix;
+    in
+    lenStr >= lenSuffix && lib.substring (lenStr - lenSuffix) lenSuffix str == suffix;
+
+  nameValuePair = name: value: { inherit name value; };
+
+  secretsPath = ./secrets;
+
+  # Read all directories in secrets/
+  secretDirs = if lib.pathExists secretsPath then lib.readDir secretsPath else { };
+
+  # Filter to only directories (excludes files)
+  isDirectory = name: type: type == "directory";
+  directories = lib.filter (name: isDirectory name secretDirs.${name}) (lib.attrNames secretDirs);
+
+  # Read public keys from a directory and convert to age format
+  readHostKeys =
+    dirName:
+    let
+      dirPath = secretsPath + "/${dirName}";
+      files = if lib.pathExists dirPath then lib.readDir dirPath else { };
+
+      # Prefer .age.pub files (pre-converted), fall back to .pub files
+      agePubFiles = filterAttrs (name: type: type == "regular" && hasSuffix ".age.pub" name) files;
+
+      sshPubFiles = filterAttrs (
+        name: type: type == "regular" && hasSuffix ".pub" name && !(hasSuffix ".age.pub" name)
+      ) files;
+
+      # Read age public keys (already in correct format)
+      ageKeys = lib.map (
+        name:
+        let
+          content = lib.readFile (dirPath + "/${name}");
+          # Trim whitespace/newlines
+          trimmed = lib.replaceStrings [ "\n" " " "\r" "\t" ] [ "" "" "" "" ] content;
+        in
+        trimmed
+      ) (lib.attrNames agePubFiles);
+
+      # For SSH keys, just include them as-is (user needs to convert with ssh-to-age)
+      # Or they can run the update-age-keys.sh script
+      sshKeys =
+        if (lib.length (lib.attrNames sshPubFiles)) > 0 then
+          lib.trace "Warning: ${dirName} has unconverted SSH keys. Run secrets/update-age-keys.sh" [ ]
+        else
+          [ ];
+    in
+    lib.filter (k: k != null && k != "") (ageKeys ++ sshKeys);
+
+  # Build host key mappings: { hostname = [ "age1..." "age2..." ]; }
+  hostKeys = lib.listToAttrs (
+    lib.map (dir: nameValuePair dir (readHostKeys dir)) (
+      lib.filter (d: d != "global" && d != "admins") directories
+    )
+  );
+
+  # Global keys that all hosts can use
+  globalKeys = if lib.elem "global" directories then readHostKeys "global" else [ ];
+
+  # Admin keys for editing secrets
+  adminKeys = if lib.elem "admins" directories then readHostKeys "admins" else [ ];
+
+  # All host keys combined
+  allHostKeys = concatLists (lib.attrValues hostKeys);
+
+  # Find all .age files in the secrets directory
+  findSecrets =
+    dir:
+    let
+      dirPath = secretsPath + "/${dir}";
+      files = if lib.pathExists dirPath then lib.readDir dirPath else { };
+      ageFiles = filterAttrs (name: type: type == "regular" && hasSuffix ".age" name) files;
+    in
+    lib.map (name: "secrets/${dir}/${name}") (lib.attrNames ageFiles);
+
+  # Generate recipient list for a secret based on its location
+  getRecipients =
+    secretPath:
+    let
+      # Extract directory name from path: "secrets/nix-builder/foo.age" -> "nix-builder"
+      pathParts = lib.split "/" secretPath;
+      dirName = lib.elemAt pathParts 2;
+    in
+    if dirName == "global" then
+      # Global secrets: all hosts + admins
+      allHostKeys ++ globalKeys ++ adminKeys
+    else if hostKeys ? ${dirName} then
+      # Host-specific secrets: that host + global keys + admins
+      hostKeys.${dirName} ++ globalKeys ++ adminKeys
+    else
+      # Fallback: just admins
+      adminKeys;
+
+  # Find all secrets across all directories
+  allSecrets = concatLists (lib.map findSecrets directories);
+
+  # Generate the configuration
+  secretsConfig = lib.listToAttrs (
+    lib.map (
+      secretPath:
+      let
+        recipients = getRecipients secretPath;
+        # Remove duplicates and empty keys
+        uniqueRecipients = unique (lib.filter (k: k != null && k != "") recipients);
+      in
+      nameValuePair secretPath {
+        publicKeys = uniqueRecipients;
+      }
+    ) allSecrets
+  );
+
+  # Generate wildcard rules for each directory to allow creating new secrets
+  wildcardRules = lib.listToAttrs (
+    lib.concatMap (dir: [
+      # Match with and without .age extension for ragenix compatibility
+      (nameValuePair "secrets/${dir}/*" {
+        publicKeys =
+          let
+            recipients = getRecipients "secrets/${dir}/dummy.age";
+          in
+          unique (lib.filter (k: k != null && k != "") recipients);
+      })
+      (nameValuePair "secrets/${dir}/*.age" {
+        publicKeys =
+          let
+            recipients = getRecipients "secrets/${dir}/dummy.age";
+          in
+          unique (lib.filter (k: k != null && k != "") recipients);
+      })
+    ]) (lib.filter (d: d != "admins") directories)
+  );
+
+in
+secretsConfig // wildcardRules

secrets/DESIGN.md

@@ -0,0 +1,174 @@
+# Athenix Secrets System Design
+
+## Overview
+
+The Athenix secrets management system integrates ragenix (agenix) with automatic host discovery based on the repository's fleet inventory structure. It provides a seamless workflow for managing encrypted secrets across all systems.
+
+## Architecture
+
+### Auto-Discovery Module (`sw/secrets.nix`)
+
+**Purpose**: Automatically load and configure secrets at system deployment time.
+
+**Features**:
+- Discovers `.age` encrypted files from `secrets/` directories
+- Loads global secrets from `secrets/global/` on ALL systems
+- Loads host-specific secrets from `secrets/{hostname}/` on matching hosts
+- Auto-configures decryption keys based on `.pub` files in directories
+- Supports custom secret configuration via `default.nix` in each directory
+
+**Key Behaviors**:
+- Secrets are decrypted to `/run/agenix/{name}` at boot
+- Identity paths include: system SSH keys + global keys + host-specific keys
+- Host-specific secrets override global secrets with the same name
+
+### Dynamic Recipients Configuration (`secrets/secrets.nix`)
+
+**Purpose**: Generate ragenix recipient configuration from directory structure.
+
+**Features**:
+- Automatically discovers hosts from `secrets/` subdirectories
+- Reads age public keys from `.age.pub` files (converted from SSH keys)
+- Generates recipient lists based on secret location:
+  - `secrets/global/*.age` → ALL hosts + admins
+  - `secrets/{hostname}/*.age` → that host + global keys + admins
+- Supports admin keys in `secrets/admins/` for secret editing
+
+**Key Behaviors**:
+- No manual recipient list maintenance required
+- Adding a new host = create directory + add .pub key + run `update-age-keys.sh`
+- Works with ragenix CLI: `ragenix -e`, `ragenix -r`
+
+## Workflow
+
+### Adding a New Host
+
+1. **Capture SSH host key**:
+   ```bash
+   # From the running system
+   cat /etc/ssh/ssh_host_ed25519_key.pub > secrets/new-host/ssh_host_ed25519_key.pub
+   ```
+
+2. **Convert to age format**:
+   ```bash
+   cd secrets/
+   ./update-age-keys.sh
+   ```
+
+3. **Re-key existing secrets** (if needed):
+   ```bash
+   ragenix -r
+   ```
+
+### Creating a New Secret
+
+1. **Choose location**:
+   - `secrets/global/` → all systems can decrypt
+   - `secrets/{hostname}/` → only that host can decrypt
+
+2. **Create/edit secret**:
+   ```bash
+   ragenix -e secrets/global/my-secret.age
+   ```
+   
+3. **Recipients are auto-determined** from `secrets.nix`:
+   - Global secrets: all host keys + admin keys
+   - Host-specific: that host + global keys + admin keys
+
+### Cross-Host Secret Management
+
+Any Athenix host can manage secrets for other hosts because:
+- All public keys are in the repository (`*.age.pub` files)
+- `secrets/secrets.nix` auto-generates recipient lists
+- Hosts decrypt using their own private keys (not shared)
+
+Example: From `nix-builder`, create a secret for `usda-dash`:
+```bash
+ragenix -e secrets/usda-dash/database-password.age
+# Encrypted for usda-dash's public key + admins
+# usda-dash will decrypt using its private key at /etc/ssh/ssh_host_ed25519_key
+```
+
+## Directory Structure
+
+```
+secrets/
+├── secrets.nix              # Auto-generated recipient config
+├── update-age-keys.sh       # Helper to convert SSH → age keys
+├── README.md                # User documentation
+├── DESIGN.md                # This file
+│
+├── global/                  # Secrets for ALL hosts
+│   ├── *.pub                # SSH public keys
+│   ├── *.age.pub            # Age public keys (generated)
+│   ├── *.age                # Encrypted secrets
+│   └── default.nix          # Optional: custom secret config
+│
+├── {hostname}/              # Host-specific secrets
+│   ├── *.pub
+│   ├── *.age.pub
+│   ├── *.age
+│   └── default.nix
+│
+└── admins/                  # Admin keys for editing
+    └── *.age.pub
+```
+
+## Security Model
+
+1. **Public keys in git**: Safe to commit (only public keys, `.age.pub` and `.pub`)
+2. **Private keys on hosts**: Never leave the system (`/etc/ssh/ssh_host_*_key`, `/etc/age/identity.key`)
+3. **Encrypted secrets in git**: Safe to commit (`.age` files)
+4. **Decrypted secrets**: Only in memory/tmpfs (`/run/agenix/*`)
+
+## Integration Points
+
+### With NixOS Configuration
+
+```nix
+# Access decrypted secrets in any NixOS module
+config.age.secrets.my-secret.path  # => /run/agenix/my-secret
+
+# Example usage
+services.myapp.passwordFile = config.age.secrets.database-password.path;
+```
+
+### With Inventory System
+
+The system automatically matches `secrets/{hostname}/` to hostnames from `inventory.nix`. No manual configuration needed.
+
+### With External Modules
+
+External user/system modules can reference secrets:
+```nix
+# In external module
+{ config, ... }:
+{
+  programs.git.extraConfig.credential.helper = 
+    "store --file ${config.age.secrets.git-credentials.path}";
+}
+```
+
+## Advantages
+
+1. **Zero manual recipient management**: Just add directories and keys
+2. **Cross-host secret creation**: Any host can manage secrets for others
+3. **Automatic host discovery**: Syncs with inventory structure
+4. **Flexible permission model**: Global vs host-specific + custom configs
+5. **Version controlled**: All public data in git, auditable history
+6. **Secure by default**: Private keys never shared, secrets encrypted at rest
+
+## Limitations
+
+1. **Requires age key conversion**: SSH keys must be converted to age format (automated by script)
+2. **Bootstrap chicken-egg**: Need initial host key before encrypting secrets (capture from first boot or generate locally)
+3. **No secret rotation automation**: Must manually re-key with `ragenix -r`
+4. **Git history contains old encrypted versions**: Rotating keys doesn't remove old ciphertexts from history
+
+## Future Enhancements
+
+- Auto-run `update-age-keys.sh` in pre-commit hook
+- Integrate with inventory.nix to auto-generate host directories
+- Support for multiple identity types per host
+- Automated secret rotation scheduling
+- Integration with hardware security modules (YubiKey, etc.)

secrets/README.md

@@ -0,0 +1,250 @@
+# Secrets Management with Agenix
+
+This directory contains age-encrypted secrets for Athenix hosts. Secrets are automatically loaded based on directory structure.
+
+## Directory Structure
+
+```
+secrets/
+├── global/              # Secrets installed on ALL systems
+│   ├── default.nix      # Optional: Custom config for global secrets
+│   └── example.age      # Decrypted to /run/agenix/example on all hosts
+├── nix-builder/         # Secrets only for nix-builder host
+│   ├── default.nix      # Optional: Custom config for nix-builder secrets
+│   └── ssh_host_ed25519_key.age
+└── usda-dash/           # Secrets only for usda-dash host
+    └── ssh_host_ed25519_key.age
+```
+
+## How It Works
+
+1. **Global secrets** (`./secrets/global/*.age`) are installed on every system
+2. **Host-specific secrets** (`./secrets/{hostname}/*.age`) are only installed on matching hosts
+3. Only `.age` encrypted files are loaded; `.pub` public keys are ignored
+4. Secrets are decrypted at boot to `/run/agenix/{secret-name}` with mode `0400` and owner `root:root`
+5. **Custom configurations** can be defined in `default.nix` files within each directory
+
+## Creating Secrets
+
+### 1. Generate Age Keys
+
+For a new host, generate an age identity:
+```bash
+# On the target system
+mkdir -p /etc/age
+age-keygen -o /etc/age/identity.key
+chmod 600 /etc/age/identity.key
+```
+
+Or use SSH host keys (automatically done by Athenix):
+```bash
+# Get the age public key from SSH host key
+nix shell nixpkgs#ssh-to-age -c sh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+```
+
+### 2. Store Public Keys
+
+Save the public key to `secrets/{hostname}/` for reference:
+```bash
+# Example for nix-builder
+echo "age1..." > secrets/nix-builder/identity.pub
+```
+
+Or from SSH host key:
+```bash
+cat /etc/ssh/ssh_host_ed25519_key.pub > secrets/nix-builder/ssh_host_ed25519_key.pub
+```
+
+**Then convert SSH keys to age format:**
+```bash
+cd secrets/
+./update-age-keys.sh
+```
+
+This creates `.age.pub` files that `secrets.nix` uses for ragenix recipient configuration.
+
+### 3. Encrypt Secrets
+
+Encrypt a secret for specific hosts:
+```bash
+# For a single host
+age -r age1publickey... -o secrets/nix-builder/my-secret.age <<< "secret value"
+
+# For multiple hosts (recipient list)
+age -R recipients.txt -o secrets/global/shared-secret.age < plaintext-file
+
+# Using SSH public keys
+age -R secrets/nix-builder/ssh_host_ed25519_key.pub \
+    -o secrets/nix-builder/ssh_host_key.age < /etc/ssh/ssh_host_ed25519_key
+```
+
+### 4. Creating and Editing Secrets
+
+**For new secrets**, use the helper script (automatically determines recipients):
+
+```bash
+cd secrets/
+
+# Create a host-specific secret
+./create-secret.sh usda-dash/database-url.age <<< "postgresql://..."
+
+# Create a global secret
+echo "shared-api-key" | ./create-secret.sh global/api-key.age
+
+# From a file
+./create-secret.sh nix-builder/ssh-key.age < ~/.ssh/id_ed25519
+```
+
+The script automatically includes the correct recipients:
+- **Host-specific**: that host's keys + global keys + admin keys
+- **Global**: all host keys + admin keys
+
+**To edit existing secrets**, use `ragenix`:
+
+```bash
+# Install ragenix
+nix shell github:yaxitech/ragenix
+
+# Edit an existing secret (you must have a decryption key)
+ragenix -e secrets/global/existing-secret.age
+
+# Re-key all secrets after adding new hosts
+ragenix -r
+```
+
+**Why create with `age` first?** Ragenix requires the `.age` file to exist before editing. The `secrets/secrets.nix` configuration auto-discovers recipients from the directory structure, but ragenix doesn't support wildcard patterns for creating new files.
+
+**Recipient management** is automatic:
+- **Global secrets** (`secrets/global/*.age`): encrypted for ALL hosts + admins
+- **Host secrets** (`secrets/{hostname}/*.age`): encrypted for that host + global keys + admins
+- **Admin keys** from `secrets/admins/*.age.pub` allow editing from your workstation
+
+After creating new .age files with `age`, use `ragenix -r` to re-key all secrets with the updated recipient configuration.
+
+To add admin keys for editing secrets:
+```bash
+# Generate personal age key
+age-keygen -o ~/.config/age/personal.key
+
+# Extract public key and add to secrets
+grep "public key:" ~/.config/age/personal.key | cut -d: -f2 | tr -d ' ' > secrets/admins/your-name.age.pub
+```
+
+## Using Secrets in Configuration
+
+Secrets are automatically loaded. Reference them in your NixOS configuration:
+
+```nix
+# Example: Using a secret for a service
+services.myservice = {
+  enable = true;
+  passwordFile = config.age.secrets.my-password.path;  # /run/agenix/my-password
+};
+
+# Example: Setting up SSH host key from secret
+services.openssh = {
+  hostKeys = [{
+    path = config.age.secrets.ssh_host_ed25519_key.path;
+    type = "ed25519";
+  }];
+};
+```
+
+## Custom Secret Configuration
+
+For secrets needing custom permissions, use `athenix.sw.secrets.extraSecrets`:
+
+```nix
+# In inventory.nix or host config
+athenix.sw.secrets.extraSecrets = {
+  "nginx-cert" = {
+    file = ./secrets/custom/cert.age;
+    mode = "0440";
+    owner = "nginx";
+    group = "nginx";
+  };
+};
+```
+
+### Using default.nix in Secret Directories
+
+Alternatively, create a `default.nix` file in the secret directory to configure all secrets in that directory:
+
+```nix
+# secrets/global/default.nix
+{
+  "example" = {
+    mode = "0440";        # Custom file mode (default: "0400")
+    owner = "nginx";      # Custom owner (default: "root")
+    group = "nginx";      # Custom group (default: "root")
+    path = "/run/secrets/example";  # Custom path (default: /run/agenix/{name})
+  };
+  
+  "api-key" = {
+    mode = "0400";
+    owner = "myservice";
+    group = "myservice";
+  };
+}
+```
+
+The `default.nix` file should return an attribute set where:
+- **Keys** are secret names (without the `.age` extension)
+- **Values** are configuration objects with optional fields:
+  - `mode` - File permissions (string, e.g., `"0440"`)
+  - `owner` - File owner (string, e.g., `"nginx"`)
+  - `group` - File group (string, e.g., `"nginx"`)
+  - `path` - Custom installation path (string, e.g., `"/custom/path"`)
+  
+Secrets not listed in `default.nix` will use default settings.
+
+## Security Best Practices
+
+1. **Never commit unencrypted secrets** - Only `.age` and `.pub` files belong in this directory
+2. **Use host-specific secrets** when possible - Limit exposure by using hostname directories
+3. **Rotate secrets regularly** - Re-encrypt with new keys periodically
+4. **Backup age identity keys** - Store `/etc/age/identity.key` securely offline
+5. **Use SSH keys** - Leverage existing SSH host keys for age encryption when possible
+6. **Pin to commits** - When using external secrets modules, always use `rev = "commit-hash"`
+
+## Converting SSH Keys to Age Format
+
+```bash
+# Convert SSH public key to age public key
+nix shell nixpkgs#ssh-to-age -c ssh-to-age < secrets/nix-builder/ssh_host_ed25519_key.pub
+
+# Convert SSH private key to age identity (for editing secrets)
+nix shell nixpkgs#ssh-to-age -c ssh-to-age -private-key -i ~/.ssh/id_ed25519
+```
+
+## Disabling Automatic Secrets
+
+To disable automatic secret loading:
+
+```nix
+# In inventory.nix or host config
+athenix.sw.secrets.enable = false;
+```
+
+## Troubleshooting
+
+### Secret not found
+- Ensure the `.age` file exists in `secrets/global/` or `secrets/{hostname}/`
+- Check `hostname` matches directory name: `echo $HOSTNAME` on the target system
+- Run `nix flake check` to verify secrets are discovered
+
+### Permission denied
+- Verify secret permissions in `/run/agenix/`
+- Check if custom permissions are needed (use `extraSecrets`)
+- Ensure the service user/group has access to the secret file
+
+### Age decrypt failed
+- Verify the host's age identity exists: `ls -l /etc/age/identity.key`
+- Check that the secret was encrypted with the host's public key
+- Confirm SSH host key hasn't changed (would change derived age key)
+
+## References
+
+- [ragenix GitHub](https://github.com/yaxitech/ragenix)
+- [agenix upstream](https://github.com/ryantm/agenix)
+- [age encryption tool](https://age-encryption.org/)

secrets/admins/temp-admin.age.pub

@@ -0,0 +1 @@
+age14emzyraytqzmre58c452t07rtcj87cwqwmd9z3gj7upugtxk8s3sda5tju

secrets/create-secret.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Create a new age-encrypted secret with auto-determined recipients
+# Usage: ./create-secret.sh <path> [content]
+#   path: relative to secrets/ (e.g., "usda-dash/my-secret.age" or "global/shared.age")
+#   content: stdin if not provided
+
+SECRETS_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <path> [content]" >&2
+    echo "Examples:" >&2
+    echo "  $0 usda-dash/database-url.age <<< 'postgresql://...'" >&2
+    echo "  $0 global/api-key.age < secret-file.txt" >&2
+    echo "  echo 'secret' | $0 nix-builder/token.age" >&2
+    exit 1
+fi
+
+SECRET_PATH="$1"
+shift
+
+# Extract directory from path (e.g., "usda-dash/file.age" -> "usda-dash")
+SECRET_DIR="$(dirname "$SECRET_PATH")"
+SECRET_FILE="$(basename "$SECRET_PATH")"
+
+# Ensure .age extension
+if [[ ! "$SECRET_FILE" =~ \.age$ ]]; then
+    echo "Error: Secret file must have .age extension" >&2
+    exit 1
+fi
+
+TARGET_FILE="$SECRETS_DIR/$SECRET_PATH"
+
+# Ensure target directory exists
+mkdir -p "$(dirname "$TARGET_FILE")"
+
+# Collect recipient keys
+RECIPIENTS=()
+
+if [ "$SECRET_DIR" = "global" ]; then
+    echo "Creating global secret (encrypted for all hosts + admins)..." >&2
+    
+    # Add all host keys
+    for host_dir in "$SECRETS_DIR"/*/; do
+        host_name="$(basename "$host_dir")"
+        # Skip non-host directories
+        if [ "$host_name" = "admins" ] || [ "$host_name" = "global" ]; then
+            continue
+        fi
+        
+        # Add all .age.pub files from this host
+        while IFS= read -r -d '' key_file; do
+            RECIPIENTS+=("$key_file")
+        done < <(find "$host_dir" -maxdepth 1 -name "*.age.pub" -print0)
+    done
+    
+    # Add global keys
+    while IFS= read -r -d '' key_file; do
+        RECIPIENTS+=("$key_file")
+    done < <(find "$SECRETS_DIR/global" -maxdepth 1 -name "*.age.pub" -print0 2>/dev/null || true)
+    
+else
+    echo "Creating host-specific secret for $SECRET_DIR..." >&2
+    
+    # Check if host directory exists
+    if [ ! -d "$SECRETS_DIR/$SECRET_DIR" ]; then
+        echo "Error: Host directory $SECRET_DIR does not exist" >&2
+        echo "Create it first: mkdir -p secrets/$SECRET_DIR" >&2
+        exit 1
+    fi
+    
+    # Add this host's keys
+    while IFS= read -r -d '' key_file; do
+        RECIPIENTS+=("$key_file")
+    done < <(find "$SECRETS_DIR/$SECRET_DIR" -maxdepth 1 -name "*.age.pub" -print0)
+    
+    # Add global keys (so global hosts can also decrypt)
+    while IFS= read -r -d '' key_file; do
+        RECIPIENTS+=("$key_file")
+    done < <(find "$SECRETS_DIR/global" -maxdepth 1 -name "*.age.pub" -print0 2>/dev/null || true)
+fi
+
+# Add admin keys (for editing from workstations)
+if [ -d "$SECRETS_DIR/admins" ]; then
+    while IFS= read -r -d '' key_file; do
+        RECIPIENTS+=("$key_file")
+    done < <(find "$SECRETS_DIR/admins" -maxdepth 1 -name "*.age.pub" -print0 2>/dev/null || true)
+fi
+
+# Check if we have any recipients
+if [ ${#RECIPIENTS[@]} -eq 0 ]; then
+    echo "Error: No recipient keys found!" >&2
+    echo "Run ./update-age-keys.sh first to generate .age.pub files" >&2
+    exit 1
+fi
+
+echo "Found ${#RECIPIENTS[@]} recipient key(s):" >&2
+for key in "${RECIPIENTS[@]}"; do
+    echo "  - $(basename "$key")" >&2
+done
+
+# Create recipient list file (temporary)
+RECIPIENT_LIST=$(mktemp)
+trap "rm -f $RECIPIENT_LIST" EXIT
+
+for key in "${RECIPIENTS[@]}"; do
+    cat "$key" >> "$RECIPIENT_LIST"
+done
+
+# Encrypt the secret
+if [ $# -gt 0 ]; then
+    # Content provided as argument
+    echo "$@" | age -R "$RECIPIENT_LIST" -o "$TARGET_FILE"
+else
+    # Content from stdin
+    age -R "$RECIPIENT_LIST" -o "$TARGET_FILE"
+fi
+
+echo "✓ Created $TARGET_FILE" >&2
+echo "  Edit with: ragenix -e secrets/$SECRET_PATH" >&2

secrets/global/hunter_halloran_key.age.pub

@@ -0,0 +1 @@
+age1udmpqkedupd33gyut85ud3nvppydzeg04kkuneymkvxcjjej244s4v8xjc

secrets/nix-builder/default.nix

@@ -0,0 +1,10 @@
+# Host-specific secret configuration for nix-builder
+{
+  # SSH host key should be readable by sshd
+  ssh_host_ed25519_key = {
+    mode = "0600";
+    owner = "root";
+    group = "root";
+    path = "/etc/ssh/ssh_host_ed25519_key";
+  };
+}

secrets/nix-builder/ssh_host_ed25519_key.age.pub

@@ -0,0 +1 @@
+age1u5tczg2sx90n03uuz9h549f4h3h7sq5uehhqpampzs7vj8ew7y6s2mjwz0

secrets/secrets.nix

@@ -0,0 +1,176 @@
+# ============================================================================
+# Agenix Secret Recipients Configuration (Auto-Generated)
+# ============================================================================
+# This file automatically discovers hosts and their public keys from the
+# secrets/ directory structure and generates recipient configurations.
+#
+# Directory structure:
+#   secrets/{hostname}/*.pub  -> SSH/age public keys for that host
+#   secrets/global/*.pub      -> Keys accessible to all hosts
+#
+# Usage:
+#   ragenix -e secrets/global/example.age     # Edit/create secret
+#   ragenix -r                                # Re-key all secrets
+#
+# To add admin keys for editing secrets, create secrets/admins/*.pub files
+# with your personal age public keys (generated with: age-keygen)
+
+let
+  lib = builtins;
+
+  # Helper functions not in builtins
+  filterAttrs =
+    pred: set:
+    lib.listToAttrs (
+      lib.filter (item: pred item.name item.value) (
+        lib.map (name: {
+          inherit name;
+          value = set.${name};
+        }) (lib.attrNames set)
+      )
+    );
+
+  concatLists = lists: lib.foldl' (acc: list: acc ++ list) [ ] lists;
+
+  unique =
+    list:
+    let
+      go =
+        acc: remaining:
+        if remaining == [ ] then
+          acc
+        else if lib.elem (lib.head remaining) acc then
+          go acc (lib.tail remaining)
+        else
+          go (acc ++ [ (lib.head remaining) ]) (lib.tail remaining);
+    in
+    go [ ] list;
+
+  hasSuffix =
+    suffix: str:
+    let
+      lenStr = lib.stringLength str;
+      lenSuffix = lib.stringLength suffix;
+    in
+    lenStr >= lenSuffix && lib.substring (lenStr - lenSuffix) lenSuffix str == suffix;
+
+  nameValuePair = name: value: { inherit name value; };
+
+  secretsPath = ./secrets;
+
+  # Read all directories in secrets/
+  secretDirs = if lib.pathExists secretsPath then lib.readDir secretsPath else { };
+
+  # Filter to only directories (excludes files)
+  isDirectory = name: type: type == "directory";
+  directories = lib.filter (name: isDirectory name secretDirs.${name}) (lib.attrNames secretDirs);
+
+  # Read public keys from a directory and convert to age format
+  readHostKeys =
+    dirName:
+    let
+      dirPath = secretsPath + "/${dirName}";
+      files = if lib.pathExists dirPath then lib.readDir dirPath else { };
+
+      # Prefer .age.pub files (pre-converted), fall back to .pub files
+      agePubFiles = filterAttrs (name: type: type == "regular" && hasSuffix ".age.pub" name) files;
+
+      sshPubFiles = filterAttrs (
+        name: type: type == "regular" && hasSuffix ".pub" name && !(hasSuffix ".age.pub" name)
+      ) files;
+
+      # Read age public keys (already in correct format)
+      ageKeys = lib.map (
+        name:
+        let
+          content = lib.readFile (dirPath + "/${name}");
+          # Trim whitespace/newlines
+          trimmed = lib.replaceStrings [ "\n" " " "\r" "\t" ] [ "" "" "" "" ] content;
+        in
+        trimmed
+      ) (lib.attrNames agePubFiles);
+
+      # For SSH keys, just include them as-is (user needs to convert with ssh-to-age)
+      # Or they can run the update-age-keys.sh script
+      sshKeys =
+        if (lib.length (lib.attrNames sshPubFiles)) > 0 then
+          lib.trace "Warning: ${dirName} has unconverted SSH keys. Run secrets/update-age-keys.sh" [ ]
+        else
+          [ ];
+    in
+    lib.filter (k: k != null && k != "") (ageKeys ++ sshKeys);
+
+  # Build host key mappings: { hostname = [ "age1..." "age2..." ]; }
+  hostKeys = lib.listToAttrs (
+    lib.map (dir: nameValuePair dir (readHostKeys dir)) (
+      lib.filter (d: d != "global" && d != "admins") directories
+    )
+  );
+
+  # Global keys that all hosts can use
+  globalKeys = if lib.elem "global" directories then readHostKeys "global" else [ ];
+
+  # Admin keys for editing secrets
+  adminKeys = if lib.elem "admins" directories then readHostKeys "admins" else [ ];
+
+  # All host keys combined
+  allHostKeys = concatLists (lib.attrValues hostKeys);
+
+  # Find all .age files in the secrets directory
+  findSecrets =
+    dir:
+    let
+      dirPath = secretsPath + "/${dir}";
+      files = if lib.pathExists dirPath then lib.readDir dirPath else { };
+      ageFiles = filterAttrs (name: type: type == "regular" && hasSuffix ".age" name) files;
+    in
+    lib.map (name: "secrets/${dir}/${name}") (lib.attrNames ageFiles);
+
+  # Generate recipient list for a secret based on its location
+  getRecipients =
+    secretPath:
+    let
+      # Extract directory name from path: "secrets/nix-builder/foo.age" -> "nix-builder"
+      pathParts = lib.split "/" secretPath;
+      dirName = lib.elemAt pathParts 2;
+    in
+    if dirName == "global" then
+      # Global secrets: all hosts + admins
+      allHostKeys ++ globalKeys ++ adminKeys
+    else if hostKeys ? ${dirName} then
+      # Host-specific secrets: that host + global keys + admins
+      hostKeys.${dirName} ++ globalKeys ++ adminKeys
+    else
+      # Fallback: just admins
+      adminKeys;
+
+  # Find all secrets across all directories
+  allSecrets = concatLists (lib.map findSecrets directories);
+
+  # Generate the configuration
+  secretsConfig = lib.listToAttrs (
+    lib.map (
+      secretPath:
+      let
+        recipients = getRecipients secretPath;
+        # Remove duplicates and empty keys
+        uniqueRecipients = unique (lib.filter (k: k != null && k != "") recipients);
+      in
+      nameValuePair secretPath {
+        publicKeys = uniqueRecipients;
+      }
+    ) allSecrets
+  );
+
+in
+secretsConfig
+// {
+  # Export helper information for debugging
+  _meta = {
+    hostKeys = hostKeys;
+    globalKeys = globalKeys;
+    adminKeys = adminKeys;
+    allHostKeys = allHostKeys;
+    discoveredSecrets = allSecrets;
+  };
+}

secrets/update-age-keys.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# ============================================================================
+# Update Age Keys from SSH Public Keys
+# ============================================================================
+# This script converts SSH public keys to age format for use with ragenix.
+# Run this after adding new SSH .pub files to create corresponding .age.pub files.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+echo "Converting SSH public keys to age format..."
+
+# Find all .pub files that are SSH keys (not already .age.pub)
+find . -name "*.pub" -not -name "*.age.pub" -type f | while read -r pubkey; do
+    # Check if it's an SSH key
+    if grep -q "^ssh-" "$pubkey" 2>/dev/null || grep -q "^ecdsa-" "$pubkey" 2>/dev/null; then
+        age_key=$(nix shell nixpkgs#ssh-to-age -c ssh-to-age < "$pubkey" 2>/dev/null || true)
+        
+        if [ -n "$age_key" ]; then
+            # Create .age.pub file with the age key
+            age_file="${pubkey%.pub}.age.pub"
+            echo "$age_key" > "$age_file"
+            echo "✓ Converted: $pubkey -> $age_file"
+        else
+            echo "⚠ Skipped: $pubkey (conversion failed)"
+        fi
+    fi
+done
+
+echo ""
+echo "Done! Age public keys have been generated."
+echo "You can now use ragenix to manage secrets:"
+echo "  ragenix -e secrets/global/my-secret.age"
+echo "  ragenix -r  # Re-key all secrets with updated keys"

secrets/usda-dash/default.nix

@@ -0,0 +1,8 @@
+# Host-specific secret configuration for usda-dash
+{
+  usda-vision-azure-env = {
+    mode = "0600";
+    owner = "root";
+    group = "root";
+  };
+}

secrets/usda-dash/ssh_host_ed25519_key.age.pub

@@ -0,0 +1 @@
+age1lr24yvk7rdfh5wkle7h32jpxqxm2e8vk85mc4plv370u2sh4yfmszaaejx

secrets/usda-dash/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHI73LOEK2RgfjhZWpryntlLbx0LouHrhQ6v0vZu4Etr root@usda-dash

sw/default.nix

@@ -26,6 +26,7 @@ in
     ./gc.nix
     ./updater.nix
     ./update-ref.nix
+    ./secrets.nix
     ./desktop
     ./headless
     ./builders

sw/secrets.nix

@@ -0,0 +1,230 @@
+# ============================================================================
+# Automatic Secret Management with Agenix
+# ============================================================================
+# This module automatically loads age-encrypted secrets from ./secrets based on
+# the hostname. Secrets are organized by directory:
+#   - ./secrets/global/          -> Installed on ALL systems
+#   - ./secrets/{hostname}/      -> Installed only on matching host
+#
+# Secret files should be .age encrypted files. Public keys (.pub) are ignored.
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.athenix.sw;
+  secretsPath = ../secrets;
+
+  # Get the fleet-assigned hostname (avoids issues with LXC empty hostnames)
+  hostname = config.athenix.host.name;
+
+  # Read all directories in ./secrets
+  secretDirs = if builtins.pathExists secretsPath then builtins.readDir secretsPath else { };
+
+  # Filter to only directories (excludes files)
+  isDirectory = name: type: type == "directory";
+  directories = lib.filterAttrs isDirectory secretDirs;
+
+  # Read secrets from a specific directory
+  readSecretsFromDir =
+    dirName:
+    let
+      dirPath = secretsPath + "/${dirName}";
+      files = builtins.readDir dirPath;
+
+      # Check if there's a default.nix with custom secret configurations
+      hasDefaultNix = files ? "default.nix";
+      customConfigs = if hasDefaultNix then import (dirPath + "/default.nix") else { };
+
+      # Only include .age files (exclude .pub public keys and other files)
+      secretFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".age" name) files;
+    in
+    lib.mapAttrs' (
+      name: _:
+      let
+        # Remove .age extension for the secret name
+        secretName = lib.removeSuffix ".age" name;
+
+        # Get custom config for this secret if defined
+        customConfig = customConfigs.${secretName} or { };
+
+        # Base configuration with file path
+        baseConfig = {
+          file = dirPath + "/${name}";
+        };
+      in
+      lib.nameValuePair secretName (baseConfig // customConfig)
+    ) secretFiles;
+
+  # Read public keys from a specific directory and map to private key paths
+  readIdentityPathsFromDir =
+    dirName:
+    let
+      dirPath = secretsPath + "/${dirName}";
+      files = if builtins.pathExists dirPath then builtins.readDir dirPath else { };
+      # Only include .pub public key files
+      pubKeyFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) files;
+    in
+    lib.mapAttrsToList (
+      name: _:
+      let
+        # Map public key filename to expected private key location
+        baseName = lib.removeSuffix ".pub" name;
+        filePath = dirPath + "/${name}";
+        fileContent = builtins.readFile filePath;
+        # Check if it's an SSH key by looking at the content
+        isSSHKey = lib.hasPrefix "ssh-" fileContent || lib.hasPrefix "ecdsa-" fileContent;
+      in
+      if lib.hasPrefix "ssh_host_" name then
+        # SSH host keys: ssh_host_ed25519_key.pub -> /etc/ssh/ssh_host_ed25519_key
+        "/etc/ssh/${baseName}"
+      else if name == "identity.pub" then
+        # Standard age identity: identity.pub -> /etc/age/identity.key
+        "/etc/age/identity.key"
+      else if isSSHKey then
+        # Other SSH keys (user keys, etc.): hunter_halloran_key.pub -> /etc/ssh/hunter_halloran_key
+        "/etc/ssh/${baseName}"
+      else
+        # Generic age keys: key.pub -> /etc/age/key
+        "/etc/age/${baseName}"
+    ) pubKeyFiles;
+
+  # Determine which secrets apply to this host
+  applicableSecrets =
+    let
+      # Global secrets apply to all hosts
+      globalSecrets = if directories ? "global" then readSecretsFromDir "global" else { };
+
+      # Host-specific secrets
+      hostSecrets = if directories ? ${hostname} then readSecretsFromDir hostname else { };
+    in
+    globalSecrets // hostSecrets; # Host-specific secrets override global if same name
+
+  # Determine which identity paths (private keys) to use for decryption
+  identityPaths =
+    let
+      # Global identity paths (keys in global/ that all hosts can use)
+      globalPaths = if directories ? "global" then readIdentityPathsFromDir "global" else [ ];
+
+      # Host-specific identity paths
+      hostPaths = if directories ? ${hostname} then readIdentityPathsFromDir hostname else [ ];
+
+      # Default paths that NixOS/agenix use
+      defaultPaths = [
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/age/identity.key"
+      ];
+
+      # Combine all paths and remove duplicates
+      allPaths = lib.unique (defaultPaths ++ globalPaths ++ hostPaths);
+    in
+    allPaths;
+in
+{
+  options.athenix.sw.secrets = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Enable automatic secret management using agenix.
+
+        Secrets are loaded from ./secrets based on directory structure:
+        - ./secrets/global/       -> All systems
+        - ./secrets/{hostname}/   -> Specific host only
+
+        Only .age encrypted files are loaded; .pub files are ignored.
+      '';
+    };
+
+    extraSecrets = mkOption {
+      type = types.attrsOf (
+        types.submodule {
+          options = {
+            file = mkOption {
+              type = types.path;
+              description = "Path to the encrypted secret file";
+            };
+            mode = mkOption {
+              type = types.str;
+              default = "0400";
+              description = "Permissions mode for the decrypted secret";
+            };
+            owner = mkOption {
+              type = types.str;
+              default = "root";
+              description = "Owner of the decrypted secret file";
+            };
+            group = mkOption {
+              type = types.str;
+              default = "root";
+              description = "Group of the decrypted secret file";
+            };
+          };
+        }
+      );
+      default = { };
+      description = ''
+        Additional secrets to define manually, beyond the auto-discovered ones.
+        Use this for secrets that need custom permissions or are stored elsewhere.
+      '';
+      example = lib.literalExpression ''
+        {
+          "my-secret" = {
+            file = ./secrets/custom/secret.age;
+            mode = "0440";
+            owner = "nginx";
+            group = "nginx";
+          };
+        }
+      '';
+    };
+  };
+
+  config = mkIf (cfg.enable && cfg.secrets.enable) {
+    # Auto-discovered secrets with default permissions
+    age.secrets = applicableSecrets // cfg.secrets.extraSecrets;
+
+    # Generate age identity files from SSH host keys at boot
+    # This is needed because age can't reliably use OpenSSH private keys directly
+    # Must run before agenix tries to decrypt secrets
+    system.activationScripts.convertSshToAge = {
+      deps = [
+        "users"
+        "groups"
+      ];
+      text = ''
+        mkdir -p /etc/age
+        if [ -f /etc/ssh/ssh_host_ed25519_key ]; then
+          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age || true
+          chmod 600 /etc/age/ssh_host_ed25519.age 2>/dev/null || true
+        fi
+        if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_rsa_key > /etc/age/ssh_host_rsa.age 2>/dev/null || true
+          chmod 600 /etc/age/ssh_host_rsa.age 2>/dev/null || true
+        fi
+      '';
+    };
+
+    # Add the converted age keys to identity paths (in addition to auto-discovered ones)
+    age.identityPaths = identityPaths ++ [
+      "/etc/age/ssh_host_ed25519.age"
+      "/etc/age/ssh_host_rsa.age"
+    ];
+
+    # Optional: Add assertion to warn if no secrets found
+    warnings =
+      let
+        hasSecrets = (builtins.length (builtins.attrNames applicableSecrets)) > 0;
+      in
+      lib.optional (
+        !hasSecrets
+      ) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/";
+  };
+}

sw/stateless-kiosk/kiosk-browser.nix

@@ -1,13 +1,13 @@
 # This module configures Chromium for kiosk mode under Sway.
 # It includes a startup script that determines the kiosk URL based on the machine's MAC address.
 {
-  lib,
   pkgs,
+  inputs,
   ...
 }:
 
 let
-  macCaseBuilder = (import ./mac-hostmap.nix { inherit lib; }).macCaseBuilder;
+  macCaseBuilder = inputs.self.lib.macCaseBuilder;
   macCases = macCaseBuilder {
     varName = "STATION";
   };

sw/stateless-kiosk/mac-hostmap.nix

@@ -1,28 +0,0 @@
-# Shared MAC address to station mapping and case builder for stateless-kiosk modules
-{ lib }:
-let
-  hostmap = {
-    "00:e0:4c:46:0b:32" = "1";
-    "00:e0:4c:46:07:26" = "2";
-    "00:e0:4c:46:05:94" = "3";
-    "00:e0:4c:46:07:11" = "4";
-    "00:e0:4c:46:08:02" = "5";
-    "00:e0:4c:46:08:5c" = "6";
-  };
-  # macCaseBuilder: builds a shell case statement from a hostmap
-  # varName: the shell variable to assign
-  # prefix: optional string to prepend to the value (default: "")
-  # attrset: attribute set to use (default: hostmap)
-  macCaseBuilder =
-    {
-      varName,
-      prefix ? "",
-      attrset ? hostmap,
-    }:
-    lib.concatStringsSep "\n" (
-      lib.mapAttrsToList (mac: val: "      ${mac}) ${varName}=${prefix}${val} ;;") attrset
-    );
-in
-{
-  inherit hostmap macCaseBuilder;
-}

sw/stateless-kiosk/programs.nix

@@ -1,7 +1,4 @@
 {
-  config,
-  lib,
-  pkgs,
   ...
 }:
 {

sw/stateless-kiosk/services.nix

@@ -1,10 +1,10 @@
 {
-  lib,
   pkgs,
+  inputs,
   ...
 }:
 let
-  macCaseBuilder = (import ./mac-hostmap.nix { inherit lib; }).macCaseBuilder;
+  macCaseBuilder = inputs.self.lib.macCaseBuilder;
   shellCases = macCaseBuilder {
     varName = "NEW_HOST";
     prefix = "nix-station";

sw/update-ref.nix

@@ -13,512 +13,512 @@ in
 {
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs; [
-    python3
-    git
-    (pkgs.writeShellScriptBin "update-ref" ''
-      set -euo pipefail
+      python3
+      git
+      (pkgs.writeShellScriptBin "update-ref" ''
+        set -euo pipefail
 
-      RED='\033[31m'; YEL='\033[33m'; NC='\033[0m'
-      die() { printf "''${RED}error:''${NC} %s\n" "$*" >&2; exit 2; }
-      warn() { printf "''${YEL}warning:''${NC} %s\n" "$*" >&2; }
+        RED='\033[31m'; YEL='\033[33m'; NC='\033[0m'
+        die() { printf "''${RED}error:''${NC} %s\n" "$*" >&2; exit 2; }
+        warn() { printf "''${YEL}warning:''${NC} %s\n" "$*" >&2; }
 
-      usage() {
-        cat >&2 <<'EOF'
-      usage:
-        update-ref [-R PATH|--athenix-repo=PATH] [-b BRANCH|--athenix-branch=BRANCH]
-                  [-m "msg"|--message "msg"]
-                  [-p[=false] [remote[=URL]]|--push[=false] [remote[=URL]]]
-                  [--make-local|-l] [--make-remote|-r] [--ssh]
-                  user=<username> | system=<device-type>:<hostkey>
-      EOF
-        exit 2
-      }
+        usage() {
+          cat >&2 <<'EOF'
+        usage:
+          update-ref [-R PATH|--athenix-repo=PATH] [-b BRANCH|--athenix-branch=BRANCH]
+                    [-m "msg"|--message "msg"]
+                    [-p[=false] [remote[=URL]]|--push[=false] [remote[=URL]]]
+                    [--make-local|-l] [--make-remote|-r] [--ssh]
+                    user=<username> | system=<device-type>:<hostkey>
+        EOF
+          exit 2
+        }
 
-      # --- must be in a git repo (current dir) ---
-      git rev-parse --is-inside-work-tree >/dev/null 2>&1 || die "This directory is not a git project"
-      CUR_REPO_ROOT="$(git rev-parse --show-toplevel)"
-      CUR_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+        # --- must be in a git repo (current dir) ---
+        git rev-parse --is-inside-work-tree >/dev/null 2>&1 || die "This directory is not a git project"
+        CUR_REPO_ROOT="$(git rev-parse --show-toplevel)"
+        CUR_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
 
-      # --- athenix checkout (working tree) ---
-      ATHENIX_DIR="$HOME/athenix"
-      ATHENIX_BRANCH=""
+        # --- athenix checkout (working tree) ---
+        ATHENIX_DIR="$HOME/athenix"
+        ATHENIX_BRANCH=""
 
-      # --- current repo automation ---
-      COMMIT_MSG=""
-      PUSH_SPEC=""
+        # --- current repo automation ---
+        COMMIT_MSG=""
+        PUSH_SPEC=""
 
-      # --- push / url mode ---
-      PUSH_SET=0
-      DO_PUSH=0
-      MODE_FORCE=""  # "", local, remote
+        # --- push / url mode ---
+        PUSH_SET=0
+        DO_PUSH=0
+        MODE_FORCE=""  # "", local, remote
 
-      TARGET=""
+        TARGET=""
 
-      is_remote_url() {
-        # https://, http://, ssh://, or scp-style git@host:org/repo
-        printf "%s" "$1" | grep -qE '^(https?|ssh)://|^[^/@:]+@[^/:]+:'
-      }
+        is_remote_url() {
+          # https://, http://, ssh://, or scp-style git@host:org/repo
+          printf "%s" "$1" | grep -qE '^(https?|ssh)://|^[^/@:]+@[^/:]+:'
+        }
 
-      derive_full_hostname() {
-        devtype="$1"; hostkey="$2"
-        if printf "%s" "$hostkey" | grep -q '-' || printf "%s" "$hostkey" | grep -q "^$devtype"; then
-          printf "%s" "$hostkey"
-        elif printf "%s" "$hostkey" | grep -qE '^[0-9]+$'; then
-          printf "%s" "$devtype$hostkey"
-        else
-          printf "%s" "$devtype-$hostkey"
-        fi
-      }
+        derive_full_hostname() {
+          devtype="$1"; hostkey="$2"
+          if printf "%s" "$hostkey" | grep -q '-' || printf "%s" "$hostkey" | grep -q "^$devtype"; then
+            printf "%s" "$hostkey"
+          elif printf "%s" "$hostkey" | grep -qE '^[0-9]+$'; then
+            printf "%s" "$devtype$hostkey"
+          else
+            printf "%s" "$devtype-$hostkey"
+          fi
+        }
 
-      extract_existing_fetch_url() {
-        # args: mode file username key
-        python3 - "$1" "$2" "$3" "$4" "$5"<<'PY'
-      import sys, re, pathlib
-      mode, file, username, key, use_ssh = sys.argv[1:5]
-      t = pathlib.Path(file).read_text()
+        extract_existing_fetch_url() {
+          # args: mode file username key
+          python3 - "$1" "$2" "$3" "$4" "$5"<<'PY'
+        import sys, re, pathlib
+        mode, file, username, key, use_ssh = sys.argv[1:5]
+        t = pathlib.Path(file).read_text()
 
-      def url_from_block(block: str) -> str:
-          if not block:
-              return ""
-          m = re.search(r'url\s*=\s*"([^"]+)"\s*;', block)
-          url = m.group(1) if m else ""
+        def url_from_block(block: str) -> str:
+            if not block:
+                return ""
+            m = re.search(r'url\s*=\s*"([^"]+)"\s*;', block)
+            url = m.group(1) if m else ""
 
-          if use_ssh = "true":
-            return url
-
-          # Already https
-          if url.startswith("https://"):
+            if use_ssh = "true":
               return url
 
-          # ssh://git@host/org/repo.git
-          m = re.match(r"ssh://(?:.+?)@([^/]+)/(.+)", url)
-          if m:
-              host, path = m.groups()
-              return f"https://{host}/{path}"
+            # Already https
+            if url.startswith("https://"):
+                return url
 
-          # git@host:org/repo.git
-          m = re.match(r"(?:.+?)@([^:]+):(.+)", url)
-          if m:
-              host, path = m.groups()
-              return f"https://{host}/{path}"
+            # ssh://git@host/org/repo.git
+            m = re.match(r"ssh://(?:.+?)@([^/]+)/(.+)", url)
+            if m:
+                host, path = m.groups()
+                return f"https://{host}/{path}"
 
-          # If you gave me something cursed
-          raise ValueError(f"Unrecognized SSH git URL format: {url}")
+            # git@host:org/repo.git
+            m = re.match(r"(?:.+?)@([^:]+):(.+)", url)
+            if m:
+                host, path = m.groups()
+                return f"https://{host}/{path}"
+
+            # If you gave me something cursed
+            raise ValueError(f"Unrecognized SSH git URL format: {url}")
 
 
-      if mode == "user":
-          m = re.search(r'(?s)\n\s*' + re.escape(username) + r'\.external\s*=\s*builtins\.fetchGit\s*\{(.*?)\n\s*\};', t)
-          block = m.group(1) if m else ""
-          print(url_from_block(block))
-      else:
-          m = re.search(r'(?s)\n\s*"' + re.escape(key) + r'"\s*=\s*builtins\.fetchGit\s*\{(.*?)\n\s*\};', t)
-          block = m.group(1) if m else ""
-          print(url_from_block(block))
-      PY
-      }
+        if mode == "user":
+            m = re.search(r'(?s)\n\s*' + re.escape(username) + r'\.external\s*=\s*builtins\.fetchGit\s*\{(.*?)\n\s*\};', t)
+            block = m.group(1) if m else ""
+            print(url_from_block(block))
+        else:
+            m = re.search(r'(?s)\n\s*"' + re.escape(key) + r'"\s*=\s*builtins\.fetchGit\s*\{(.*?)\n\s*\};', t)
+            block = m.group(1) if m else ""
+            print(url_from_block(block))
+        PY
+        }
 
-      # --- parse args ---
-      while [ "$#" -gt 0 ]; do
-        case "$1" in
-          user=*|system=*)
-            [ -z "$TARGET" ] || die "Only one subcommand allowed (user=... or system=...)"
-            TARGET="$1"; shift
-            ;;
-          --athenix-repo=*)
-            ATHENIX_DIR="''${1#*=}"; shift
-            ;;
-          -R)
-            [ "$#" -ge 2 ] || usage
-            ATHENIX_DIR="$2"; shift 2
-            ;;
-          --athenix-branch=*)
-            ATHENIX_BRANCH="''${1#*=}"; shift
-            ;;
-          -b)
-            [ "$#" -ge 2 ] || usage
-            ATHENIX_BRANCH="$2"; shift 2
-            ;;
-          -m|--message)
-            [ "$#" -ge 2 ] || usage
-            COMMIT_MSG="$2"; shift 2
-            ;;
+        # --- parse args ---
+        while [ "$#" -gt 0 ]; do
+          case "$1" in
+            user=*|system=*)
+              [ -z "$TARGET" ] || die "Only one subcommand allowed (user=... or system=...)"
+              TARGET="$1"; shift
+              ;;
+            --athenix-repo=*)
+              ATHENIX_DIR="''${1#*=}"; shift
+              ;;
+            -R)
+              [ "$#" -ge 2 ] || usage
+              ATHENIX_DIR="$2"; shift 2
+              ;;
+            --athenix-branch=*)
+              ATHENIX_BRANCH="''${1#*=}"; shift
+              ;;
+            -b)
+              [ "$#" -ge 2 ] || usage
+              ATHENIX_BRANCH="$2"; shift 2
+              ;;
+            -m|--message)
+              [ "$#" -ge 2 ] || usage
+              COMMIT_MSG="$2"; shift 2
+              ;;
 
-          -p|--push)
-            PUSH_SET=1
-            DO_PUSH=1
-            PUSH_SPEC=""
+            -p|--push)
+              PUSH_SET=1
+              DO_PUSH=1
+              PUSH_SPEC=""
 
-            # If there is a next token, only consume it if it is a remote spec
-            # and not another flag or the subcommand.
-            if [ "$#" -ge 2 ]; then
-              nxt="$2"
+              # If there is a next token, only consume it if it is a remote spec
+              # and not another flag or the subcommand.
+              if [ "$#" -ge 2 ]; then
+                nxt="$2"
 
-              if printf "%s" "$nxt" | grep -qE '^(user=|system=)'; then
-                # next token is the subcommand; don't consume it
-                shift
-              elif printf "%s" "$nxt" | grep -qE '^-'; then
-                # next token is another flag; don't consume it
-                shift
-              elif printf "%s" "$nxt" | grep -qE '^[A-Za-z0-9._-]+$'; then
-                # remote name
-                PUSH_SPEC="$nxt"
-                shift 2
-              elif printf "%s" "$nxt" | grep -qE '^[A-Za-z0-9._-]+=.+$'; then
-                # remote=URL
-                PUSH_SPEC="$nxt"
-                shift 2
+                if printf "%s" "$nxt" | grep -qE '^(user=|system=)'; then
+                  # next token is the subcommand; don't consume it
+                  shift
+                elif printf "%s" "$nxt" | grep -qE '^-'; then
+                  # next token is another flag; don't consume it
+                  shift
+                elif printf "%s" "$nxt" | grep -qE '^[A-Za-z0-9._-]+$'; then
+                  # remote name
+                  PUSH_SPEC="$nxt"
+                  shift 2
+                elif printf "%s" "$nxt" | grep -qE '^[A-Za-z0-9._-]+=.+$'; then
+                  # remote=URL
+                  PUSH_SPEC="$nxt"
+                  shift 2
+                else
+                  # unknown token; treat as not-a-push-spec and don't consume it
+                  shift
+                fi
               else
-                # unknown token; treat as not-a-push-spec and don't consume it
                 shift
               fi
-            else
+              ;;
+
+            -p=*|--push=*)
+              PUSH_SET=1
+              val="''${1#*=}"
+              case "$val" in
+                false|0|no|off) DO_PUSH=0 ;;
+                true|1|yes|on|"") DO_PUSH=1 ;;
+                *) die "Invalid value for --push: $val (use true/false)" ;;
+              esac
               shift
+              ;;
+
+            --make-local|-l) MODE_FORCE="local"; shift ;;
+            --make-remote|-r) MODE_FORCE="remote"; shift ;;
+            --ssh) USE_SSH="true"; shift ;;
+            -h|--help) usage ;;
+            *) die "Unknown argument: $1" ;;
+          esac
+        done
+
+        [ -n "$TARGET" ] || die "Missing required subcommand: user=<username> or system=<device-type>:<hostkey>"
+
+        # --- validate athenix working tree path ---
+        [ -d "$ATHENIX_DIR" ] || die "$ATHENIX_DIR does not exist"
+        git -C "$ATHENIX_DIR" rev-parse --is-inside-work-tree >/dev/null 2>&1 || die "$ATHENIX_DIR is not a git project (athenix checkout)"
+
+        # --- -b behavior: fork/switch athenix working tree into branch ---
+        if [ -n "$ATHENIX_BRANCH" ]; then
+          ATH_CUR_BRANCH="$(git -C "$ATHENIX_DIR" rev-parse --abbrev-ref HEAD)"
+          if [ "$ATH_CUR_BRANCH" != "$ATHENIX_BRANCH" ]; then
+            if git -C "$ATHENIX_DIR" show-ref --verify --quiet "refs/heads/$ATHENIX_BRANCH"; then
+              warn "Branch '$ATHENIX_BRANCH' already exists in $ATHENIX_DIR."
+              warn "Delete and recreate it from current branch '$ATH_CUR_BRANCH' state? [y/N] "
+              read -r ans || true
+              case "''${ans:-N}" in
+                y|Y|yes|YES)
+                  git -C "$ATHENIX_DIR" branch -D "$ATHENIX_BRANCH"
+                  git -C "$ATHENIX_DIR" switch -c "$ATHENIX_BRANCH"
+                  ;;
+                *)
+                  git -C "$ATHENIX_DIR" switch "$ATHENIX_BRANCH"
+                  ;;
+              esac
+            else
+              git -C "$ATHENIX_DIR" switch -c "$ATHENIX_BRANCH"
             fi
-            ;;
-
-          -p=*|--push=*)
-            PUSH_SET=1
-            val="''${1#*=}"
-            case "$val" in
-              false|0|no|off) DO_PUSH=0 ;;
-              true|1|yes|on|"") DO_PUSH=1 ;;
-              *) die "Invalid value for --push: $val (use true/false)" ;;
-            esac
-            shift
-            ;;
-
-          --make-local|-l) MODE_FORCE="local"; shift ;;
-          --make-remote|-r) MODE_FORCE="remote"; shift ;;
-          --ssh) USE_SSH="true"; shift ;;
-          -h|--help) usage ;;
-          *) die "Unknown argument: $1" ;;
-        esac
-      done
-
-      [ -n "$TARGET" ] || die "Missing required subcommand: user=<username> or system=<device-type>:<hostkey>"
-
-      # --- validate athenix working tree path ---
-      [ -d "$ATHENIX_DIR" ] || die "$ATHENIX_DIR does not exist"
-      git -C "$ATHENIX_DIR" rev-parse --is-inside-work-tree >/dev/null 2>&1 || die "$ATHENIX_DIR is not a git project (athenix checkout)"
-
-      # --- -b behavior: fork/switch athenix working tree into branch ---
-      if [ -n "$ATHENIX_BRANCH" ]; then
-        ATH_CUR_BRANCH="$(git -C "$ATHENIX_DIR" rev-parse --abbrev-ref HEAD)"
-        if [ "$ATH_CUR_BRANCH" != "$ATHENIX_BRANCH" ]; then
-          if git -C "$ATHENIX_DIR" show-ref --verify --quiet "refs/heads/$ATHENIX_BRANCH"; then
-            warn "Branch '$ATHENIX_BRANCH' already exists in $ATHENIX_DIR."
-            warn "Delete and recreate it from current branch '$ATH_CUR_BRANCH' state? [y/N] "
-            read -r ans || true
-            case "''${ans:-N}" in
-              y|Y|yes|YES)
-                git -C "$ATHENIX_DIR" branch -D "$ATHENIX_BRANCH"
-                git -C "$ATHENIX_DIR" switch -c "$ATHENIX_BRANCH"
-                ;;
-              *)
-                git -C "$ATHENIX_DIR" switch "$ATHENIX_BRANCH"
-                ;;
-            esac
-          else
-            git -C "$ATHENIX_DIR" switch -c "$ATHENIX_BRANCH"
           fi
         fi
-      fi
 
-      # --- target file + identifiers ---
-      MODE=""; FILE=""; USERNAME=""; DEVTYPE=""; HOSTKEY=""
-      case "$TARGET" in
-        user=*)
-          MODE="user"
-          USERNAME="''${TARGET#user=}"
-          [ -n "$USERNAME" ] || die "user=<username>: username missing"
-          FILE="$ATHENIX_DIR/users.nix"
-          ;;
-        system=*)
-          MODE="system"
-          RHS="''${TARGET#system=}"
-          printf "%s" "$RHS" | grep -q ':' || die "system=... must be system=<device-type>:<hostkey>"
-          DEVTYPE="''${RHS%%:*}"
-          HOSTKEY="''${RHS#*:}"
-          [ -n "$DEVTYPE" ] || die "system=<device-type>:<hostkey>: device-type missing"
-          [ -n "$HOSTKEY" ] || die "system=<device-type>:<hostkey>: hostkey missing"
-          FILE="$ATHENIX_DIR/inventory.nix"
-          ;;
-      esac
-      [ -f "$FILE" ] || die "File not found: $FILE"
+        # --- target file + identifiers ---
+        MODE=""; FILE=""; USERNAME=""; DEVTYPE=""; HOSTKEY=""
+        case "$TARGET" in
+          user=*)
+            MODE="user"
+            USERNAME="''${TARGET#user=}"
+            [ -n "$USERNAME" ] || die "user=<username>: username missing"
+            FILE="$ATHENIX_DIR/users.nix"
+            ;;
+          system=*)
+            MODE="system"
+            RHS="''${TARGET#system=}"
+            printf "%s" "$RHS" | grep -q ':' || die "system=... must be system=<device-type>:<hostkey>"
+            DEVTYPE="''${RHS%%:*}"
+            HOSTKEY="''${RHS#*:}"
+            [ -n "$DEVTYPE" ] || die "system=<device-type>:<hostkey>: device-type missing"
+            [ -n "$HOSTKEY" ] || die "system=<device-type>:<hostkey>: hostkey missing"
+            FILE="$ATHENIX_DIR/inventory.nix"
+            ;;
+        esac
+        [ -f "$FILE" ] || die "File not found: $FILE"
 
-      # --- push default based on existing entry url in the target file ---
-      EXISTING_URL=""
-      ENTRY_EXISTS=0
-      if [ "$MODE" = "user" ]; then
-        EXISTING_URL="$(extract_existing_fetch_url user "$FILE" "$USERNAME" "" "false")"
-        [ -n "$EXISTING_URL" ] && ENTRY_EXISTS=1 || true
-      else
-        FULL="$(derive_full_hostname "$DEVTYPE" "$HOSTKEY")"
-        EXISTING_URL="$(extract_existing_fetch_url system "$FILE" "" "$HOSTKEY")"
-        if [ -n "$EXISTING_URL" ]; then
-          ENTRY_EXISTS=1
-        elif [ "$FULL" != "$HOSTKEY" ]; then
-          EXISTING_URL="$(extract_existing_fetch_url system "$FILE" "" "$FULL")"
+        # --- push default based on existing entry url in the target file ---
+        EXISTING_URL=""
+        ENTRY_EXISTS=0
+        if [ "$MODE" = "user" ]; then
+          EXISTING_URL="$(extract_existing_fetch_url user "$FILE" "$USERNAME" "" "false")"
           [ -n "$EXISTING_URL" ] && ENTRY_EXISTS=1 || true
-        fi
-      fi
-
-      if [ "$PUSH_SET" -eq 0 ]; then
-        if [ "$ENTRY_EXISTS" -eq 1 ] && is_remote_url "$EXISTING_URL"; then
-          DO_PUSH=1
         else
-          DO_PUSH=0
-          [ "$MODE_FORCE" = "remote" ] && DO_PUSH=1 || true
+          FULL="$(derive_full_hostname "$DEVTYPE" "$HOSTKEY")"
+          EXISTING_URL="$(extract_existing_fetch_url system "$FILE" "" "$HOSTKEY")"
+          if [ -n "$EXISTING_URL" ]; then
+            ENTRY_EXISTS=1
+          elif [ "$FULL" != "$HOSTKEY" ]; then
+            EXISTING_URL="$(extract_existing_fetch_url system "$FILE" "" "$FULL")"
+            [ -n "$EXISTING_URL" ] && ENTRY_EXISTS=1 || true
+          fi
         fi
-      fi
-      if [ "$MODE_FORCE" = "local" ] && [ "$PUSH_SET" -eq 0 ]; then
-        DO_PUSH=0
-      fi
 
-      # --- if current repo dirty, prompt ---
-      if [ -n "$(git status --porcelain)" ]; then
-        warn "This branch has untracked or uncommitted changes. Would you like to add, commit''${DO_PUSH:+, and push}? [y/N] "
-        read -r ans || true
-        case "''${ans:-N}" in
-          y|Y|yes|YES)
-            git add -A
-            if ! git diff --cached --quiet; then
-              if [ -n "$COMMIT_MSG" ]; then git commit -m "$COMMIT_MSG"; else git commit; fi
-            else
-              warn "No staged changes to commit."
-            fi
-            ;;
-          *) warn "Proceeding without committing. (rev will be last committed HEAD.)" ;;
-        esac
-      fi
-
-      # --- push current repo if requested ---
-      PUSH_REMOTE_URL=""
-      if [ "$DO_PUSH" -eq 1 ]; then
-        if [ -n "$PUSH_SPEC" ]; then
-          if printf "%s" "$PUSH_SPEC" | grep -q '='; then
-            REM_NAME="''${PUSH_SPEC%%=*}"
-            REM_URL="''${PUSH_SPEC#*=}"
-            [ -n "$REM_NAME" ] || die "--push remote-name=URL: remote-name missing"
-            [ -n "$REM_URL" ] || die "--push remote-name=URL: URL missing"
-            if git remote get-url "$REM_NAME" >/dev/null 2>&1; then
-              git remote set-url "$REM_NAME" "$REM_URL"
-            else
-              git remote add "$REM_NAME" "$REM_URL"
-            fi
-            git push -u "$REM_NAME" "$CUR_BRANCH"
-            PUSH_REMOTE_URL="$REM_URL"
+        if [ "$PUSH_SET" -eq 0 ]; then
+          if [ "$ENTRY_EXISTS" -eq 1 ] && is_remote_url "$EXISTING_URL"; then
+            DO_PUSH=1
           else
-            REM_NAME="$PUSH_SPEC"
-            git push -u "$REM_NAME" "$CUR_BRANCH"
-            PUSH_REMOTE_URL="$(git remote get-url "$REM_NAME")"
+            DO_PUSH=0
+            [ "$MODE_FORCE" = "remote" ] && DO_PUSH=1 || true
           fi
-        else
-          if ! git rev-parse --abbrev-ref --symbolic-full-name @{u} >/dev/null 2>&1; then
-            die "No upstream is set. Set a default upstream with \"git branch -u <remote>/<remote_branch_name>\""
-          fi
-          git push
-          UPSTREAM_REMOTE="$(git rev-parse --abbrev-ref --symbolic-full-name @{u} | cut -d/ -f1)"
-          PUSH_REMOTE_URL="$(git remote get-url "$UPSTREAM_REMOTE")"
         fi
-      fi
+        if [ "$MODE_FORCE" = "local" ] && [ "$PUSH_SET" -eq 0 ]; then
+          DO_PUSH=0
+        fi
 
-      CUR_REV="$(git -C "$CUR_REPO_ROOT" rev-parse HEAD)"
+        # --- if current repo dirty, prompt ---
+        if [ -n "$(git status --porcelain)" ]; then
+          warn "This branch has untracked or uncommitted changes. Would you like to add, commit''${DO_PUSH:+, and push}? [y/N] "
+          read -r ans || true
+          case "''${ans:-N}" in
+            y|Y|yes|YES)
+              git add -A
+              if ! git diff --cached --quiet; then
+                if [ -n "$COMMIT_MSG" ]; then git commit -m "$COMMIT_MSG"; else git commit; fi
+              else
+                warn "No staged changes to commit."
+              fi
+              ;;
+            *) warn "Proceeding without committing. (rev will be last committed HEAD.)" ;;
+          esac
+        fi
 
-      # --- choose URL to write into fetchGit ---
-      if [ "$MODE_FORCE" = "local" ]; then
-        FETCH_URL="file://$CUR_REPO_ROOT"
-      elif [ "$MODE_FORCE" = "remote" ]; then
+        # --- push current repo if requested ---
+        PUSH_REMOTE_URL=""
         if [ "$DO_PUSH" -eq 1 ]; then
-          FETCH_URL="$PUSH_REMOTE_URL"
-        elif [ "$ENTRY_EXISTS" -eq 1 ] && [ -n "$EXISTING_URL" ] && is_remote_url "$EXISTING_URL"; then
-          FETCH_URL="$EXISTING_URL"
-        else
-          CUR_ORIGIN="$(git remote get-url origin 2>/dev/null || true)"
-          [ -n "$CUR_ORIGIN" ] && is_remote_url "$CUR_ORIGIN" || die "--make-remote requires a remote url (set origin or use -p remote=URL)"
-          FETCH_URL="$CUR_ORIGIN"
+          if [ -n "$PUSH_SPEC" ]; then
+            if printf "%s" "$PUSH_SPEC" | grep -q '='; then
+              REM_NAME="''${PUSH_SPEC%%=*}"
+              REM_URL="''${PUSH_SPEC#*=}"
+              [ -n "$REM_NAME" ] || die "--push remote-name=URL: remote-name missing"
+              [ -n "$REM_URL" ] || die "--push remote-name=URL: URL missing"
+              if git remote get-url "$REM_NAME" >/dev/null 2>&1; then
+                git remote set-url "$REM_NAME" "$REM_URL"
+              else
+                git remote add "$REM_NAME" "$REM_URL"
+              fi
+              git push -u "$REM_NAME" "$CUR_BRANCH"
+              PUSH_REMOTE_URL="$REM_URL"
+            else
+              REM_NAME="$PUSH_SPEC"
+              git push -u "$REM_NAME" "$CUR_BRANCH"
+              PUSH_REMOTE_URL="$(git remote get-url "$REM_NAME")"
+            fi
+          else
+            if ! git rev-parse --abbrev-ref --symbolic-full-name @{u} >/dev/null 2>&1; then
+              die "No upstream is set. Set a default upstream with \"git branch -u <remote>/<remote_branch_name>\""
+            fi
+            git push
+            UPSTREAM_REMOTE="$(git rev-parse --abbrev-ref --symbolic-full-name @{u} | cut -d/ -f1)"
+            PUSH_REMOTE_URL="$(git remote get-url "$UPSTREAM_REMOTE")"
+          fi
         fi
-      else
-        if [ "$DO_PUSH" -eq 1 ]; then FETCH_URL="$PUSH_REMOTE_URL"; else FETCH_URL="file://$CUR_REPO_ROOT"; fi
-      fi
 
-      # --- rewrite users.nix or inventory.nix ---
-      python3 - "$MODE" "$FILE" "$FETCH_URL" "$CUR_REV" "$USERNAME" "$DEVTYPE" "$HOSTKEY" <<'PY'
-      import sys, re, pathlib
+        CUR_REV="$(git -C "$CUR_REPO_ROOT" rev-parse HEAD)"
 
-      mode = sys.argv[1]
-      path = pathlib.Path(sys.argv[2])
-      fetch_url = sys.argv[3]
-      rev = sys.argv[4]
-      username = sys.argv[5]
-      devtype = sys.argv[6]
-      hostkey = sys.argv[7]
-      text = path.read_text()
+        # --- choose URL to write into fetchGit ---
+        if [ "$MODE_FORCE" = "local" ]; then
+          FETCH_URL="file://$CUR_REPO_ROOT"
+        elif [ "$MODE_FORCE" = "remote" ]; then
+          if [ "$DO_PUSH" -eq 1 ]; then
+            FETCH_URL="$PUSH_REMOTE_URL"
+          elif [ "$ENTRY_EXISTS" -eq 1 ] && [ -n "$EXISTING_URL" ] && is_remote_url "$EXISTING_URL"; then
+            FETCH_URL="$EXISTING_URL"
+          else
+            CUR_ORIGIN="$(git remote get-url origin 2>/dev/null || true)"
+            [ -n "$CUR_ORIGIN" ] && is_remote_url "$CUR_ORIGIN" || die "--make-remote requires a remote url (set origin or use -p remote=URL)"
+            FETCH_URL="$CUR_ORIGIN"
+          fi
+        else
+          if [ "$DO_PUSH" -eq 1 ]; then FETCH_URL="$PUSH_REMOTE_URL"; else FETCH_URL="file://$CUR_REPO_ROOT"; fi
+        fi
 
-      def find_matching_brace(s: str, start: int) -> int:
-          depth = 0
-          i = start
-          in_str = False
-          while i < len(s):
-              ch = s[i]
-              if in_str:
-                  if ch == '\\':
-                      i += 2
-                      continue
-                  if ch == '"':
-                      in_str = False
-                  i += 1
-                  continue
-              if ch == '"':
-                  in_str = True
-                  i += 1
-                  continue
-              if ch == '{':
-                  depth += 1
-              elif ch == '}':
-                  depth -= 1
-                  if depth == 0:
-                      return i
-              i += 1
-          raise ValueError("Could not find matching '}'")
+        # --- rewrite users.nix or inventory.nix ---
+        python3 - "$MODE" "$FILE" "$FETCH_URL" "$CUR_REV" "$USERNAME" "$DEVTYPE" "$HOSTKEY" <<'PY'
+        import sys, re, pathlib
 
-      def mk_fetch(entry_indent: str) -> str:
-        # entry_indent is indentation for the whole `"key" = <here>;` line.
-        # The attrset contents should be indented one level deeper.
-        inner = entry_indent + "  "
-        return (
-            'builtins.fetchGit {\n'
-            f'{inner}url = "{fetch_url}";\n'
-            f'{inner}rev = "{rev}";\n'
-            f'{inner}submodules = true;\n'
-            f'{entry_indent}}}'
-        )
+        mode = sys.argv[1]
+        path = pathlib.Path(sys.argv[2])
+        fetch_url = sys.argv[3]
+        rev = sys.argv[4]
+        username = sys.argv[5]
+        devtype = sys.argv[6]
+        hostkey = sys.argv[7]
+        text = path.read_text()
 
-      def full_hostname(devtype: str, hostkey: str) -> str:
-          if hostkey.startswith(devtype) or "-" in hostkey:
-              return hostkey
-          if hostkey.isdigit():
-              return f"{devtype}{hostkey}"
-          return f"{devtype}-{hostkey}"
+        def find_matching_brace(s: str, start: int) -> int:
+            depth = 0
+            i = start
+            in_str = False
+            while i < len(s):
+                ch = s[i]
+                if in_str:
+                    if ch == '\\':
+                        i += 2
+                        continue
+                    if ch == '"':
+                        in_str = False
+                    i += 1
+                    continue
+                if ch == '"':
+                    in_str = True
+                    i += 1
+                    continue
+                if ch == '{':
+                    depth += 1
+                elif ch == '}':
+                    depth -= 1
+                    if depth == 0:
+                        return i
+                i += 1
+            raise ValueError("Could not find matching '}'")
 
-      def update_user(t: str) -> str:
-          mblock = re.search(r"(?s)athenix\.users\s*=\s*\{(.*?)\n\s*\};", t)
-          if not mblock:
-              raise SystemExit("error: could not locate `athenix.users = { ... };` block")
-
-          # locate the full span of the users block to edit inside it
-          # (re-find with groups for reconstruction)
-          m2 = re.search(r"(?s)(athenix\.users\s*=\s*\{)(.*?)(\n\s*\};)", t)
-          head, body, tail = m2.group(1), m2.group(2), m2.group(3)
-
-          entry_re = re.search(
-              r"(?s)(\n[ \t]*" + re.escape(username) + r"\.external\s*=\s*)builtins\.fetchGit\s*\{",
-              body
+        def mk_fetch(entry_indent: str) -> str:
+          # entry_indent is indentation for the whole `"key" = <here>;` line.
+          # The attrset contents should be indented one level deeper.
+          inner = entry_indent + "  "
+          return (
+              'builtins.fetchGit {\n'
+              f'{inner}url = "{fetch_url}";\n'
+              f'{inner}rev = "{rev}";\n'
+              f'{inner}submodules = true;\n'
+              f'{entry_indent}}}'
           )
-          if entry_re:
-              brace = body.rfind("{", 0, entry_re.end())
-              end = find_matching_brace(body, brace)
-              semi = re.match(r"\s*;", body[end+1:])
-              if not semi:
-                  raise SystemExit("error: expected ';' after fetchGit attrset")
-              semi_end = end + 1 + semi.end()
 
-              line_start = body.rfind("\n", 0, entry_re.start()) + 1
-              indent = re.match(r"[ \t]*", body[line_start:entry_re.start()]).group(0)
+        def full_hostname(devtype: str, hostkey: str) -> str:
+            if hostkey.startswith(devtype) or "-" in hostkey:
+                return hostkey
+            if hostkey.isdigit():
+                return f"{devtype}{hostkey}"
+            return f"{devtype}-{hostkey}"
 
-              new_body = body[:entry_re.start()] + entry_re.group(1) + mk_fetch(indent) + ";" + body[semi_end:]
-          else:
-              indent = "    "
-              new_body = body + f"\n{indent}{username}.external = {mk_fetch(indent)};\n"
+        def update_user(t: str) -> str:
+            mblock = re.search(r"(?s)athenix\.users\s*=\s*\{(.*?)\n\s*\};", t)
+            if not mblock:
+                raise SystemExit("error: could not locate `athenix.users = { ... };` block")
 
-          return t[:m2.start()] + head + new_body + tail + t[m2.end():]
+            # locate the full span of the users block to edit inside it
+            # (re-find with groups for reconstruction)
+            m2 = re.search(r"(?s)(athenix\.users\s*=\s*\{)(.*?)(\n\s*\};)", t)
+            head, body, tail = m2.group(1), m2.group(2), m2.group(3)
 
-      def update_system(t: str) -> str:
-          # Find devtype block robustly: start-of-file or newline.
-          m = re.search(r"(?s)(^|\n)[ \t]*" + re.escape(devtype) + r"\s*=\s*\{", t)
-          if not m:
-              raise SystemExit(f"error: could not locate `{devtype} = {{ ... }};` block")
-
-          dev_open = t.find("{", m.end() - 1)
-          dev_close = find_matching_brace(t, dev_open)
-          dev = t[dev_open:dev_close+1]
-
-          # Find devices attrset inside dev
-          dm = re.search(r"(?s)(^|\n)[ \t]*devices\s*=\s*\{", dev)
-          if not dm:
-              raise SystemExit(f"error: could not locate `devices = {{ ... }};` inside `{devtype}`")
-
-          devices_open = dev.find("{", dm.end() - 1)
-          devices_close = find_matching_brace(dev, devices_open)
-          devices = dev[devices_open:devices_close+1]
-
-          # indentation for entries in devices
-          # find indent of the 'devices' line, then add 2 spaces
-
-          candidates = [hostkey, full_hostname(devtype, hostkey)]
-          seen = set()
-          candidates = [c for c in candidates if not (c in seen or seen.add(c))]
-
-          for key in candidates:
-              entry = re.search(
-                r'(?s)\n([ ]*)"' + re.escape(key) + r'"\s*=\s*builtins\.fetchGit\s*\{',
-                devices
-              )
-              if entry:
-                entry_indent = entry.group(1)
-
-                # find the '{' we matched
-                brace = devices.find("{", entry.end() - 1)
-                end = find_matching_brace(devices, brace)
-
-                semi = re.match(r"\s*;", devices[end+1:])
+            entry_re = re.search(
+                r"(?s)(\n[ \t]*" + re.escape(username) + r"\.external\s*=\s*)builtins\.fetchGit\s*\{",
+                body
+            )
+            if entry_re:
+                brace = body.rfind("{", 0, entry_re.end())
+                end = find_matching_brace(body, brace)
+                semi = re.match(r"\s*;", body[end+1:])
                 if not semi:
-                    raise SystemExit("error: expected ';' after fetchGit attrset in devices")
+                    raise SystemExit("error: expected ';' after fetchGit attrset")
                 semi_end = end + 1 + semi.end()
 
-                # Reconstruct the prefix: newline + indent + "key" = 
-                prefix = f'\n{entry_indent}"{key}" = '
+                line_start = body.rfind("\n", 0, entry_re.start()) + 1
+                indent = re.match(r"[ \t]*", body[line_start:entry_re.start()]).group(0)
 
-                new_devices = (
-                    devices[:entry.start()]
-                    + prefix
-                    + mk_fetch(entry_indent)
-                    + ";"
-                    + devices[semi_end:]
+                new_body = body[:entry_re.start()] + entry_re.group(1) + mk_fetch(indent) + ";" + body[semi_end:]
+            else:
+                indent = "    "
+                new_body = body + f"\n{indent}{username}.external = {mk_fetch(indent)};\n"
+
+            return t[:m2.start()] + head + new_body + tail + t[m2.end():]
+
+        def update_system(t: str) -> str:
+            # Find devtype block robustly: start-of-file or newline.
+            m = re.search(r"(?s)(^|\n)[ \t]*" + re.escape(devtype) + r"\s*=\s*\{", t)
+            if not m:
+                raise SystemExit(f"error: could not locate `{devtype} = {{ ... }};` block")
+
+            dev_open = t.find("{", m.end() - 1)
+            dev_close = find_matching_brace(t, dev_open)
+            dev = t[dev_open:dev_close+1]
+
+            # Find devices attrset inside dev
+            dm = re.search(r"(?s)(^|\n)[ \t]*devices\s*=\s*\{", dev)
+            if not dm:
+                raise SystemExit(f"error: could not locate `devices = {{ ... }};` inside `{devtype}`")
+
+            devices_open = dev.find("{", dm.end() - 1)
+            devices_close = find_matching_brace(dev, devices_open)
+            devices = dev[devices_open:devices_close+1]
+
+            # indentation for entries in devices
+            # find indent of the 'devices' line, then add 2 spaces
+
+            candidates = [hostkey, full_hostname(devtype, hostkey)]
+            seen = set()
+            candidates = [c for c in candidates if not (c in seen or seen.add(c))]
+
+            for key in candidates:
+                entry = re.search(
+                  r'(?s)\n([ ]*)"' + re.escape(key) + r'"\s*=\s*builtins\.fetchGit\s*\{',
+                  devices
                 )
-                new_dev = dev[:devices_open] + new_devices + dev[devices_close+1:]
+                if entry:
+                  entry_indent = entry.group(1)
 
-                return t[:dev_open] + new_dev + t[dev_close+1:]
+                  # find the '{' we matched
+                  brace = devices.find("{", entry.end() - 1)
+                  end = find_matching_brace(devices, brace)
 
-          # Not found: append into devices (exact hostkey)
-          # Indent for new entries: take indent of the closing '}' of devices, add 2 spaces.
-          close_line_start = devices.rfind("\n", 0, len(devices)-1) + 1
-          close_indent = re.match(r"[ ]*", devices[close_line_start:]).group(0)
-          entry_indent = close_indent + "  "
+                  semi = re.match(r"\s*;", devices[end+1:])
+                  if not semi:
+                      raise SystemExit("error: expected ';' after fetchGit attrset in devices")
+                  semi_end = end + 1 + semi.end()
 
-          insertion = f'\n{entry_indent}"{hostkey}" = {mk_fetch(entry_indent)};\n'
-          new_devices = devices[:-1].rstrip() + insertion + close_indent + "}"
-          new_dev = dev[:devices_open] + new_devices + dev[devices_close+1:]
-          return t[:dev_open] + new_dev + t[dev_close+1:]
+                  # Reconstruct the prefix: newline + indent + "key" = 
+                  prefix = f'\n{entry_indent}"{key}" = '
 
-      if mode == "user":
-          out = update_user(text)
-      elif mode == "system":
-          out = update_system(text)
-      else:
-          raise SystemExit("error: unknown mode")
+                  new_devices = (
+                      devices[:entry.start()]
+                      + prefix
+                      + mk_fetch(entry_indent)
+                      + ";"
+                      + devices[semi_end:]
+                  )
+                  new_dev = dev[:devices_open] + new_devices + dev[devices_close+1:]
 
-      path.write_text(out)
-      PY
+                  return t[:dev_open] + new_dev + t[dev_close+1:]
 
-      cd $ATHENIX_DIR
-      nix fmt **/*.nix
-      cd $CUR_REPO_ROOT
+            # Not found: append into devices (exact hostkey)
+            # Indent for new entries: take indent of the closing '}' of devices, add 2 spaces.
+            close_line_start = devices.rfind("\n", 0, len(devices)-1) + 1
+            close_indent = re.match(r"[ ]*", devices[close_line_start:]).group(0)
+            entry_indent = close_indent + "  "
 
-      printf "updated %s\n" "$FILE" >&2
-      printf "  url = %s\n" "$FETCH_URL" >&2
-      printf "  rev = %s\n" "$CUR_REV" >&2
-    '')
-  ];
+            insertion = f'\n{entry_indent}"{hostkey}" = {mk_fetch(entry_indent)};\n'
+            new_devices = devices[:-1].rstrip() + insertion + close_indent + "}"
+            new_dev = dev[:devices_open] + new_devices + dev[devices_close+1:]
+            return t[:dev_open] + new_dev + t[dev_close+1:]
+
+        if mode == "user":
+            out = update_user(text)
+        elif mode == "system":
+            out = update_system(text)
+        else:
+            raise SystemExit("error: unknown mode")
+
+        path.write_text(out)
+        PY
+
+        cd $ATHENIX_DIR
+        nix fmt **/*.nix
+        cd $CUR_REPO_ROOT
+
+        printf "updated %s\n" "$FILE" >&2
+        printf "  url = %s\n" "$FETCH_URL" >&2
+        printf "  rev = %s\n" "$CUR_REV" >&2
+      '')
+    ];
   };
 }