From 438abe536b3a271cec31a48ca64ee4180c8aa1b3 Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Thu, 18 Dec 2025 22:06:36 +0200
Subject: [PATCH 1/2] Improve age key guidance in build pre-flight checks

---
 deploy/build.sh | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/deploy/build.sh b/deploy/build.sh
index 5509dbb..e5fbdde 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -31,24 +31,38 @@ check_age_setup() {
     return
   fi
   require_cmd sops
+  local repo_age_key="$PWD/creds/age-key.txt"
   if [[ ! -f "$AGE_KEY_FILE" ]]; then
     echo "Age key file not found at $AGE_KEY_FILE. Copy creds/age-key.txt or set SOPS_AGE_KEY_FILE." >&2
     exit 1
   fi
+  local has_key="0"
   if command -v age-keygen >/dev/null 2>&1; then
-    if ! age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
-      echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
-      echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
-      exit 1
+    if age-keygen -y "$AGE_KEY_FILE" 2>/dev/null | grep -q "$AGE_RECIPIENT"; then
+      has_key="1"
     fi
   else
     # Fallback: best-effort text check for the public key comment
-    if ! grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
-      echo "Age key file at $AGE_KEY_FILE is missing the expected public key comment ($AGE_RECIPIENT)." >&2
-      echo "Install age-keygen to verify keys or copy creds/age-key.txt." >&2
-      exit 1
+    if grep -q "$AGE_RECIPIENT" "$AGE_KEY_FILE"; then
+      has_key="1"
     fi
   fi
+
+  if [[ "$has_key" != "1" ]]; then
+    echo "Age key file at $AGE_KEY_FILE does not contain the expected public key ($AGE_RECIPIENT)." >&2
+    if [[ -f "$repo_age_key" ]] && grep -q "$AGE_RECIPIENT" "$repo_age_key"; then
+      cat >&2 <> "$AGE_KEY_FILE"
+Or set: SOPS_AGE_KEY_FILE="$repo_age_key"
+EOF
+    else
+      echo "Ensure your ~/.config/age/keys.txt includes the repo key (see creds/age-key.txt)." >&2
+    fi
+    exit 1
+  fi
 }
 
 echo "Running pre-flight checks..."
-- 
2.45.3
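Review bot: When `age-keygen -y "$AGE_KEY_FILE"` itself fails (unreadable file, malformed identity, an age-keygen that does not support `-y`) its stderr is sent to /dev/null and the user is told the file "does not contain the expected public key", which points them at the wrong fix; capture the tool's output instead, `pub=$(age-keygen -y "$AGE_KEY_FILE" 2>&1)`, and print `$pub` with the diagnostic when it does not match, so a tool error is distinguishable from a missing identity. The `grep -q "$AGE_RECIPIENT"` calls (here and on `$repo_age_key`) pass a literal as a regex; `grep -qF -- "$AGE_RECIPIENT"` is the tidier form even though the current recipient has no metacharacters. Both the fallback branch and the `repo_age_key` hint only establish that the recipient string occurs somewhere in the file, typically in a `# public key:` comment, not that the matching private identity is present, so the hint can still steer the user to a file that cannot decrypt; a comment next to the fallback such as `# text match only proves the comment exists; age-keygen -y is the authoritative check` would make that limit explicit. The heredoc body between `cat >&2` and `Or set:` is not legible in this rendering, and check_age_setup begins before the hunk.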
From 22240e5080dc12fdeb7d8d7c31af7e1ad4453cc1 Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Thu, 18 Dec 2025 22:14:55 +0200
Subject: [PATCH 2/2] Fail fast if sops keys cannot decrypt secrets

---
 deploy/build.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/deploy/build.sh b/deploy/build.sh
index e5fbdde..a04292f 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -6,6 +6,7 @@ source deploy/env.sh
 
 AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/age/keys.txt}"
 AGE_RECIPIENT="age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+ENCRYPTED_SECRETS_FILE="${ENCRYPTED_SECRETS_FILE:-$PWD/creds/secrets.enc.env}"
 
 require_cmd() {
   local cmd="$1"
@@ -63,6 +64,15 @@ EOF
     fi
     exit 1
   fi
+
+  export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$AGE_KEY_FILE}"
+  if [[ -f "$ENCRYPTED_SECRETS_FILE" ]]; then
+    if ! sops -d "$ENCRYPTED_SECRETS_FILE" >/dev/null 2>&1; then
+      echo "sops could not decrypt $ENCRYPTED_SECRETS_FILE with the configured keys." >&2
+      echo "Export SOPS_AGE_KEY_FILE to point at the correct key (e.g., creds/age-key.txt)." >&2
+      exit 1
+    fi
+  fi
 }
 
 echo "Running pre-flight checks..."
-- 
2.45.3
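Review bot: `sops -d "$ENCRYPTED_SECRETS_FILE" >/dev/null 2>&1` discards sops's own error, so a MAC mismatch, a file whose metadata lacks this recipient, or an unrelated sops failure all surface as "could not decrypt with the configured keys", the only cause the message names; capturing stderr while still dropping the plaintext, `err=$(sops -d "$ENCRYPTED_SECRETS_FILE" 2>&1 >/dev/null)` followed by `printf '%s\n' "$err" >&2` in the failure branch, keeps the fail-fast and shows the real reason without the decrypted secrets ever leaving the null sink. When `$ENCRYPTED_SECRETS_FILE` does not exist the block passes silently, and because the default in the first hunk is built from `$PWD`, a build started from any directory other than the repo root skips the decryption check entirely; an `else` branch with `printf 'warning: %s not found, skipping decrypt check\n' "$ENCRYPTED_SECRETS_FILE" >&2` would make that visible. check_age_setup begins before this hunk.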