From f0259cfb96b572cd311d1774b60b007c104d0f1f Mon Sep 17 00:00:00 2001
From: Yisroel Baum
Date: Sat, 9 May 2026 22:17:15 +0300
Subject: [PATCH 1/3] point sops at age key file sops-nix's default identity discovery imports the host's SSH ed25519 key as an age identity, but secrets/tide.yaml is encrypted to the age key generated with age-keygen and stored at /var/lib/sops-nix/key.txt. Without sops.age.keyFile pointing at that path, activation fails with 'Error getting data key: 0 successful groups required, got 0'. Also blank the SSH/GPG fallback paths so the module never silently picks up an unintended identity.
---
 tide.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tide.nix b/tide.nix
index fac2eba..da5fd4e 100644
--- a/tide.nix
+++ b/tide.nix
@@ -20,6 +20,14 @@
 # the file is absent, which is the right place for that failure.
 sops.validateSopsFiles = false;
+ # Use the host's age key generated with age-keygen, not the
+ # SSH-host-key-derived identity sops-nix falls back to by default.
+ # The encrypted file's recipient is the public key paired with
+ # this private key.
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.sshKeyPaths = [ ];
+ sops.gnupg.sshKeyPaths = [ ];
+
 sops.secrets."tide-env" = {
 sopsFile = ./secrets/tide.yaml;
 # phpfpm reads this via EnvironmentFile, which runs as root
From a4c735ec17ca499782f70bb124d80b0f168516d5 Mon Sep 17 00:00:00 2001
From: Yisroel Baum
Date: Sat, 9 May 2026 22:21:39 +0300
Subject: [PATCH 2/3] add direnv to use flake
---
 .envrc | 1 +
 .gitignore | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 .envrc
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..8392d15
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index b629ca6..2718357 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *~
-result
\ No newline at end of file
+result
+/.direnv/
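Review bot: With both fallback lists blanked, a host that does not yet have /var/lib/sops-nix/key.txt has no identity at all, so the activation error quoted in the commit message simply recurs on a fresh machine, and `sops.validateSopsFiles = false` just above has already turned off the other early check, so nothing catches this before activation. The new comment should state how the key file gets there and what it pairs with: that it is provisioned out of band and never committed, that it must be readable only by root, and which public recipient secrets/tide.yaml is encrypted to, so a mismatch can be spotted without a decrypt attempt. For example, extend the comment with `# Provisioned out of band (root-only, never committed).` and `# Pairs with recipient age1<PUBLIC-KEY-PLACEHOLDER> used for secrets/tide.yaml.`. The enclosing attribute set starts and ends outside the hunk.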
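Review bot: The new .envrc ends without a trailing newline (`\ No newline at end of file`), while the .gitignore hunk in the same commit fixes exactly that defect on `result`; end the file with a newline so the next edit does not show a spurious change on this line. Nothing else to raise here: direnv still requires an explicit `direnv allow` before it evaluates `use flake`, so committing the file does not by itself run the flake on clone.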
From 1e8d26bc6e4f054c69cea71274ae87c7583f31c4 Mon Sep 17 00:00:00 2001
From: Yisroel Baum
Date: Sat, 9 May 2026 22:21:53 +0300
Subject: [PATCH 3/3] set useAcmehost to null
---
 tide.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tide.nix b/tide.nix
index da5fd4e..80f5fdd 100644
--- a/tide.nix
+++ b/tide.nix
@@ -11,7 +11,7 @@
 # Reuse the wildcard cert already issued for *.${domainName}
 # in configuration.nix instead of requesting a new one per
 # subdomain.
-nginx.useACMEHost = domainName;
+nginx.useACMEHost = null;
 };
 # Don't fail evaluation when secrets/tide.yaml is missing (e.g.
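Review bot: The three context comment lines above `nginx.useACMEHost = null;` still say the wildcard cert from configuration.nix is reused, which the new value no longer does, so the comment now contradicts the code. Replace it with what null means for this virtual host — whether a per-host certificate is requested instead, or the host is served without one — and with the reason for dropping the wildcard, which the commit title does not give. How the option treats null is not visible in this hunk, so that reading is inferred; if the host stays reachable over TLS, confirm some other setting still supplies its certificate. The enclosing attribute set begins outside the hunk.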