How to handle creating, updating, and using secrets in this repository.
- agenix: https://github.com/ryantm/agenix (this flake uses ragenix as a drop-in substitute)
- Access to https://github.com/henrikvtcodes/nix-secrets repo
Set up Git-over-SSH and then run:

```sh
git submodule init && git submodule update
```
Note: all agenix operations must happen inside the `secrets` folder: `cd secrets`
Keys determine who can decrypt a given secret: each secret is assigned a Nix "set" of SSH public keys that are allowed to access it.
Warning: in order to edit or rekey a secret, a private key corresponding to one of the public keys that already has access to that secret must be present at `~/.ssh/id_ed25519` (because RSA keys are not worth using). On NixOS, make sure the system host key is part of the key set allowed to access every secret that host needs.
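As an added example (not a file from this repository), here is a `secrets.nix` that lays out the key sets described above, including the host keys the warning refers to; the key strings, host names and the second secret are constructed placeholders:

```nix
# secrets.nix (added example, not the repository's own file). The public keys
# below are constructed placeholders; replace them with real ones.
let
  # Personal key: the matching private key lives at ~/.ssh/id_ed25519 and is
  # what lets you run `agenix -e` on any secret that lists it.
  user1Key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_USER_KEY user1@laptop";
  users = [ user1Key ];

  # System host keys (/etc/ssh/ssh_host_ed25519_key.pub on each NixOS machine).
  # A host can only decrypt a secret at activation time if its key is listed here.
  server1Key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_HOST_KEY_1 root@server1";
  laptopKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_HOST_KEY_2 root@laptop";
  hosts = [ server1Key laptopKey ];

  all = users ++ hosts;
in
{
  # Needed on every machine, so every listed key may decrypt it.
  "mysecret.age".publicKeys = all;

  # Needed only on server1: keep the recipient list minimal. The personal key
  # stays in the list so the secret can still be edited and rekeyed.
  "server1-api-token.age".publicKeys = [ user1Key server1Key ];
}
```

After adding or removing a key from any list, run `agenix -r` inside `secrets` to re-encrypt the affected files for the new recipient set.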
Example name: `mysecret`

- Create the secret entry in `secrets.nix`:

  ```nix
  "mysecret.age".publicKeys = all;
  ```

- Create & encrypt the secret:

  ```sh
  agenix -e mysecret.age
  ```

- Register the secret for Nix to use in `default.nix` (the `file` option takes a path to the encrypted file, so use `./mysecret.age` rather than a string):

  ```nix
  age.secrets.mysecret.file = ./mysecret.age;
  ```

- Commit to the secrets repo & update the submodule in the main repo.

To change an existing secret later:

- Edit & re-encrypt the secret:

  ```sh
  agenix -e mysecret.age
  ```

- Commit to the secrets repo & update the submodule in the main repo.
Example: a user password

```nix
{ config, ... }:
{
  users.users.user1 = {
    isNormalUser = true;
    # .path is where agenix places the decrypted secret at activation
    # (under /run/agenix by default); the file must contain a password hash.
    # On NixOS 23.11 and later this option is named hashedPasswordFile.
    passwordFile = config.age.secrets.mysecret.path;
  };
}
```