Jump to content

Agenix: Difference between revisions

From NixOS Wiki
← Older edit
VisualWikitext
Pigs (talk | contribs)
259 edits
m Choose a Public/Private Key: link to ssh pages
Layer-09 (talk | contribs)
174 edits
m Translate tags
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[https://github.com/ryantm/agenix agenix] is a commandline tool for managing secrets in your Nix configuration, encrypted with your existing SSH keys. The project also includes the NixOS module age for adding encrypted secrets into the Nix store and decrypting them.
<languages/>


== Installation ==
<translate>
<!--T:1-->
<strong>[https://github.com/ryantm/agenix Agenix]</strong><ref name="agenix">Ryan Mulligan and contributors, "agenix", GitHub Repository, Accessed October 2025. https://github.com/ryantm/agenix</ref> is a command-line tool for managing secrets in Nix configurations. It relies on existing SSH key pairs and integrates with the [https://age-encryption.org/ age] encryption tool to protect secrets while they reside in the Nix store and during system activation.<ref name="age">Filippo Valsorda and collaborators, "age", Official Website, Accessed October 2025. https://age-encryption.org/</ref><ref name="agenix-readme">Ryan Mulligan and contributors, "agenix README", GitHub Repository, Accessed October 2025. https://github.com/ryantm/agenix/blob/main/README.md</ref>


The following example describes an installation via [[Flakes]]. For further installation methods see the [https://github.com/ryantm/agenix upstream documentation].
== Features == <!--T:2-->


<!--T:3-->
* <strong>SSH-based encryption workflow:</strong> The `agenix` CLI encrypts raw secret files with user and host SSH public keys, allowing decryption wherever the matching private keys are present.<ref name="agenix-readme" />
* <strong>Reproducible storage model:</strong> Encrypted `.age` files can live in version control, enter the Nix store, and are decrypted during system activation to paths such as <code>/run/agenix</code>.<ref name="agenix-readme" />
* <strong>Declarative module support:</strong> NixOS and Home Manager modules ship with the project, so secrets can be imported, decrypted, and exposed declaratively alongside other configuration.<ref name="agenix-readme" />
* <strong>Minimal dependency footprint:</strong> Agenix depends on the `age` tool rather than GnuPG and intentionally omits templating features, keeping the code base small and auditable.<ref name="agenix-readme" /><ref name="comparison">NixOS Wiki Community, "Comparison of secret managing schemes", NixOS Wiki, Accessed October 2025. https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes</ref>
== Installation == <!--T:4-->
<!--T:5-->
The following example describes installing [https://github.com/ryantm/agenix Agenix] with [[Flakes]].<ref name="agenix" /> For additional installation methods, consult the README.<ref name="agenix-readme" />
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
Line 22: Line 35:
}
}
</syntaxhighlight>
</syntaxhighlight>
<translate>
<!--T:6-->
Replace <code>yourhostname</code> with the actual host name and <code>x86_64-linux</code> with the relevant system architecture.


Change <code>yourhostname</code> to your actual hostname and <code>x86_64-linux</code> to your system architecture.
<!--T:7-->
 
After adding the input, install the <code>agenix</code> client application with:
After that installing the agenix client application can be achieved like this
</translate>
 
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{ config, pkgs, lib, inputs, ... }:{
{ config, pkgs, lib, inputs, ... }:{
Line 34: Line 49:
}
}
</syntaxhighlight>
</syntaxhighlight>
<translate>
== Configuration == <!--T:8-->


== Configuration ==
=== Choose a public/private key === <!--T:9-->
 
=== Choose a Public/Private Key ===


First, we have to decide which [[SSH public key authentication|SSH public key]] to use to encrypt the secrets. (The private key will be used to decrypt the secrets when loading the NixOS configuration.)
<!--T:10-->
Decide which [[SSH public key authentication|SSH public key]] should encrypt the secrets. The corresponding private key decrypts the secrets when rebuilding the system.


Assuming that you have [[SSH]] already installed on your NixOS server (with i.e. <code>services.openssh.enable = true;</code>), you will already have two different SSH keypairs that are intended to be used by the system itself, located at:
<!--T:11-->
If you deploy the configuration as the root user, the host key pairs generated by [[SSH]] are already available at:


<!--T:12-->
* <code>/etc/ssh/ssh_host_rsa_key</code> / <code>/etc/ssh/ssh_host_rsa_key.pub</code>
* <code>/etc/ssh/ssh_host_rsa_key</code> / <code>/etc/ssh/ssh_host_rsa_key.pub</code>
* <code>/etc/ssh/ssh_host_ed25519_key</code> / <code>/etc/ssh/ssh_host_ed25519_key.pub</code>
* <code>/etc/ssh/ssh_host_ed25519_key</code> / <code>/etc/ssh/ssh_host_ed25519_key.pub</code>


If you load your NixOS config using the root user, then you can use these public keys to encrypt your secrets.
<!--T:13-->
 
For deployments triggered by another user, create a dedicated key pair with <code>ssh-keygen</code>. Such keys typically reside at:
However, if you load your NixOS config using some other user, then you will have to use <code>ssh-keygen</code> to generate a keypair for that user, which typically lives in:


<!--T:14-->
* <code>~/.ssh/id_rsa</code> / <code>~/.ssh/id_rsa.pub</code>
* <code>~/.ssh/id_rsa</code> / <code>~/.ssh/id_rsa.pub</code>
* <code>~/.ssh/id_ed25519</code> / <code>~/.ssh/id_ed25519.pub</code>
* <code>~/.ssh/id_ed25519</code> / <code>~/.ssh/id_ed25519.pub</code>


For more information, see [[SSH_public_key_authentication|the SSH public key authentication page]].
<!--T:15-->
Refer to [[SSH public key authentication]] for more information.


=== Create the Secrets ===
=== Create the secrets === <!--T:16-->
 
Next, create a directory where secrets are going to be stored. In this example we are creating the directory <code>secrets</code> inside the NixOS system configuration path <code>/etc/nixos</code>


<!--T:17-->
Create a directory that stores encrypted secrets. For example:
</translate>
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# mkdir /etc/nixos/secrets
# mkdir /etc/nixos/secrets
</syntaxhighlight>
</syntaxhighlight>
 
<translate>
Inside the secrets directory we create a <code>secrets.nix</code> file which will be used by the agenix client as a rule file to encrypt secrets for specific users and parts of the system. The following example configures access to secrets stored in <code>secret1.age</code> for the SSH public keys of <code>user1</code> and <code>system1</code>.
<!--T:18-->
 
Inside the secrets directory, create a <code>secrets.nix</code> file that defines the encryption rules. The following example gives <code>user1</code> and <code>system1</code> access to <code>secret1.age</code>:
</translate>
{{file|/etc/nixos/secrets/secrets.nix|nix|<nowiki>
{{file|/etc/nixos/secrets/secrets.nix|nix|<nowiki>
let
let
Line 77: Line 98:
}
}
</nowiki>}}
</nowiki>}}
<translate>
== Usage == <!--T:19-->


== Usage ==
<!--T:20-->
 
Create a secret file and encrypt it by running:
Creating a secret file, which contents will be encrypted
</translate>
 
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# cd /etc/nixos/secrets
# cd /etc/nixos/secrets
# agenix -e secret1.age
# agenix -e secret1.age
</syntaxhighlight>
</syntaxhighlight>
<translate>
<!--T:21-->
The <code>agenix</code> command opens the default terminal editor. Enter the secret (for example, <code>password123</code>) and save the file. The <code>secret1.age</code> filename is defined in <code>secrets.nix</code>, allowing <code>agenix</code> to select the correct SSH keys.<ref name="agenix-readme" />


The agenix command will open your default terminal editor. Write in your secret, for example <code>password123</code>.
<!--T:22-->
 
To reference the secret inside a NixOS module, use a configuration similar to the following example:
The filename <code>secret1.age</code> is specified above in the agenix <code>secrets.nix</code> configuration. So agenix will know which keys to use for a specific user or system.
</translate>
 
To use and reference the secret inside your Nix configuration, an example would look like this
 
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
age.secrets.nextcloud = {
age.secrets.nextcloud = {
Line 106: Line 128:
};
};
</syntaxhighlight>
</syntaxhighlight>
<translate>
<!--T:23-->
In this case, the [[Nextcloud]] service reads its administrator password from the age-encrypted file, preventing the secret from appearing in the world-readable Nix store.<ref name="agenix-readme" />


Here, the service [[Nextcloud]] requires a password for the administrator account. In this case, the password is stored in an age-encrypted file, so no plaintext passwords will be copied into your world-readable Nix-store. We configure <code>owner</code> and <code>group</code> names to <code>nextcloud</code> so that the webservice has the permissions to read the password file.
<!--T:24-->
 
Secrets can also be deployed as files with specific permissions:<ref name="agenix-readme" />
Secrets can be also deployed as file with specific permissions to a target path. In this example the secret is sourced to <code>/home/myuser/.netrc</code> and permissions are set that only <code>myuser</code> is able to read and write the file.
</translate>
 
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
age.secrets = {
age.secrets = {
Line 122: Line 146:
};
};
</syntaxhighlight>
</syntaxhighlight>
<translate>
== Tips and tricks == <!--T:25-->


== Tips and tricks ==
=== Replace in-place strings with secrets === <!--T:26-->
 
=== Replace inplace strings with secrets ===
 
Considering that there still might be some modules which doesn't support reading secrets from a file, you could provide a placeholder string instead of a clear-text password and replace this placeholder with the secret provided by Agenix.
 
In the following example, the Dex module creates the config file <code>/run/dex/config.yaml</code> containing the placeholder string <code>@dex-user-password@</code>. The activation script will read the Agenix secret from <code>config.age.secret.dex-user-password.path</code> and replace the placeholder string with the actual secret.


<!--T:27-->
Some modules do not yet support reading secrets from a file. Provide a placeholder string and replace it during activation.
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
system.activationScripts."dex-user-secret" = ''
system.activationScripts."dex-user-secret" = ''
Line 138: Line 161:
'';
'';
</syntaxhighlight>
</syntaxhighlight>
<translate>
=== Access secrets inside a container === <!--T:28-->


=== Access secrets inside container ===
<!--T:29-->
 
Expose secrets to a container by binding the decrypted file into the container filesystem:
Using the option <code>bindMounts</code> for an example container named <code>mycontainer</code> will provide the secret file inside the container as <code>/run/agenix/mysecret</code>:
</translate>
 
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
containers.mycontainer.bindMounts."${config.agenix.secrets.mysecret.path}".isReadOnly = true;
containers.mycontainer.bindMounts."${config.agenix.secrets.mysecret.path}".isReadOnly = true;
</syntaxhighlight>
</syntaxhighlight>
 
<translate>
Another option would be to to use the agenix-module in the nixos-container. This also allows to set the secret-owner to the users inside the container. But it is also necessary to provide the ssh-private-key to the container in order for agenix to decrypt the secret (or generate a own for the container).
<!--T:30-->
 
Another option is to import <code>agenix.nixosModules.default</code> directly inside the container and supply the required private key:
</translate>
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{ agenix, ... }: {
{ agenix, ... }: {
   containers."mycontainer" = {
   containers."mycontainer" = {
     # pass the private key to the container for agenix to decrypt the secret
     # pass the private key to the container for agenix to decrypt the secret
     bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
     bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;


     config = { config, lib, pkgs, ... }: {
     config = { config, lib, pkgs, ... }: {
      imports = [ agenix.nixosModules.default ];


      imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container
       age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
       age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically for some reason


      # import the secret
       age.secrets."mysecret" = {
       age.secrets."mysecret" = {
         file = ../secrets/mysecret.age;
         file = ../secrets/mysecret.age;
         owner = "myuser";
         owner = "myuser";
       };
       };
      # use the secret like you normally would with config.age.secrets."mysecret".path
     };
     };
   };
   };
}
}
</syntaxhighlight>
</syntaxhighlight>
<translate>
=== Use secrets in the initrd === <!--T:31-->


=== Using secrets in initrd ===
<!--T:32-->
 
Agenix provisions secrets during system activation, so they are unavailable while building the initrd. As a workaround, create the secret as a static file outside <code>/run/agenix</code> and reference it from <code>/etc/initrd-hostkey</code>.
Unfortunately this doesn't work because Agenix sets up secrets during system activation stage but initrd is being built before that. As [https://github.com/ryantm/agenix/issues/193 a workaround] we could create the secret as a static file outside of <code>/run/agenix</code> and reference the secret at <code>/etc/initrd-hostkey</code>.
</translate>
 
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
age.secrets.hostkey-initrd = {
age.secrets.hostkey-initrd = {
Line 188: Line 208:
boot.initrd.network.ssh.hostKeys = [ "/etc/initrd-hostkey" ];
boot.initrd.network.ssh.hostKeys = [ "/etc/initrd-hostkey" ];
</syntaxhighlight>
</syntaxhighlight>
<translate>
<!--T:33-->
Rebuild the system twice and reference <code>/etc/initrd-hostkey</code> only after the file exists.


For this workaround you'll have to rebuild twice and reference the secret <code>/etc/initrd-hostkey</code> only after the file is created.
=== Agenix with Impermanence === <!--T:34-->


=== Agenix with Impermanence ===
<!--T:35-->
Systems that use [[Impermanence]] may regenerate host keys on each boot. Point <code>age.identityPaths</code> to the persistent locations of those keys:
</translate>
If your system is configured to be [[Impermanence|impermanent]], then it's possible the system's ssh keys won't yet be available during boot to decrypt secrets. The solution is to manually set <code>age.identityPaths</code> to the persistent paths of your keys.
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
# Direct path to persistent location of system ssh keys
age.identityPaths = [
age.identityPaths = [
   "/persist/etc/ssh/ssh_host_ed25519_key"
   "/persist/etc/ssh/ssh_host_ed25519_key"
   "/persist/etc/ssh/ssh_host_rsa_key"
   "/persist/etc/ssh/ssh_host_rsa_key"
];
</syntaxhighlight>
<translate>
== See also == <!--T:36-->


];
<!--T:37-->
* [[Comparison of secret managing schemes]] – Overview of alternative secret management approaches
* [https://age-encryption.org/ age] – Encryption tool that underpins Agenix secrets<ref name="age" />
* [[Home Manager]] – Declarative per-user configuration that can consume Agenix-managed secrets


</syntaxhighlight>
== References == <!--T:38-->


== See also ==
<references />
* [[Comparison of secret managing schemes]]


[[Category:Applications]]
[[Category:Applications]]
[[Category:Security]]
[[Category:Security]]
</translate>

Latest revision as of 05:26, 18 October 2025


Agenix[1] is a command-line tool for managing secrets in Nix configurations. It relies on existing SSH key pairs and integrates with the age encryption tool to protect secrets while they reside in the Nix store and during system activation.[2][3]

Features

  • SSH-based encryption workflow: The `agenix` CLI encrypts raw secret files with user and host SSH public keys, allowing decryption wherever the matching private keys are present.[3]
  • Reproducible storage model: Encrypted `.age` files can live in version control, enter the Nix store, and are decrypted during system activation to paths such as /run/agenix.[3]
  • Declarative module support: NixOS and Home Manager modules ship with the project, so secrets can be imported, decrypted, and exposed declaratively alongside other configuration.[3]
  • Minimal dependency footprint: Agenix depends on the `age` tool rather than GnuPG and intentionally omits templating features, keeping the code base small and auditable.[3][4]

Installation

The following example describes installing Agenix with Flakes.[1] For additional installation methods, consult the README.[3] 

{
  inputs.agenix.url = "github:ryantm/agenix";
  # optional, not necessary for the module
  #inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";

  outputs = { self, nixpkgs, agenix }: {
    nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        agenix.nixosModules.default
      ];
    };
  };
}

Replace yourhostname with the actual host name and x86_64-linux with the relevant system architecture.

After adding the input, install the agenix client application with: 

{ config, pkgs, lib, inputs, ... }:{
  environment.systemPackages = [
    inputs.agenix.packages."${system}".default
  ];
}

Configuration

Choose a public/private key

Decide which SSH public key should encrypt the secrets. The corresponding private key decrypts the secrets when rebuilding the system.

If you deploy the configuration as the root user, the host key pairs generated by SSH are already available at:

  • /etc/ssh/ssh_host_rsa_key / /etc/ssh/ssh_host_rsa_key.pub
  • /etc/ssh/ssh_host_ed25519_key / /etc/ssh/ssh_host_ed25519_key.pub

For deployments triggered by another user, create a dedicated key pair with ssh-keygen. Such keys typically reside at:

  • ~/.ssh/id_rsa / ~/.ssh/id_rsa.pub
  • ~/.ssh/id_ed25519 / ~/.ssh/id_ed25519.pub

Refer to SSH public key authentication for more information.

Create the secrets

Create a directory that stores encrypted secrets. For example: 

# mkdir /etc/nixos/secrets

Inside the secrets directory, create a secrets.nix file that defines the encryption rules. The following example gives user1 and system1 access to secret1.age:

❄︎ /etc/nixos/secrets/secrets.nix
let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  users = [ user1 ];

  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
  systems = [ system1 ];
in
{
  "secret1.age".publicKeys = [ user1 system1 ];
}

Usage

Create a secret file and encrypt it by running: 

# cd /etc/nixos/secrets
# agenix -e secret1.age

The agenix command opens the default terminal editor. Enter the secret (for example, password123) and save the file. The secret1.age filename is defined in secrets.nix, allowing agenix to select the correct SSH keys.[3]

To reference the secret inside a NixOS module, use a configuration similar to the following example: 

age.secrets.nextcloud = {
  file = ./secrets/secret1.age;
  owner = "nextcloud";
  group = "nextcloud";
};
services.nextcloud = {
  enable = true;
  package = pkgs.nextcloud28;
  hostName = "localhost";
  config.adminpassFile = config.age.secrets.nextcloud.path;
};

In this case, the Nextcloud service reads its administrator password from the age-encrypted file, preventing the secret from appearing in the world-readable Nix store.[3]

Secrets can also be deployed as files with specific permissions:[3] 

age.secrets = {
  netrc = {
    file = ./secrets/netrc.age;
    path = "/home/myuser/.netrc";
    owner = "myuser";
    group = "users";
    mode = "600";
  };
};

Tips and tricks

Replace in-place strings with secrets

Some modules do not yet support reading secrets from a file. Provide a placeholder string and replace it during activation. 

system.activationScripts."dex-user-secret" = ''
  secret=$(cat "${config.age.secrets.dex-user-password.path}")
  configFile=/run/dex/config.yaml
  ${pkgs.gnused}/bin/sed -i "s#@dex-user-password@#$secret#" "$configFile"
'';

Access secrets inside a container

Expose secrets to a container by binding the decrypted file into the container filesystem: 

containers.mycontainer.bindMounts."${config.agenix.secrets.mysecret.path}".isReadOnly = true;

Another option is to import agenix.nixosModules.default directly inside the container and supply the required private key: 

{ agenix, ... }: {
  containers."mycontainer" = {
    # pass the private key to the container for agenix to decrypt the secret
    bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;

    config = { config, lib, pkgs, ... }: {
      imports = [ agenix.nixosModules.default ];

      age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

      age.secrets."mysecret" = {
        file = ../secrets/mysecret.age;
        owner = "myuser";
      };
    };
  };
}

Use secrets in the initrd

Agenix provisions secrets during system activation, so they are unavailable while building the initrd. As a workaround, create the secret as a static file outside /run/agenix and reference it from /etc/initrd-hostkey. 

age.secrets.hostkey-initrd = {
  file = "${paths.agenix}/hostkey-initrd.age";
  path = "/etc/initrd-hostkey";
  symlink = false;
};

boot.initrd.network.ssh.hostKeys = [ "/etc/initrd-hostkey" ];

Rebuild the system twice and reference /etc/initrd-hostkey only after the file exists.

Agenix with Impermanence

Systems that use Impermanence may regenerate host keys on each boot. Point age.identityPaths to the persistent locations of those keys: 

age.identityPaths = [
  "/persist/etc/ssh/ssh_host_ed25519_key"
  "/persist/etc/ssh/ssh_host_rsa_key"
];

See also

References

  1. 1.0 1.1 Ryan Mulligan and contributors, "agenix", GitHub Repository, Accessed October 2025. https://github.com/ryantm/agenix
  2. 2.0 2.1 Filippo Valsorda and collaborators, "age", Official Website, Accessed October 2025. https://age-encryption.org/
  3. 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 Ryan Mulligan and contributors, "agenix README", GitHub Repository, Accessed October 2025. https://github.com/ryantm/agenix/blob/main/README.md
  4. NixOS Wiki Community, "Comparison of secret managing schemes", NixOS Wiki, Accessed October 2025. https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes
Retrieved from "https://wiki.nixos.org/w/index.php?title=Agenix&oldid=27807"