Agenix

From NixOS Wiki
Revision as of 11:02, 29 December 2022 by imported>Onny (Add more information to configure section)

agenix is a command-line tool for managing secrets encrypted with your existing SSH keys. The project also includes the NixOS module age, which adds the encrypted secrets to the Nix store and decrypts them on the target system.

Installation

The following example describes an installation via Flakes. For further installation methods see the upstream documentation.

{
  inputs.agenix.url = "github:ryantm/agenix";
  # optional, not necessary for the module
  #inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";

  outputs = inputs@{ self, nixpkgs, agenix }: {
    nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      # expose the flake inputs to modules as the `inputs` argument,
      # so configuration.nix can reference inputs.agenix
      specialArgs = { inherit inputs; };
      modules = [
        ./configuration.nix
        agenix.nixosModule
      ];
    };
  };
}

Change yourhostname to your actual hostname and x86_64-linux to your system architecture.

After that, the agenix client application can be installed like this:

{ config, pkgs, lib, inputs, ... }:{
  environment.systemPackages = [
    # `system` is not a module argument; take it from pkgs instead
    inputs.agenix.defaultPackage.${pkgs.system}
  ];
}

Configuration

First create a directory where the secrets are going to be stored. In this example we create the directory secrets inside the NixOS system configuration path /etc/nixos:

# mkdir /etc/nixos/secrets

Inside the secrets directory we create a secrets.nix file, which tells the agenix client which public keys (of users and of systems) each secret is encrypted for:

/etc/nixos/secrets/secrets.nix
let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  users = [ user1 ];

  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
  systems = [ system1 ];
in
{
  "secret1.age".publicKeys = [ user1 system1 ];
}

SSH public keys for a specific user or system can be generated with ssh-keygen; see this page for more information.
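As an added example (not from the wiki page or the agenix project), this is the configuration.nix side that consumes the secret1.age declared in secrets.nix above via the age module; the service name myservice and its user are hypothetical:

```nix
# Added example: consuming a secret from /etc/nixos/secrets with the age module.
# Assumes /etc/nixos/configuration.nix and the secrets.nix rules shown above,
# with the host's SSH host key listed as a recipient of secret1.age.
{ config, pkgs, ... }:
{
  # Private keys the module decrypts with at activation time. This is the
  # default; it is spelled out here to show why system1 must be a recipient.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.secret1 = {
    # The ciphertext is copied into the world-readable Nix store; only the
    # decrypted copy (placed under /run/agenix by default) is sensitive, so
    # restrict it to the user that needs it.
    file = ./secrets/secret1.age;
    owner = "myservice";   # hypothetical service account
    group = "myservice";
    mode = "0400";
  };

  users.users.myservice = {
    isSystemUser = true;
    group = "myservice";
  };
  users.groups.myservice = { };

  # Hand the unit the *path* of the decrypted file, never its contents:
  # interpolating the plaintext into a string would write it to the store.
  systemd.services.myservice = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "myservice";
      Group = "myservice";
      # systemd copies the file into $CREDENTIALS_DIRECTORY for the unit
      LoadCredential = "token:${config.age.secrets.secret1.path}";
    };
    # hypothetical consumer that reads the credential at runtime
    script = ''
      exec ${pkgs.coreutils}/bin/cat "$CREDENTIALS_DIRECTORY/token" > /dev/null
    '';
  };
}
```

Encrypt the plaintext with the agenix client from the secrets directory (agenix -e secret1.age) after adding its rule to secrets.nix; when a key is added to or removed from a rule, re-encrypt with agenix -r so the ciphertext matches the new recipient list.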