Agenix
agenix is a commandline tool for managing secrets encrypted in your Nix configuration with your existing SSH keys. The project also includes the NixOS module age for adding encrypted secrets into the Nix store and decrypting them.
Installation
The following example describes an installation via Flakes. For further installation methods see the upstream documentation.
{
inputs.agenix.url = "github:ryantm/agenix";
# optional, not necessary for the module
#inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, agenix }: {
nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./configuration.nix
agenix.nixosModules.default
];
};
};
}
Change yourhostname
to your actual hostname and x86_64-linux
to your system architecture.
After that installing the agenix client application can be achieved like this
{ config, pkgs, lib, inputs, ... }:{
environment.systemPackages = [
inputs.agenix.packages."${system}".default
];
}
Configuration
First create a directory where secrets are going to be stored. In this example we're creating the directory secrets
inside the NixOS system configuration path /etc/nixos
# mkdir /etc/nixos/secrets
Inside the secrets directory we create a secrets.nix
file which will be used by the agenix client to encrypt secrets for specific users and parts of the system
/etc/nixos/secrets/secrets.nix
let
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
users = [ user1 ];
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
systems = [ system1 ];
in
{
"secret1.age".publicKeys = [ user1 system1 ];
}
SSH public keys for a specific user or system can be generated with ssh-keygen
, see this page for more information. Usually the public key of your user can be found in ~/.ssh/id_rsa.pub
and the system one in /etc/ssh/ssh_host_rsa_key.pub
.
Usage
Creating a secret file, which contents will be encrypted
# cd /etc/nixos/secrets
# agenix -e secret1.age
The agenix command will open your default terminal editor. Write in your secret, for example password123
.
The filename secret1.age
is specified above in the agenix secrets.nix
configuration. So agenix will know which keys to use for a specific user or system.
To use and reference the secret inside your Nix configuration, an example would look like this
age.secrets.nextcloud = {
file = /etc/nixos/secrets/secret1.age;
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud25;
hostName = "localhost";
config.adminpassFile = config.age.secrets.nextcloud.path;
};
Here, the service Nextcloud requires a password for the administrator account. In this case, the password is stored in an age-encrypted file, so no plaintext passwords will be copied into your world-readable Nix-store. We configure owner
and group
names to nextcloud
so that the webservice has the permissions to read the password wile.