Open diogox opened 1 month ago
@diogox If you want to do this, I would look into removing the nix-secrets input and rely instead on agenix directly. nix-secrets is just creating and managing what is essentially the config file for running agenix commands. You'll run agenix commands when you want to create or edit a secret.

What steps to take?

1. agenix is already imported as part of the template, so no need to import anything else.
2. Create a secrets.nix file in the root of your nix configuration that looks like this: https://github.com/dustinlyons/nix-secrets-example/blob/main/secrets.nix
3. Create a key you want to use to encrypt/decrypt. Stick it here: Users/${user}/.ssh/id_ed25519
4. Specify the public key in your secrets.nix file. This will tell agenix to use this key for encrypting, when running commands like this: https://github.com/dustinlyons/nix-secrets-example
5. Ensure the path is correct for telling agenix which key to decrypt with, and configure which secrets you want: https://github.com/dustinlyons/nixos-config/blob/main/modules/darwin/secrets.nix
6. Run commands to encrypt your secrets that get added to the Nix Store: https://github.com/dustinlyons/nix-secrets-example

Note, these "secrets" end up being files in the Nix Store, and a symlink is created at the path you specify.

More information on agenix: https://github.com/ryantm/agenix?tab=readme-ov-file#installation
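The steps above, put together as one agenix module for a config that keeps its encrypted `.age` files in the same repo (an added example, not code from dustinlyons/nixos-config or nix-secrets-example). It assumes a `secrets.nix` at the repo root that grants your public key access to the listed files, a `secrets/` directory beside it, and the placeholder login name `diogox`.

```nix
# Added example. Assumes a secrets.nix at the repo root such as:
#   { "github-ssh-key.age".publicKeys = [ "ssh-ed25519 AAAA... placeholder" ]; }
# Encrypt or edit a secret from the repo root with:  agenix -e secrets/github-ssh-key.age
{ config, pkgs, ... }:

let
  user = "diogox";               # placeholder: your login name
  home = "/Users/${user}";       # macOS layout; /home/${user} on NixOS
in
{
  # The private key agenix decrypts with during activation. It lives on the
  # machine only; the matching public key goes into secrets.nix.
  age.identityPaths = [ "${home}/.ssh/id_ed25519" ];

  # Each entry pairs a committed .age file (it is copied, still encrypted,
  # into the Nix store) with where the decrypted copy is placed.
  age.secrets = {
    github-ssh-key = {
      file = ./secrets/github-ssh-key.age;
      path = "${home}/.ssh/id_github";
      mode = "600";              # private key: owner read/write only
      owner = user;
      symlink = false;           # write a real file rather than a link into the agenix runtime dir
    };
    github-ssh-key-pub = {
      file = ./secrets/github-ssh-key.pub.age;
      path = "${home}/.ssh/id_github.pub";
      mode = "644";
      owner = user;
      symlink = false;
    };
  };
}
```

Only the encrypted `.age` files are committed; the decrypting private key never enters the repo or the store, which is what keeps the self-contained config safe to push.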
Any way to have an encrypted secrets folder instead of having it in a remote repo? I'd like to have the config be self-contained, encrypted ssh keys included and all 🙏