Agenix Tutorial

nix ops

published 2022-06-14 14:31

updated 2023-06-07 23:35

Need to store secrets in your nixos config gitrepo that declaritively manages everything for you? Try agenix today!

I have it in my devShell for nix-garden Otherwise run it with flakes: nix run github:ryantm/agenix -- --help


Add an entry to secrets.nix with the name of the secret and the list of keys that can decrypt it then run agenix -e <secret-name>.age to create the secret. It'll open a text editor to enter the secret value


In order to rekey secrets, you need to be able to decrypt them. You'll probably need to copy over the keys from all the various key files defined in secrets.nix then you can run with agenix installed: agenix --rekey

However, if you're running this as user, you're likely to run into errors, depending on the keys you've configured.

You could try sudo agenix --rekey -i <path-to-ssh-key> which on nixOS is generally /etc/ssh/ssh_host_ed25519_key

But what if you're decrypting keys that were never on your current machine? Things get annoying then. A possible solution could be agenix-rekey and using my yubikey. But before I commit to that I really need a second yubikey