Need to store secrets in your NixOS config git repo that declaratively manages everything for you? Try agenix today!
I have it in my devShell for nix-garden
Otherwise run it with flakes:
nix run github:ryantm/agenix -- --help
Usage
Add an entry to secrets.nix with the name of the secret and the list of keys that can decrypt it, then run agenix -e <secret-name>.age
to create the secret. It'll open a text editor in which you enter the secret value.
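As an added example (not from the original post), this is what a small secrets.nix looks like: each entry maps an .age file name to the keys allowed to decrypt it. The public keys are constructed placeholders, and the user and host names are assumptions.

```nix
# secrets.nix (added example): the key list agenix -e / agenix --rekey reads.
# All key strings below are constructed placeholders, not real keys.
let
  # Key of the person who edits and rekeys secrets from their user account
  # (hypothetical user "alice").
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<placeholder-alice-pubkey>";

  # Host key of the machine that decrypts at activation time; on NixOS this
  # is the public half of /etc/ssh/ssh_host_ed25519_key (hypothetical host
  # "laptop").
  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<placeholder-laptop-pubkey>";

  users = [ alice ];
  hosts = [ laptop ];
in
{
  # Decryptable by the user key and the host key: alice can run
  # `agenix -e wifi-password.age` without root, and the host can read it
  # at boot.
  "wifi-password.age".publicKeys = users ++ hosts;

  # Host-only secret: no user key is listed, so editing or rekeying it
  # requires the host's private key, i.e.
  # `sudo agenix -e db-password.age -i /etc/ssh/ssh_host_ed25519_key`.
  "db-password.age".publicKeys = hosts;
}
```

The NixOS side then references the encrypted file with `age.secrets.<name>.file = ./<name>.age;`, and agenix decrypts it with the host's identity on activation.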
Rekey
In order to rekey secrets, you need to be able to decrypt them. You'll probably need to copy over the keys from all the various key files defined in secrets.nix.
Then, with agenix installed, you can run:
agenix --rekey
However, if you're running this as a regular user, you're likely to run into errors, depending on the keys you've configured.
You could try
sudo agenix --rekey -i <path-to-ssh-key>
where <path-to-ssh-key> on NixOS is generally /etc/ssh/ssh_host_ed25519_key
But what if you're decrypting keys that were never on your current machine? Things get annoying then. A possible solution could be agenix-rekey and using my YubiKey. But before I commit to that I really need a second YubiKey.