mirror of
https://github.com/ryantm/agenix.git
synced 2024-11-23 10:10:47 +03:00
657789137c
* use mmdoc * add github pages action to auto publish * do not edit README for now, will follow up with a commit directs people to the doc site
5 lines
596 B
Markdown
5 lines
596 B
Markdown
# Problem and solution {#problem-and-solution}
|
|
|
|
All files in the Nix store are readable by any system user, so it is not a suitable place for including cleartext secrets. Many existing tools (like NixOps deployment.keys) deploy secrets separately from `nixos-rebuild`, making deployment, caching, and auditing more difficult. Out-of-band secret management is also less reproducible.
|
|
|
|
`agenix` solves these issues by using your pre-existing SSH key infrastructure and `age` to encrypt secrets into the Nix store. Secrets are decrypted using an SSH host private key during NixOS system activation.
|