mirror of
https://github.com/ryantm/agenix.git
synced 2024-12-22 23:58:29 +03:00
age-encrypted secrets for NixOS
modules | ||
pkgs | ||
age.sh | ||
default.nix | ||
example.yaml | ||
flake.lock | ||
flake.nix | ||
LICENSE | ||
README.md |
agenix
age-encrypted secrets for NixOS.
Features
- Secrets are encrypted with SSH keys
** system public keys via
ssh-keyscan
** can use public keys available on GitHub for users (for example, https://github.com/ryantm.keys) - No GPG
- Very little code, so it should be easy for you to audit
Installation
Choose one of the following methods:
niv (Current recommendation)
First add it to niv:
$ niv add ryantm/agenix
Than add the following to your configuration.nix in the imports
list:
{
imports = [ "${(import ./nix/sources.nix).agenix}/modules/age" ];
}
nix-channel
As root run:
$ nix-channel --add https://github.com/ryantm/agenix/archive/master.tar.gz agenix
$ nix-channel --update
Than add the following to your configuration.nix in the imports
list:
{
imports = [ <agenix/modules/age> ];
}
fetchTarball
Add the following to your configuration.nix:
{
imports = [ "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/master.tar.gz"}/modules/age" ];
}
or with pinning:
{
imports = let
# replace this with an actual commit id or tag
commit = "298b235f664f925b433614dc33380f0662adfc3f";
in [
"${builtins.fetchTarball {
url = "https://github.com/ryantm/agenix/archive/${commit}.tar.gz";
# replace this with an actual hash
sha256 = "0000000000000000000000000000000000000000000000000000";
}}/modules/age"
];
}
Flakes
{
inputs.agenix.url = "github:ryantm/agenix";
# optional, not necessary for the module
#inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, agenix }: {
# change `yourhostname` to your actual hostname
nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
# change to your system:
system = "x86_64-linux";
modules = [
./configuration.nix
agenix.nixosModules.age
];
};
};
}