blu/quincy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
quincy/secrets/secrets.nix
Brandon Lucas 5a52b3c159 Add agenix secrets management 
Phase 3: Encrypted secrets

- Add secrets module with agenix integration
- Create secrets/secrets.nix template for key definitions
- Installer generates SSH key if missing
- Installer creates personalized secrets.nix with user's key
- Full documentation in docs/SECRETS.md

Features:
- Secrets encrypted with age using SSH keys
- Decrypted automatically at system activation
- Safe to commit .age files to git
- Support for WiFi passwords, API keys, service credentials

Usage:
  agenix -e secrets/my-secret.age
  age.secrets.my-secret.file = ./secrets/my-secret.age;

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-15 02:56:25 -05:00

42 lines
1.2 KiB
Nix
Raw Permalink Blame History

# Secrets configuration for agenix
#
# This file defines which public keys can decrypt each secret.
# Secrets are encrypted with `agenix -e <secret>.age`
#
# To set up:
# 1. Get your user's SSH public key: cat ~/.ssh/id_ed25519.pub
# 2. Get the host's SSH public key: ssh-keyscan localhost 2>/dev/null | grep ed25519
# 3. Add keys below and run: agenix -e <secret>.age
let
# User SSH public keys (for encrypting secrets on your machine)
# Example: user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host";
# Host SSH public keys (for decrypting on target machines)
# Get with: ssh-keyscan <hostname> | grep ed25519
# Example: host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
# Define your keys here:
# user = "ssh-ed25519 AAAAC3...";
# host = "ssh-ed25519 AAAAC3...";
# For testing/example, use an empty list (secrets won't be encryptable)
allKeys = [
# user
# host
];
in {
# Example secrets - uncomment and add keys above to use:
# WiFi password for specific network
# "wifi-home.age".publicKeys = allKeys;
# API keys
# "github-token.age".publicKeys = allKeys;
# "openai-api-key.age".publicKeys = allKeys;
# Application secrets
# "syncthing-key.age".publicKeys = allKeys;
# "mullvad-account.age".publicKeys = allKeys;
}
Reference in New Issue View Git Blame Copy Permalink