Phase 3: Encrypted secrets - Add secrets module with agenix integration - Create secrets/secrets.nix template for key definitions - Installer generates SSH key if missing - Installer creates personalized secrets.nix with user's key - Full documentation in docs/SECRETS.md Features: - Secrets encrypted with age using SSH keys - Decrypted automatically at system activation - Safe to commit .age files to git - Support for WiFi passwords, API keys, service credentials Usage: agenix -e secrets/my-secret.age age.secrets.my-secret.file = ./secrets/my-secret.age; Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Secrets management with agenix
# Secrets are encrypted with age and decrypted at system activation
{
config,
lib,
pkgs,
inputs,
nomarchyConfig,
...
}: let
# Check if secrets directory exists and has secrets
secretsPath = ../../secrets;
hasSecrets = builtins.pathExists secretsPath;
in {
# Import agenix module
imports = lib.optionals hasSecrets [
inputs.agenix.nixosModules.default
];
config = lib.mkIf hasSecrets {
# Install agenix CLI for managing secrets
environment.systemPackages = [
inputs.agenix.packages.${pkgs.system}.default
];
# Configure age to use SSH host keys for decryption
age.identityPaths = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
];
# Example secrets configuration (users override in their config)
# age.secrets = {
# wifi-password = {
# file = ../../secrets/wifi-password.age;
# owner = "root";
# group = "root";
# mode = "0400";
# };
# };
};
}
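Review bot: The `age.identityPaths` list makes activation-time decryption depend on the SSH host keys, so every `.age` file must also be encrypted to the host's public key; the commit message says the installer writes a `secrets.nix` personalized with the user's key, and if that recipient list does not also contain the host key (not visible on this page), `agenix -e` will work for the user but the system will be unable to decrypt the secret at activation. A comment on the list would make the dependency explicit, e.g. `# Every secret in secrets/secrets.nix must also be encrypted to this host's public key, or activation cannot decrypt it`. Separately, `# Check if secrets directory exists and has secrets` overstates what `builtins.pathExists secretsPath` verifies — it only tests that the path exists, so an empty directory still enables the module; `# True when ../../secrets exists (it may still be empty)` is accurate. Minor: `pkgs.system` could be `pkgs.stdenv.hostPlatform.system`, and `config` and `nomarchyConfig` are taken as arguments but not used in this module.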