Encrypted secrets folder

[diogox]

Any way to have an encrypted secrets folder instead of having it in a remote repo?

I'd like to have the config be self contained, encrypted ssh keys included and all 🙏

[dustinlyons]

@diogox If you want to do this, I would look into removing the nix-secrets input and rely instead on agenix directly. nix-secrets is just creating and managing what is essentially the config file for running agenix commands. You'll run agenix commands when you want to create or edit a secret.

What steps to take?

• agenix is already imported as part of the template, so no need to import anything else.

• Create a secrets.nix file in the root of your nix configuration that looks like this:
  https://github.com/dustinlyons/nix-secrets-example/blob/main/secrets.nix

• Create a key you want to use to encrypt/decrypt. Stick it here: Users/${user}/.ssh/id_ed25519

• Specify the public key in your secrets.nix file. This will tell agenix to use this key for encrypting, when running commands like this: https://github.com/dustinlyons/nix-secrets-example

• Ensure the path is correct for telling agenix which key to decrypt with, and configure which secrets you want: https://github.com/dustinlyons/nixos-config/blob/main/modules/darwin/secrets.nix

• Run commands to encrypt your secrets that get added to the Nix Store: https://github.com/dustinlyons/nix-secrets-example

Note, these "secrets" end up being files in the Nix Store, and a symlink is created at the path you specify.

More information on agenix:

https://github.com/ryantm/agenix?tab=readme-ov-file#installation