agenix uses age (a utility + standard) that encrypts secrets using ssh key.
This simplifies secrets management quite a bit compared to GPG (my attempts for
which have failed so far).
Changes included:
- Encrypt all current keys (mail, backups) using age, configured via
agenix
- All encrypted keys are committed to git repo and decrypted during boot
- None of the keys are used anywhere just yet. They will replace file
paths in future commit after testing
- Decrypted keys are available after boot under user name with read-only
permissions at default agenix location (as of this commit)
- The Nix variable path is provided by agenix and can be used instead of
having to recreate
- multiple keys can be specified for single key, but for now I am only
using one
For now, the code is dirty and can definitely use improvements. It is just at a
place where it is all working right now.
TODO: Get age + agenix in environment packages available at runtime in NixOS
Links:
- https://github.com/ryantm/agenix
- https://github.com/hlissner/dotfiles