I use agenix for managing some secrets on my nixos-configs. Agenix deploys the unencrypted secrets in the live system, so the secrets cannot be accesed when evaluating the nixos config.

Do you know any way or hack to have secrets inside of nix expressions?

It would be great if that solution would be pure and compatible with nix flakes.

Thanks :)

  • rycee@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    The only way I know of for this is to use something like git-crypt. You can, for example, have a secrets.nix file that is encrypted in the repo but unencrypted when you do a checkout. This is trivially compatible with Nix Flakes since the file of secrets actually is in plain text on your system.

  • Atemu@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Question is whether you want that because that’d likely embed the secret into the .drv files.

    What do you need that for?