I use agenix for managing some secrets on my nixos-configs. Agenix deploys the unencrypted secrets in the live system, so the secrets cannot be accesed when evaluating the nixos config.
Do you know any way or hack to have secrets inside of nix expressions?
It would be great if that solution would be pure and compatible with nix flakes.
Thanks :)
The only way I know of for this is to use something like git-crypt. You can, for example, have a
secrets.nix
file that is encrypted in the repo but unencrypted when you do a checkout. This is trivially compatible with Nix Flakes since the file of secrets actually is in plain text on your system.Question is whether you want that because that’d likely embed the secret into the .drv files.
What do you need that for?