agenix-rekey

This is an extension for agenix that removes the need to maintain a secrets.nix file by automatically re-encrypting secrets where needed. It also lets you define versatile generators for secrets, so they can be bootstrapped automatically. It can be used alongside regular use of agenix.

Please also refer to the upstream installation section and usage guide for information on how to access the wrapper utility in a devshell and how to set up your hosts to make use of agenix-rekey.

Installation

To use these options, add to your flake inputs:

agenix-rekey.url = "github:oddlama/agenix-rekey";

and inside the mkFlake:

imports = [
  inputs.agenix-rekey.flakeModule
];

Run nix flake lock and you're set.

Options

flake.agenix-rekey

The agenix-rekey apps specific to your flake. They are used by the agenix wrapper script and can also be run manually with nix run .#agenix-rekey.$system.<app>.

Type: lazy attribute set of lazy attribute set of package (read only)

Default: "Automatically filled by agenix-rekey"

Declared by:

perSystem.agenix-rekey.package

The agenix-rekey wrapper script, agenix. We recommend adding it to your devshell so you can run it easily. By using the package provided here, you can skip adding the overlay to your pkgs. Alternatively, you can pass it to your flake outputs (apps or packages).

Type: package (read only)

Default: "<agenix script derivation from agenix-rekey>"

Declared by:

perSystem.agenix-rekey.agePackage

The rage package to use. This determines the age implementation used for encrypting and decrypting secrets. Defaults to pkgs.rage. Compatibility is only guaranteed with pkgs.age and pkgs.rage.

Type: package

Default: pkgs.rage

Declared by:

perSystem.agenix-rekey.collectHomeManagerConfigurations

Whether to collect Home Manager configurations automatically from the specified NixOS configurations.

Type: boolean

Default: true

Declared by:

perSystem.agenix-rekey.homeConfigurations

All Home Manager configurations that should be considered for rekeying.

Type: lazy attribute set of unspecified value

Default: { }

Declared by:

perSystem.agenix-rekey.nixosConfigurations

All nixosSystems that should be considered for rekeying.

Type: lazy attribute set of unspecified value

Default: self.nixosConfigurations

Declared by:

perSystem.agenix-rekey.pkgs

The package set to use when defining agenix-rekey scripts.

Type: unspecified value

Default: pkgs # (module argument)

Declared by:
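The following flake.nix ties the Installation steps and the perSystem options above together. It is an added example, not code from the agenix-rekey project: the host name myhost, the module path ./hosts/myhost/configuration.nix, the systems list and the choice of pkgs.age over the default pkgs.rage are all assumptions made for illustration.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
    agenix.url = "github:ryantm/agenix";
    agenix-rekey.url = "github:oddlama/agenix-rekey";
  };

  outputs = inputs@{ flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      # Systems for which perSystem (and thus the agenix wrapper) is evaluated.
      systems = [ "x86_64-linux" "aarch64-linux" ];

      # Step 2 of the Installation section: import the flake module.
      imports = [
        inputs.agenix-rekey.flakeModule
      ];

      # Hypothetical host; name and module path are assumptions for this example.
      flake.nixosConfigurations.myhost = inputs.nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          inputs.agenix.nixosModules.default
          inputs.agenix-rekey.nixosModules.default
          ./hosts/myhost/configuration.nix
        ];
      };

      perSystem = { config, pkgs, ... }: {
        agenix-rekey = {
          # Hosts considered for rekeying. This matches the default
          # (self.nixosConfigurations) and is spelled out only to show the option.
          nixosConfigurations = {
            inherit (inputs.self.nixosConfigurations) myhost;
          };

          # Also pick up Home Manager configurations found in those hosts (the default).
          collectHomeManagerConfigurations = true;

          # Use age instead of the default rage; only pkgs.age and pkgs.rage
          # are guaranteed to be compatible.
          agePackage = pkgs.age;
        };

        # Expose the wrapper script in the devshell so that `nix develop`
        # provides the `agenix` command without adding the overlay to pkgs.
        devShells.default = pkgs.mkShell {
          packages = [
            config.agenix-rekey.package
          ];
        };
      };
    };
}
```

After nix flake lock, nix develop gives you the agenix wrapper in the shell, and the per-flake apps remain reachable as nix run .#agenix-rekey.x86_64-linux.<app> for the systems listed above.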