agenix-rekey
This is an extension for agenix which allows you to get rid of maintaining a secrets.nix file by automatically re-encrypting secrets where needed. It also allows you to define versatile generators for secrets, so they can be bootstrapped automatically. This can be used alongside regular use of agenix.
Please also refer to the upstream installation section and usage guide for information on how to access the wrapper utility in a devshell and how to set up your hosts to make use of agenix-rekey.
Installation
To use these options, add to your flake inputs:
  agenix-rekey.url = "github:oddlama/agenix-rekey";
and inside the mkFlake:
  imports = [
    inputs.agenix-rekey.flakeModule
  ];
Run nix flake lock and you're set.
Options
flake.agenix-rekey
The agenix-rekey apps specific to your flake. Used by the agenix wrapper script, and can be run manually using nix run .#agenix-rekey.$system.<app>.
Type: lazy attribute set of lazy attribute set of package (read only)
Default: "Automatically filled by agenix-rekey"
perSystem.agenix-rekey.package
The agenix-rekey wrapper script agenix. We recommend adding this to your devshell so you can execute it easily. By using the package provided here, you can skip adding the overlay to your pkgs. Alternatively you can also pass it to your flake outputs (apps or packages).
Type: package (read only)
Default: "<agenix script derivation from agenix-rekey>"
perSystem.agenix-rekey.agePackage
The age implementation to use for encrypting and decrypting secrets. Defaults to pkgs.rage. Only pkgs.age and pkgs.rage are guaranteed to be compatible.
Type: package
Default: pkgs.rage
perSystem.agenix-rekey.nodes
All nixosSystems that should be considered for rekeying.
Type: lazy attribute set of unspecified value
Default: self.nixosConfigurations
perSystem.agenix-rekey.pkgs
The package set to use when defining agenix-rekey scripts.
Type: unspecified value
Default: pkgs (module argument)
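A complete flake.nix that carries out the installation steps above and sets the perSystem.agenix-rekey options described in this section. This is an added example, not code from the agenix-rekey repository or its documentation; the nixpkgs and flake-parts input names, the "installer-" host-name filter and the devshell layout are assumptions made here.

```nix
{
  description = "Added example: agenix-rekey wired into a flake-parts mkFlake";

  inputs = {
    # Input names other than agenix-rekey are assumptions for this example.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
    agenix-rekey.url = "github:oddlama/agenix-rekey";
  };

  outputs = inputs @ { self, flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      # Installation step: load the flake-parts module that defines the
      # perSystem.agenix-rekey.* options and the flake.agenix-rekey apps.
      imports = [ inputs.agenix-rekey.flakeModule ];

      systems = [ "x86_64-linux" "aarch64-linux" ];

      # Hosts are declared here with nixpkgs.lib.nixosSystem as usual (bodies
      # omitted); the per-host agenix-rekey settings come from the upstream
      # usage guide. Left empty so this file still evaluates on its own.
      flake.nixosConfigurations = { };

      perSystem = { config, pkgs, ... }: {
        agenix-rekey = {
          # nodes defaults to self.nixosConfigurations. Override it to exclude
          # systems that carry no agenix secrets; the "installer-" prefix is an
          # assumed naming convention for this example.
          nodes = pkgs.lib.filterAttrs
            (name: _: !pkgs.lib.hasPrefix "installer-" name)
            self.nixosConfigurations;

          # Pin the age implementation used for every encrypt/decrypt. Only
          # pkgs.age and pkgs.rage are supported; pkgs.rage is the default, so
          # this line only makes the choice explicit and reviewable.
          agePackage = pkgs.rage;
        };

        # Put the wrapper script in the devshell so `agenix` is on PATH after
        # `nix develop`, without adding agenix-rekey's overlay to pkgs.
        devShells.default = pkgs.mkShell {
          packages = [ config.agenix-rekey.package ];
        };

        # Optionally expose the same script as a flake output as well.
        packages.agenix = config.agenix-rekey.package;
      };
    };
}
```

After nix flake lock, nix develop puts the agenix wrapper on PATH; the per-system apps stay reachable as nix run .#agenix-rekey.$system.<app>. Pinning agePackage explicitly is worth the extra line in a security-sensitive repo: the age implementation is what every secret is encrypted and decrypted with, so the choice should be visible in review rather than inherited silently from the default.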