This is an extension for agenix that removes the need to maintain a secrets.nix file: instead of listing the recipients of every secret by hand, agenix-rekey automatically re-encrypts each secret for the hosts that need it, using your master identity and each host's public key. It also lets you define versatile generators for secrets, so they can be bootstrapped automatically instead of being created and pasted in by hand. This can be used alongside regular use of agenix.

Please also refer to the upstream installation section and usage guide for information on how to access the wrapper utility in a devshell and how to set up your hosts to make use of agenix-rekey.


To use these options, add to your flake inputs:

```nix
agenix-rekey.url = "github:oddlama/agenix-rekey";
```

and inside the mkFlake:

```nix
imports = [
  inputs.agenix-rekey.flakeModule
];
```

Run nix flake lock and you're set.



The agenix-rekey apps specific to your flake. Used by the agenix wrapper script, and can be run manually using nix run .#agenix-rekey.$system.<app>.

Type: lazy attribute set of lazy attribute set of package (read only)

Default: "Automatically filled by agenix-rekey"



The agenix-rekey wrapper script, agenix. We recommend adding this to your devshell so you can execute it easily. By using the package provided here, you can skip adding the overlay to your pkgs. Alternatively, you can also pass it to your flake outputs (apps or packages).

Type: package (read only)

Default: "<agenix script derivation from agenix-rekey>"



The age implementation to use for encrypting and decrypting (rage or age). Defaults to pkgs.rage. Compatibility is only guaranteed with pkgs.age and pkgs.rage; other implementations may differ in CLI flags or plugin handling.

Type: package

Default: pkgs.rage



All NixOS configurations (results of nixosSystem) that should be considered for rekeying. Hosts not listed here will not receive rekeyed secrets.

Type: lazy attribute set of unspecified value

Default: self.nixosConfigurations



The package set to use when defining agenix-rekey scripts.

Type: unspecified value

Default: pkgs # (module argument)

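A complete flake.nix that puts the installation steps and the options above together, added here as an example; it is not the project's own README snippet. The option attribute names (agenix-rekey.nodes, agenix-rekey.pkgs, agenix-rekey.agePackage and the read-only config.agenix-rekey.package) and the host-side age.rekey.* settings are assumed from the upstream flake-parts and NixOS modules and should be checked against the upstream docs for the revision you pin; the host public key and identity path are placeholders.

```nix
{
  description = "Example: agenix-rekey wired into flake-parts (added example, not upstream code)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
    agenix.url = "github:ryantm/agenix";
    agenix-rekey.url = "github:oddlama/agenix-rekey";
  };

  outputs = inputs @ {self, nixpkgs, flake-parts, ...}:
    flake-parts.lib.mkFlake {inherit inputs;} {
      systems = ["x86_64-linux" "aarch64-linux"];

      # Installation step from above: import the flake module.
      imports = [inputs.agenix-rekey.flakeModule];

      # Flake-wide: which hosts are rekeyed. Assumed option name: agenix-rekey.nodes.
      # This is the default value; set it explicitly when you want to exclude a host
      # (e.g. one whose secrets must not be rekeyed from this machine).
      agenix-rekey.nodes = self.nixosConfigurations;

      perSystem = {config, pkgs, ...}: {
        # Per-system settings. Assumed option names: agenix-rekey.pkgs / agePackage.
        agenix-rekey = {
          inherit pkgs;            # package set the wrapper scripts are built from (default)
          agePackage = pkgs.rage;  # rage (default) or pkgs.age are the supported choices
        };

        # Expose the wrapper in the devshell; no overlay needed.
        devShells.default = pkgs.mkShell {
          packages = [config.agenix-rekey.package];
        };
      };

      # One host so that agenix-rekey.nodes is non-empty. Placeholder values below.
      flake.nixosConfigurations.example = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          inputs.agenix.nixosModules.default
          inputs.agenix-rekey.nixosModules.default
          {
            networking.hostName = "example";
            age.rekey = {
              # The host's SSH host key: the only recipient of the rekeyed secrets.
              hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...placeholder root@example";
              # Your master age identity. Keep it outside the repository; only its
              # public half ever needs to be shared.
              masterIdentities = ["/home/me/.age/master.age"];
            };
            # A secret encrypted to the master identity; agenix-rekey re-encrypts it
            # for hostPubkey so the host never needs the master key.
            age.secrets.example-token.rekeyFile = ./secrets/example-token.age;
          }
        ];
      };
    };
}
```

After nix flake lock, nix develop drops you into a shell with the agenix wrapper on PATH; the same per-flake apps are reachable without the devshell as nix run .#agenix-rekey.$system.<app>.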