657789137c
* use mmdoc * add github pages action to auto publish * do not edit README for now, will follow up with a commit directs people to the doc site
596 B
596 B
Problem and solution
All files in the Nix store are readable by any system user, so it is not a suitable place for including cleartext secrets. Many existing tools (like NixOps deployment.keys) deploy secrets separately from nixos-rebuild
, making deployment, caching, and auditing more difficult. Out-of-band secret management is also less reproducible.
agenix
solves these issues by using your pre-existing SSH key infrastructure and age
to encrypt secrets into the Nix store. Secrets are decrypted using an SSH host private key during NixOS system activation.