homeage - runtime decrypted age secrets for nix home manager

homeage is a module for home-manager that enables runtime decryption of declarative age files.

Features

• File agnostic declarative secrets that can be used inside your home-manager flakes
• Symlink (or copy if symlinks aren't supported) decrypted secrets
• Safely cleans up secrets on generation change or systemd service stop
• Encryption is normal age encryption, use your ssh or age keys
• Decryption/cleanup secrets either through systemd services or home-manager activation (for systems without systemd support)

Management Scheme

Pre-Build:

• Encrypt files with age and make them accessible to home-manager config (through git repository, builtin function, etc.).
• Install your age/ssh key outside of the scope home-manager.

Post-build:

• Encrypted files are copied into the nix store (globally available).
• Scripts for decrypting are in the nix store (globally available).
  • Because of this must to make sure your decryption key has correct file permissions set.

Systemd Installation

Service Start:

• Decrypts secret and copies/symlinks to locations

Service Stop:

• Cleans up decrypted secret and associated copies/symlinks

Home-manager activation:

• With home-manager systemd reload enabled services will automatically reload/stop during activation for seamless cleanup and re-installation.

Activation Installation

Home-manager activation:

• Cleans up all secrets that changed between current and previous generation
• Decrypts secret and copies/symlinks to locations

Getting started

Non-flake

If you are using homeage without nix flakes feel free to contribute an example config.

Nix Flakes

Import homeage.homeManagerModules.homeage into the configuration and set valid homeage.identityPaths and your all set.

{
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    homeage = {
      url = "github:jordanisaacs/homeage";
      # Optional
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { nixpkgs, homeage, ... }@inputs:
    let
      pkgs = import nixpkgs {
        inherit system;
      };
      
      system = "x86_64-linux";
      username = "jd";
      stateVersion = "21.05";
    in {
      homeManagerConfigurations = {
        jd = home-manager.lib.homeManagerConfiguration {
          inherit system stateVersion username pkgs;
          home.homeDirectory = "/home/${username}";

          configuration = {
            home.stateVersion = stateVersion;
            home.username = username;
            home.homeDirectory = "/home/${username}";

            homeage = {
                # Absolute path to identity (created not through home-manager)
                identityPaths = [ "~/.ssh/id_ed25519" ];

                # "activation" if system doesn't support systemd
                installationType = "systemd";

                file."pijulsecretkey" = {
                  # Path to encrypted file tracked by the git repository
                  source = ./secretkey.json.age;
                  symlinks = [ "${config.xdg.configHome}/pijul/secretkey.json" ];
                  copies = [ "${config.xdg.configHome}/no-symlink-support/secretkey.json" ];
                };
            };

            imports = [ homeage.homeManagerModules.homeage ];
          };
        };
      };
    };
}

Options

See source for all the options and their descriptions.

Acknowledgments

The inspiration for this came from RaitoBezarius' pull request to agenix. I have been trying to figure out how to do secrets with home manager for a while and that PR laid out the foundational ideas for how to do it!