runtime decrypted age secrets for nix home manager
homeage
is a home-manager module that decrypts declaratively managed, age-encrypted files at runtime (during home-manager activation or from a systemd user service). Only the ciphertext is part of the Nix configuration, so the plaintext secret never has to live in the Nix store.
Pre-Build:
Post-build:
Service Start:
Service Stop:
Home-manager activation:
Home-manager activation:
If you use homeage without Nix flakes, feel free to contribute an example configuration.
Import homeage.homeManagerModules.homeage
into your configuration, set homeage.identityPaths to one or more existing age identities (private keys that are NOT managed by home-manager),
and you're all set.
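{
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    homeage = {
      url = "github:jordanisaacs/homeage";
      # Optional: build homeage against the same nixpkgs as everything else.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  # `home-manager` is referenced below (home-manager.lib...), so it has to be
  # destructured here or reached as `inputs.home-manager`; otherwise evaluation
  # fails with an undefined-variable error.
  outputs = { nixpkgs, home-manager, homeage, ... }@inputs:
    let
      system = "x86_64-linux";
      username = "jd";
      stateVersion = "21.05";
      homeDirectory = "/home/${username}";
      pkgs = import nixpkgs { inherit system; };
    in {
      homeManagerConfigurations = {
        jd = home-manager.lib.homeManagerConfiguration {
          # homeManagerConfiguration (pre-22.11 API, matching stateVersion 21.05)
          # takes a plain `homeDirectory` argument; `home.homeDirectory` belongs
          # inside the module below, not here.
          inherit system stateVersion username pkgs homeDirectory;

          # `configuration` is a home-manager module. It must be a function of
          # the module arguments so that `config` (used in the paths below) is
          # in scope.
          configuration = { config, ... }: {
            imports = [ homeage.homeManagerModules.homeage ];

            home.stateVersion = stateVersion;
            home.username = username;
            home.homeDirectory = homeDirectory;

            homeage = {
              # Absolute path(s) to the age identity (here an SSH private key).
              # The key must already exist on the machine and must NOT be
              # created or managed through home-manager/Nix: anything Nix
              # manages is copied into the world-readable /nix/store.
              identityPaths = [ "${homeDirectory}/.ssh/id_ed25519" ];
              # Decrypt from a systemd user service. Use "activation" on systems
              # without systemd; decryption then happens during
              # `home-manager switch`.
              installationType = "systemd";
              file."pijulsecretkey" = {
                # Path to the encrypted file tracked by the git repository.
                # Only this ciphertext ends up in the Nix store; the plaintext
                # is produced at runtime by homeage.
                source = ./secretkey.json.age;
                # Symlinks point at the runtime-decrypted file.
                symlinks = [ "${config.xdg.configHome}/pijul/secretkey.json" ];
                # `copies` writes the decrypted content to the target path
                # itself (for programs that refuse symlinks). That plaintext
                # copy is only as protected as its parent directory's
                # permissions, so prefer `symlinks` where possible.
                copies = [ "${config.xdg.configHome}/no-symlink-support/secretkey.json" ];
              };
            };
          };
        };
      };
    };
}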
See the module source for the full list of options and their descriptions.
The inspiration for this came from RaitoBezarius' pull request to agenix. I have been trying to figure out how to do secrets with home manager for a while and that PR laid out the foundational ideas for how to do it!