#agenix — Public Fediverse posts

Does someone on #NixOS use #Radicale with the email hook?
I would like to use this but encrypt the credentials with #agenix but there isn't an option to read them from a file.

Okay, the long awaited, most anticipated, overly masturbated part two is ready for public consumption:

https://blog.xvrqt.com/nix-wireguard-key-gen.html

We're finally, almost, ready to configure Wireguard ​:hypecirno:​

Also, I won't have to write any more shell scripts in Nix which I do not enjoy at all.

If you give it a read please let me know! I find it encouraging, and the feedback helps me grow as a writer.

#nix #wireguard #linux #kernel #flakes #nixox #age #agenix

Okay, the long awaited, most anticipated, overly masturbated part two is ready for public consumption:

https://blog.xvrqt.com/nix-wireguard-key-gen.html

We're finally, almost, ready to configure Wireguard ​:hypecirno:​

Also, I won't have to write any more shell scripts in Nix which I do not enjoy at all.

If you give it a read please let me know! I find it encouraging, and the feedback helps me grow as a writer.

#nix #wireguard #linux #kernel #flakes #nixox #age #agenix

Okay, the long awaited, most anticipated, overly masturbated part two is ready for public consumption:

https://blog.xvrqt.com/nix-wireguard-key-gen.html

We're finally, almost, ready to configure Wireguard ​:hypecirno:​

Also, I won't have to write any more shell scripts in Nix which I do not enjoy at all.

If you give it a read please let me know! I find it encouraging, and the feedback helps me grow as a writer.

#nix #wireguard #linux #kernel #flakes #nixox #age #agenix

Okay, the long awaited, most anticipated, overly masturbated part two is ready for public consumption:

https://blog.xvrqt.com/nix-wireguard-key-gen.html

We're finally, almost, ready to configure Wireguard ​:hypecirno:​

Also, I won't have to write any more shell scripts in Nix which I do not enjoy at all.

If you give it a read please let me know! I find it encouraging, and the feedback helps me grow as a writer.

#nix #wireguard #linux #kernel #flakes #nixox #age #agenix

Okay, the long awaited, most anticipated, overly masturbated part two is ready for public consumption:

https://blog.xvrqt.com/nix-wireguard-key-gen.html

We're finally, almost, ready to configure Wireguard ​:hypecirno:​

Also, I won't have to write any more shell scripts in Nix which I do not enjoy at all.

If you give it a read please let me know! I find it encouraging, and the feedback helps me grow as a writer.

#nix #wireguard #linux #kernel #flakes #nixox #age #agenix

Weil es letztes Jahr beim #Tübix2025 so gut angekommen war, mache ich wohl beim #Tübix2026 sogar zwei :nixos: #NixOS workshops:

1. Workshop: Einstieg, Motivation, Killer Features, Basics
2. Workshop: Deep Dive ins Nixos-Modulsystem, schreiben eigener Module, secrets management mit #agenix, vllt. Live-Deployment auf einen :raspberrypi: #RaspberryPi vor Ort

Was meint ihr?

https://www.tuebix.org/callforpapers/

#Tübingen #LinuxTag #FOSS

Weil es letztes Jahr beim #Tübix2025 so gut angekommen war, mache ich wohl beim #Tübix2026 sogar zwei :nixos: #NixOS workshops:

1. Workshop: Einstieg, Motivation, Killer Features, Basics
2. Workshop: Deep Dive ins Nixos-Modulsystem, schreiben eigener Module, secrets management mit #agenix, vllt. Live-Deployment auf einen :raspberrypi: #RaspberryPi vor Ort

Was meint ihr?

https://www.tuebix.org/callforpapers/

#Tübingen #LinuxTag #FOSS

Weil es letztes Jahr beim #Tübix2025 so gut angekommen war, mache ich wohl beim #Tübix2026 sogar zwei :nixos: #NixOS workshops:

1. Workshop: Einstieg, Motivation, Killer Features, Basics
2. Workshop: Deep Dive ins Nixos-Modulsystem, schreiben eigener Module, secrets management mit #agenix, vllt. Live-Deployment auf einen :raspberrypi: #RaspberryPi vor Ort

Was meint ihr?

https://www.tuebix.org/callforpapers/

#Tübingen #LinuxTag #FOSS

Weil es letztes Jahr beim #Tübix2025 so gut angekommen war, mache ich wohl beim #Tübix2026 sogar zwei :nixos: #NixOS workshops:

1. Workshop: Einstieg, Motivation, Killer Features, Basics
2. Workshop: Deep Dive ins Nixos-Modulsystem, schreiben eigener Module, secrets management mit #agenix, vllt. Live-Deployment auf einen :raspberrypi: #RaspberryPi vor Ort

Was meint ihr?

https://www.tuebix.org/callforpapers/

#Tübingen #LinuxTag #FOSS

Weil es letztes Jahr beim #Tübix2025 so gut angekommen war, mache ich wohl beim #Tübix2026 sogar zwei :nixos: #NixOS workshops:

1. Workshop: Einstieg, Motivation, Killer Features, Basics
2. Workshop: Deep Dive ins Nixos-Modulsystem, schreiben eigener Module, secrets management mit #agenix, vllt. Live-Deployment auf einen :raspberrypi: #RaspberryPi vor Ort

Was meint ihr?

https://www.tuebix.org/callforpapers/

#Tübingen #LinuxTag #FOSS

I figured out how to use #agenix on #nixos

https://www.splitbrain.org/blog/2025-07/27-agenix

#blogpost

How are people who use #agenix solving passing secrets to modules that don't take a path? I'm specifically looking at my Prometheus config where I need to configure a bearer token for a scrape job, and API tokens in the Alertmanager configuration. All of these just take strings.

I guess you can lib.readFile the decrypted file which is frowned upon, but there's no other users on the system so I guess having it in the clear in the store is less of an issue.

#age #nix #nixos

It seems that in #nix flakes one still can't use files that have to go through a git smudge filter. This apparently includes:

- git-crypt (selectively encrypt some files)
- :gitannex: #gitAnnex (manage large files outside of git)
- git-lfs (same, but less powerful than git annex)

For credentials, #agenix et al. might suffice, but for secret configs in #nix files or just for large files you want deployed to your system, the lack of support for the above tools is a huge flake blocker for me.

Finally taking the time to implement #agenix to store my secrets in :nixos: #NixOS. Age itself is nicely lightweight and simple. It's a bit weird that agenix uses an un-included #nix file for configuration, but okay. It also doesn't feel like it's designed to build fresh systems from the ground up, as you're supposed to already have the ssh server and all your keys at hand.

Great article on using #agenix with #nix #nixos https://jonascarpay.com/posts/2021-07-27-agenix.html

#Nix #NixOS friends which should I use #agenix or #sops ? :nix:

I just realized my #agenix setup is effectively one-way because I used a hardware-stored ssh key to encrypt the secrets and age has no way to access the private key 😐

Added a new section to the #NixOS wiki page on #Agenix, a secret management tool 🔑 The section references a tip by @aanderse on how to access a secret file inside a container 🛳️ https://nixos.wiki/wiki/Agenix#Access_secrets_inside_container

How much of a stupid idea is it to use the same host keys to unlock #LUKS over #SSH?
And they are unencrypted in my public #NixOS repo.
I know that MitM is a possible scenario but I’m only able to connect via VPN and once the system is unlocked it uses different keys which I then properly verify.

Otherwise I probably would have to generate a key for each device and somehow copy it manually during the installation since #agenix doesn’t work at that stage.

#security #linux

I've just added secrets management via agenix to my #nixos config. I can now manage my secrets in my config repo as plain encrypted files and deploy them to my machines using plain ol' ssh keys.

I really like the concept, simplicity and usabilty of #agenix so far.

Not yet using it for any actual secrets, but looking forward to it. Will be especially handy once I expand my NixOS usage to my actual server 😁​

https://git.eisfunke.com/config/nixos/-/commit/00b103ab47c0e45561afa682fd681996d5d38823

@frigidcode my setup for secrets management with #NixOS has been to use #agenix to get the secrets securely decrypted on the host (and only visible by root)
Then I use systemd’s LoadCredential to make it visible to only to the specific service that needs it (works great with systemd DynamicUser=true setups too)
Been pretty happy with it so far!