Add the agenix module to flake.nix (abridged; `[...]` marks omitted parts):
  inputs = {
    # NixOS official package source, using the nixos-24.11 branch here
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    agenix.url = "github:ryantm/agenix";
    [...]
  modules = [
    [...]
    agenix.nixosModules.default
    {
      # puts the agenix CLI on the system so secrets can be edited on the host
      environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
    }
  ];
Create the secrets directory:
  mkdir ./secrets; cd ./secrets
Edit secrets.nix so that each secret lists the public keys allowed to decrypt it (here the host's SSH key):
  let
    nixos02 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPk+adV2Jf1oNAHXP2xr17tN40osdv4q943cHGJ7Px6v root@nixos02";
  in
  {
    "tailscale.age".publicKeys = [ nixos02 ];
    "peertube.age".publicKeys = [ nixos02 ];
    "postgresql.age".publicKeys = [ nixos02 ];
    "redis.age".publicKeys = [ nixos02 ];
  }
Edit each secret, using the host's private SSH key as the identity (-i) that matches the public key above:
  sudo EDITOR=vim agenix -i /etc/ssh/ssh_host_ed25519_key -e postgresql.age
In the editor (assuming openssl is in your system packages), you can generate a fresh random value as follows; `:r !` reads the command output straight into the buffer instead of only displaying it:
  :!openssl rand -hex 32
  :r !openssl rand -hex 32
In the NixOS configuration, set config.age.secrets.<name>.file for each secret:
  age.secrets.tailscale.file = ./secrets/tailscale.age;
You can then use the decrypted path via the option:
  `cat ${config.age.secrets.tailscale.path}`
or point directly to the default location under /run:
  ${tailscale}/bin/tailscale up -authkey `cat /run/agenix/tailscale`
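A fuller NixOS module tying these pieces together, added here as an example and not part of the original notes: it assumes the host key used with `agenix -e` above is the decryption identity and that a `peertube` PostgreSQL role is wanted, and it uses `services.tailscale.authKeyFile` plus systemd `LoadCredential` so secrets are read at runtime instead of being spliced into a command line.

```nix
{ config, pkgs, ... }:
{
  # Identities agenix tries at activation; must be one of the keys listed
  # for each secret in secrets.nix (the host key used with `agenix -e` above)
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Decrypted to /run/agenix/<name>, root-owned, mode 0400 by default
  age.secrets.tailscale.file = ./secrets/tailscale.age;
  age.secrets.postgresql.file = ./secrets/postgresql.age;

  # Prefer *File options over `cat` in a command: the daemon reads the key
  # at runtime, so it never appears in argv or in the Nix store
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale.path;
  };

  services.postgresql = {
    enable = true;
    ensureUsers = [ { name = "peertube"; } ];  # assumed role name
  };

  # Custom consumer: systemd (as root) loads the root-only secret and exposes
  # it to the unprivileged service under $CREDENTIALS_DIRECTORY, so no
  # owner/mode change and no world-readable copy is needed
  systemd.services.peertube-db-password = {
    after = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];
    wantedBy = [ "multi-user.target" ];
    path = [ config.services.postgresql.package ];
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      LoadCredential = [ "dbpass:${config.age.secrets.postgresql.path}" ];
    };
    script = ''
      # Read at runtime. Never builtins.readFile a secret path during
      # evaluation: the plaintext would land in the world-readable /nix/store.
      pw=$(cat "$CREDENTIALS_DIRECTORY/dbpass")
      # Feed the statement via stdin rather than -c so it is not in argv
      # (the value is hex from `openssl rand -hex`, so no quoting issues)
      printf "ALTER ROLE peertube PASSWORD '%s';\n" "$pw" \
        | psql -v ON_ERROR_STOP=1 -d postgres
    '';
  };
}
```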