Parker Jones Dev Blog - securityDev Blog of Parker JonesZola2026-06-26T00:00:00+00:00https://parkerjones.dev/tags/security/atom.xmlNix Fleet, Part 3: Fleet-Wide Secrets with agenix2026-06-26T00:00:00+00:002026-06-26T00:00:00+00:00
Unknown
https://parkerjones.dev/posts/nix-fleet-agenix-secrets/<blockquote>
<p><strong>Nix Fleet, part 3.</strong> <a href="/posts/nix-fleet-one-flake/">Part 1</a> covered the architecture; <a href="/posts/nix-fleet-remote-builders/">Part 2</a> made builds painless. This part handles the thing you must <em>not</em> commit to a public config repo: secrets.</p>
</blockquote>
<p>My whole system is declared in a Git repository, and most of it is public. But a fleet needs secrets — API keys, SMB credentials, a WireGuard config — and those obviously can't sit in plaintext next to the rest of the config. The constraint that shapes everything here: I want secrets to be <strong>versioned, shared across every machine, and reproducible</strong>, with the same Git-reviewable discipline as the rest of the system — without any secret ever appearing in plaintext, in the repo, or in the Nix store.</p>
<p><a rel="external" href="https://github.com/ryantm/agenix">agenix</a> gets me there. Here's the setup.</p>
<h2 id="two-repos-one-boundary">Two repos, one boundary</h2>
<p>The cleanest decision I made was to put secrets in their <strong>own separate repo</strong> (<code>nix-secrets</code>) and pull it into the system flake as an input. I keep my real one private, but I've published a <a rel="external" href="https://github.com/parallaxisjones/nix-secrets">public example repo</a> so you can see the shape:</p>
<pre><code data-lang="nix"># flake.nix
inputs.secrets = {
url = "git+ssh://git@github.com/parallaxisjones/nix-secrets.git";
flake = false;
};
</code></pre>
<p>That boundary pays off operationally: I can lock or revoke access to the secrets repo independently of the (public) config, rotate recipients without touching application code, and grant a machine read-only deploy access to just the secrets it needs. The public config can stay public because the sensitive bits live behind a separate door.</p>
<h2 id="how-agenix-encrypts">How agenix encrypts</h2>
<p>agenix is <code>age</code> encryption wired into Nix. You declare, per secret, <em>which identities are allowed to decrypt it</em>. That declaration lives in <code>secrets.nix</code> in the private repo:</p>
<pre><code data-lang="nix">let
# macOS (pjones) and NixOS (parallaxis) decrypt with the
# same ~/.ssh/parallaxis identity.
pjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...oqt7Aq";
users = [ pjones ];
in
{
"openai-key.age".publicKeys = users;
"anthropic-api-key.age".publicKeys = users;
"datadog-api-key.age".publicKeys = users;
"datadog-app-key.age".publicKeys = users;
"smb-credentials.age".publicKeys = users;
"protonvpn-wireguard.age".publicKeys = users;
}
</code></pre>
<p>Each <code>.age</code> file is encrypted to the public keys listed. The matching private identity — and <em>only</em> that identity — can decrypt it. The encrypted files are safe to commit (to the private repo); the identity never is.</p>
<h2 id="one-identity-for-the-whole-fleet">One identity for the whole fleet</h2>
<p>Notice that <code>users</code> is a single key. That's deliberate: <strong>both my macOS and NixOS machines decrypt with the same <code>~/.ssh/parallaxis</code> ed25519 identity.</strong> agenix can use an <code>age</code>-native key (<code>age-keygen</code>) or reuse an existing SSH ed25519 key via <code>age-plugin-ssh</code>; I reuse the SSH key so there's exactly one secret-decrypting identity to manage across the fleet.</p>
<p>The trade-off is real and worth stating: one identity is one thing to protect and one thing to rotate, but it's also a single point of compromise. For a personal fleet that's the right call — fewer keys means I actually keep the rotation story straight instead of letting five per-host keys drift. If this were a team, I'd encrypt each secret to multiple recipients (one per person/host) so revoking one doesn't force re-keying everyone. agenix supports exactly that; it's just a longer <code>publicKeys</code> list.</p>
<h2 id="how-decryption-works-at-runtime">How decryption works at runtime</h2>
<p>This is the part that makes agenix better than "stash a <code>.env</code> somewhere." At activation time, NixOS/nix-darwin decrypts each declared secret to a path under <code>/run</code> (tmpfs), owned by the user/service that needs it, with the permissions you specify. The decrypted value:</p>
<ul>
<li><strong>never lands in the Nix store</strong> (which is world-readable and gets copied to your binary cache),</li>
<li><strong>never sits in the repo</strong> in plaintext,</li>
<li>exists only on the machine authorized to decrypt it, only while the system is running.</li>
</ul>
<p>So a service reads its API key from a file at <code>/run/agenix/...</code>, that file only exists because <em>this</em> machine holds the identity that can decrypt it, and the policy for who-can-read-what is reviewable in <code>secrets.nix</code>. Secrets management becomes declarative and auditable, like the rest of the config.</p>
<h2 id="bootstrapping-a-brand-new-machine">Bootstrapping a brand-new machine</h2>
<p>The chicken-and-egg problem: a fresh machine needs secrets to be useful, but doesn't yet have the identity to decrypt them. My flake exposes helper apps for exactly this lifecycle:</p>
<pre><code data-lang="text">nix run .#create-keys # generate keys on a new machine
nix run .#copy-keys # place an identity where agenix expects it
nix run .#check-keys # verify the identity can decrypt
nix run .#install-with-secrets # first install WITH secrets provisioned
</code></pre>
<p><code>install-with-secrets</code> is the interesting one. On a first NixOS install it runs <a href="/posts/nix-fleet-helios64-disko/">disko</a> to partition, stages the repo to the new root, and installs via the flake — and crucially, it relies on <strong>SSH agent forwarding</strong> so the installer can fetch the private <code>secrets</code> input without ever copying a key onto the installer media. Nothing persistent is left behind on the installer once it's done. The machine comes up on first boot already matching repo state, with its secrets provisioned where they're declared.</p>
<h2 id="why-this-beats-the-alternatives">Why this beats the alternatives</h2>
<ul>
<li><strong>vs. plaintext <code>.env</code> / committed config:</strong> secrets are encrypted at rest, never in the repo, never in the store.</li>
<li><strong>vs. a cloud secrets manager:</strong> no external dependency, no per-machine bootstrapping against a third-party API, and the policy is in Git where I review everything else.</li>
<li><strong>vs. copying keys around by hand:</strong> the recipient list is declarative; adding or removing who-can-decrypt is a reviewable diff, not a tribal-knowledge ritual.</li>
</ul>
<p>The throughline of this whole series is "manage it declaratively, in Git, reproducibly." Secrets are the case where people usually give up and do something ad-hoc. agenix is how I kept them inside the same discipline as everything else. Next, in <a href="/posts/nix-fleet-helios64-disko/">Part 4</a>, I put all of this to work standing up an ARM NAS from bare metal — disko for the disks, agenix for the backup credentials, and <code>nixos-anywhere</code> to tie it together.</p>
<p><em>A public example secrets repo is at <a rel="external" href="https://github.com/parallaxisjones/nix-secrets"><code>parallaxisjones/nix-secrets</code></a>; the fleet config that consumes it is <a rel="external" href="https://github.com/parallaxisjones/dotfiles"><code>parallaxisjones/dotfiles</code></a>.</em></p>
<p><em>— Parker Jones, <a rel="external" href="https://parkerjones.dev">parkerjones.dev</a></em></p>