Documentation


Secrets

garnix also supports secrets. It does so by deploying a secret key to your servers, so you can use a tool such as agenix or sops-nix to encrypt your secrets for that key and deploy them as needed.

Currently garnix generates a single key for each repo and deploys it to all servers at the path /var/garnix/keys/repo-key. The key is readable by root only. To get the public key, you can use curl:

curl https://garnix.io/api/keys/<myorg/myuser>/<myrepo>/repo-key.public

Note that any root exploit can thus gain access to all secrets. For this and other reasons (i.e., hosting and secrets are still alpha), we recommend not yet using highly sensitive secrets.

Secrets with agenix

Here's an example of encrypting with agenix. sops-nix should work similarly.

First, we create a secrets.nix file, containing only one secret. It states that all our servers, and we ourselves, should have access to the secret:

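let
  # Public key of the garnix repo key (output of the curl command above)
  repoKey = "<gotten from curl command above>";
  # Your own public key, so that you can edit the secret locally
  myKey = "<gotten from ~/.ssh/id_ed25519.pub or the like>";
in
{
  "sampleSecret.age".publicKeys = [ repoKey myKey ];
}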

Then, assuming we have agenix installed, we run:

agenix -e sampleSecret.age

And write the secret in the editor that opens up.

Next we add the agenix repo to our flake inputs:

  inputs.agenix.url = "github:ryantm/agenix";

We also add the agenix module (agenix.nixosModules.default) to the NixOS configuration we want to deploy. Then we add the following to that configuration:

  age.secrets.sampleSecret = {
    file = ./sampleSecret.age;
  };
  age.identityPaths = [
    "/var/garnix/keys/repo-key"
  ];

See the agenix reference for more options, such as path, modes and ownership. When you deploy, /run/agenix/sampleSecret should contain the secret you encrypted.
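
The steps above can be combined with the ownership and mode options from the agenix reference in a single NixOS module. This is an added example, not taken from the garnix documentation: the file name secrets-module.nix and the "myapp" user, group and service are hypothetical, and the module is assumed to sit next to sampleSecret.age and to be listed in the same modules list as agenix.nixosModules.default.

```nix
# secrets-module.nix: added example. The "myapp" user, group and service
# are hypothetical stand-ins for whatever consumes the secret.
{ config, pkgs, ... }:
{
  # Decrypt with the per-repo key that garnix places on every server.
  age.identityPaths = [ "/var/garnix/keys/repo-key" ];

  age.secrets.sampleSecret = {
    file = ./sampleSecret.age;
    # Least privilege: readable only by the account that consumes it.
    owner = "myapp";
    group = "myapp";
    mode = "0400";
  };

  users.groups.myapp = { };
  users.users.myapp = {
    isSystemUser = true;
    group = "myapp";
  };

  systemd.services.myapp = {
    description = "Hypothetical consumer of sampleSecret";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      User = "myapp";
      # Refer to the secret by path only. Embedding the plaintext in the
      # Nix configuration would place it in the world-readable /nix/store.
      ExecStart = pkgs.writeShellScript "myapp-start" ''
        secret_file=${config.age.secrets.sampleSecret.path}
        # Fail closed if the decrypted file is missing or empty.
        [ -s "$secret_file" ] || { echo "sampleSecret not decrypted" >&2; exit 1; }
        size=$(${pkgs.coreutils}/bin/wc -c < "$secret_file")
        echo "sampleSecret is available ($size bytes)"
      '';
    };
  };
}
```

The owner and mode settings restrict which non-root accounts can read the decrypted file; they do not change the caveat above that root on a server can read the repo key.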