Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jordanisaacs/homeage

runtime decrypted age secrets for nix home manager
https://github.com/jordanisaacs/homeage

age encryption home-manager nix nixos secrets

Last synced: 3 months ago
JSON representation

runtime decrypted age secrets for nix home manager

Host: GitHub
URL: https://github.com/jordanisaacs/homeage
Owner: jordanisaacs
License: mit
Created: 2021-11-07T14:46:28.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2023-11-11T01:51:53.000Z (12 months ago)
Last Synced: 2024-06-30T20:36:38.629Z (4 months ago)
Topics: age, encryption, home-manager, nix, nixos, secrets
Language: Nix
Homepage:
Size: 32.2 KB
Stars: 130
Watchers: 8
Forks: 19
Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-age - homeage - manager module for runtime decryption of declarative age files. (Integrations)

README

        # homeage - runtime decrypted [age](https://github.com/str4d/rage) secrets for nix home manager

`homeage` is a module for [home-manager](https://github.com/nix-community/home-manager) that enables runtime decryption of declarative age files.

## Features

- [x] File agnostic declarative secrets that can be used inside your home-manager flakes

- [X] Symlink (or copy if symlinks aren't supported) decrypted secrets

- [X] Safely cleans up secrets on generation change or systemd service stop

- [x] Encryption is normal age encryption, use your ssh or age keys

- [X] Decryption/cleanup secrets either through systemd services or home-manager activation (for systems without systemd support)

## Management Scheme

Pre-Build:

* Encrypt files with age and make them accessible to home-manager config (through git repository, builtin function, etc.).

* Install your age/ssh key outside of the scope home-manager.

Post-build:

* Encrypted files are copied into the nix store (globally available).

* Scripts for decrypting are in the nix store (globally available).

    * Because of this **must** to make sure your decryption key has correct file permissions set.

### Systemd Installation

Service Start:

* Decrypts secret and copies/symlinks to locations

Service Stop:

* Cleans up decrypted secret and associated copies/symlinks

Home-manager activation:

* With home-manager systemd reload enabled services will automatically reload/stop during activation for seamless cleanup and re-installation.

### Activation Installation

Home-manager activation:

* Cleans up all secrets that changed between current and previous generation

* Decrypts secret and copies/symlinks to locations

## Getting started

### Non-flake

If you are using homeage without nix flakes feel free to contribute an example config.

### Nix Flakes

Import `homeage.homeManagerModules.homeage` into the configuration and set valid `homeage.identityPaths` and your all set.

```nix

{

  inputs = {

    nixpkgs.url = "nixpkgs/nixos-unstable";

    home-manager = {

      url = "github:nix-community/home-manager";

      inputs.nixpkgs.follows = "nixpkgs";

    };

    homeage = {

      url = "github:jordanisaacs/homeage";

      # Optional

      inputs.nixpkgs.follows = "nixpkgs";

    };

  };

  outputs = { nixpkgs, homeage, ... }@inputs:

    let

      pkgs = import nixpkgs {

        inherit system;

      };

      

      system = "x86_64-linux";

      username = "jd";

      stateVersion = "21.05";

    in {

      homeManagerConfigurations = {

        jd = home-manager.lib.homeManagerConfiguration {

          inherit system stateVersion username pkgs;

          home.homeDirectory = "/home/${username}";

          configuration = {

            home.stateVersion = stateVersion;

            home.username = username;

            home.homeDirectory = "/home/${username}";

            homeage = {

                # Absolute path to identity (created not through home-manager)

                identityPaths = [ "~/.ssh/id_ed25519" ];

                # "activation" if system doesn't support systemd

                installationType = "systemd";

                file."pijulsecretkey" = {

                  # Path to encrypted file tracked by the git repository

                  source = ./secretkey.json.age;

                  symlinks = [ "${config.xdg.configHome}/pijul/secretkey.json" ];

                  copies = [ "${config.xdg.configHome}/no-symlink-support/secretkey.json" ];

                };

            };

            imports = [ homeage.homeManagerModules.homeage ];

          };

        };

      };

    };

}

```

## Options

See [source](./module/default.nix) for all the options and their descriptions.

## Acknowledgments

The inspiration for this came from RaitoBezarius' [pull request](https://github.com/ryantm/agenix/pull/58/files) to agenix. I have been trying to figure out how to do secrets with home manager for a while and that PR laid out the foundational ideas for how to do it!