Secrets are managed with agenix under `secrets/`. Only encrypted secret files are kept in Git, so no plaintext value is ever committed.

- encrypted material: `*.age`
- recipient mapping: `secrets/secrets.nix`

```sh
# edit existing encrypted secret
agenix -e secrets/<service>.age
```

Adding a secret:

- Create the encrypted file with `agenix`.
- Add recipients in `secrets/secrets.nix`.
- Reference the secret from the host config: `age.secrets.<service>.file = ../../secrets/<service>.age;`

Rules:

- never commit plaintext secrets.
- keep names service-oriented and lowercase.
- validate affected host builds before merge.
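As an added illustration (not this repo's actual files), the recipient mapping and a host-side reference shown together; the public keys, host name `web01` and service names are placeholders:

```nix
# --- secrets/secrets.nix (example, placeholder keys) ---
# agenix reads this file to decide which recipients can decrypt each *.age.
let
  # admin identity used when running `agenix -e` (placeholder key)
  alice = "ssh-ed25519 AAAA-PLACEHOLDER-ADMIN-KEY alice";
  # SSH host key of the machine that decrypts at activation (placeholder key)
  web01 = "ssh-ed25519 AAAA-PLACEHOLDER-HOST-KEY root@web01";
  admins = [ alice ];
in
{
  # service-oriented, lowercase names; a host that is not listed here
  # cannot decrypt the file, so re-key (agenix -r) after adding a host
  "postgres.age".publicKeys = admins ++ [ web01 ];
  "backup.age".publicKeys   = admins ++ [ web01 ];
}

# --- hosts/web01/configuration.nix (example fragment) ---
{ config, ... }:
{
  # identity the host decrypts with (agenix defaults to the host SSH keys)
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.postgres = {
    file  = ../../secrets/postgres.age;
    owner = "postgres";   # only the service account may read the plaintext
    group = "postgres";
    mode  = "0400";
  };

  age.secrets.backup.file = ../../secrets/backup.age;  # root-only, 0400

  # consume by path: plaintext is written under /run/agenix at activation,
  # never copied into the world-readable Nix store
  systemd.services.backup.serviceConfig.EnvironmentFile =
    config.age.secrets.backup.path;
}
```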