Set up Agent Build Pipeline

Declaratively encrypt and automatically deploy secrets across NixOS systems using SSH keys

Declarative secret management for NixOS infrastructure where secrets must be versioned and reproduced identically across hosts.

• · Plaintext secrets (passwords, API keys, certs) via editor $EDITOR
• · SSH public keys of authorized hosts/users in secrets.nix
• · NixOS configuration referencing age.secrets.<name>.file

• · Encrypted .age files safe to commit to Git
• · Decrypted secrets in /run/agenix/<name> at system activation time
• · Automatic file permissions and ownership applied

• · age encryption library (SSH key-based)
• · NixOS module system
• · SSH infrastructure (public keys of target systems/users)

• · NixOS with Flakes or nix-channel support
• · SSH key pair already generated on all target systems
• · agenix binary installed or run via nix run github:ryantm/agenix

• · Secrets decryption fails if SSH private key missing or inaccessible on target
• · Multi-user confusion if secrets.nix public key list out of sync with actual users
• · Editor cleanup may leave plaintext remnants (use secure editors like vim with noshm)
• · Nix store world-readable — secrets must be read from /run/agenix, not directly from store

• · CC0-1.0 public domain license
• · Mature NixOS community tool (Production-ready status)
• · Minimal codebase with only age + SSH infrastructure dependency
• · Support for Home Manager, nix-darwin, Nix-on-Droid ecosystem