Agenix-shell: keep secrets directly in your flake and access them from your devShell

The repository started as a proof of concept at NixCon in Darmstadt, but after months I finally verified that it works by using it in a real project (it had many problems I had to fix).

At the beginning it was conceived only as a flake-parts module (you can find autogenerated docs here), but now it also works without it.

It includes 3 templates that show how to use it with a plain flake, with flake-parts, or with devenv (not well tested, since I don’t use it).

Basically, it allows you to include encrypted secrets in flakes and have them decrypted in your devShells as environment variables. It can be pretty convenient for onboarding new people to projects, since you basically just need to declare a new key and re-encrypt the secrets.

It’s also nice for people who already use the agenix module, since you use the same secrets (and the agenix script) for everything (NixOS, home-manager, darwin, and now even the shell!).

Take a look at the README (which I just finished writing) to understand how to use it and how it works.

Bonus: I recently tried sourcing the script that agenix-shell produces (the one that you have to source in your shell to have the secrets) in CI. This further centralizes the way you control your secrets.

Let me know what you think :slight_smile:
