How not to commit age secrets?

I’m writing a config for a homelab server and running into issues with secret management.
I’m very new to NixOS so I might be completely misunderstanding something.
My problem is I have to commit my encrypted secret file (which shouldn’t be done) for my config to work.

My server has a reverse proxy set up and uses the Let’s Encrypt DNS-01 challenge to get the SSL certs. I generated a Cloudflare API token, set that in an age secret file and thought that’d be a good way to deal with that.
Problem arose when that config would only work if I added that file into version control (which agenix’s documentation says shouldn’t be done).
So I’m a little bit stumped on what’s a good approach for this.

In case you’re wondering, here’s some details about my config:

I use flakes and home-manager (but vastly under use them at the moment, I’m still trying to figure out how to use flakes properly).
Most of my config lives in configuration.nix

In configuration.nix I have:

  security.acme = {
    acceptTerms = true;

    certs."homelab.{mydomain}" = {
      group = config.services.caddy.group;
      domain = "homelab.{mydomain}";
      dnsProvider = "cloudflare";
      dnsResolver = "1.1.1.1:53";
      dnsPropagationCheck = true;
      environmentFile = config.age.secrets.cloudflare.path;
    };
  };

and in my flake.nix I have this:

  {
    age.secrets.cloudflare.file = ./secrets/cloudflare.age;
  }

This only works if I commit the cloudflare.age.

One possible solution I thought of was to commit the cloudflare.age as an empty file, but that’d mean I’d have to be very diligent about not getting the changes added to git every time I make a modification, which means sooner or later I’m going to fail and commit that file.

What’s a good way to deal with this?
If there’s a better alternative I haven’t considered, I’m open to it, this is very much a work in progress.

You could just add a .gitignore file and add your age secret to that, that way it’s still version controlled but not committed.

You could also switch to using sops and you could commit your secrets but that would be a lot more work in the long run.

It’s not possible for an untracked file to influence a flake’s evaluation, by design.

Where does the documentation say this? AFAIK this is the normal way to use agenix, at least in a flake.

One alternative you could use is a separate non-git (path: url) flake on the local filesystem, which you specify as an input and load the encrypted files from. Note that you lose a degree of reproducibility this way, since if the path changes, old versions of the flake become impossible to evaluate, as the locked version of the input is no longer accessible.

I double checked and cannot find it anymore. I’ve been reading so much documentation and so many blog posts these last few days that I must have read that somewhere else.

If committing this file is the correct way to go about it, then that’s fine by me.

Thanks for the help!

Most likely the warning was to ensure you don’t commit the original secrets.nix file you created (if you follow the tutorial in their readme). Committing the .age file is fine, as long as your threat model allows committing encrypted secrets to the repo.
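As an added example (not code from any poster in this thread), here is how the separate `path:` flake input suggested above could be wired up so the encrypted .age files never sit in the git repo, together with the agenix secrets.nix rules file the last reply refers to. The /var/lib/nixos-secrets directory, the hostname homelab and the public key strings are placeholders.

```nix
# flake.nix (added example, not from the thread). The encrypted .age files live
# outside the git repo in a plain directory that is pulled in as a flake input.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix.url = "github:ryantm/agenix";
    # Local directory, not a git repo. flake = false makes it a plain source
    # input. Caveat noted in the thread: if this path moves or changes, old
    # locked revisions of this flake can no longer be evaluated.
    secrets = {
      url = "path:/var/lib/nixos-secrets";   # placeholder path
      flake = false;
    };
  };

  outputs = { self, nixpkgs, agenix, secrets, ... }: {
    nixosConfigurations.homelab = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        agenix.nixosModules.default
        ./configuration.nix   # keeps the security.acme block from the post
        {
          # Read the encrypted file from the path input instead of ./secrets/;
          # only the ciphertext is copied into the Nix store, and agenix
          # decrypts it on the host with its SSH host key at activation time.
          age.secrets.cloudflare.file = "${secrets}/cloudflare.age";
        }
      ];
    };
  };
}

# /var/lib/nixos-secrets/secrets.nix (also outside git): the agenix rules file
# that lists which recipient public keys may decrypt each secret. Running
# `agenix -e cloudflare.age` in that directory creates or edits the encrypted
# file; the cleartext token is never written to the repo.
#
# let
#   admin   = "ssh-ed25519 AAAA...placeholder... admin@laptop";
#   homelab = "ssh-ed25519 AAAA...placeholder... root@homelab";
# in {
#   "cloudflare.age".publicKeys = [ admin homelab ];
# }
```

Committing the .age file in the repo, as the thread concludes, is the simpler option; the path input is only worth the reproducibility trade-off when the ciphertext itself must stay out of version control.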