I just set it up - thank you Ryan for this simple project. Elegant idea, which secures and simplifies my workflow.
As an aside, I’d love a feature like this to be part of standard NixOS. I.e. an easy and elegant way to be secure out of the box.
Thanks also for NixOS guys - I am in love with this project (haven’t felt this way about Linux since discovering Debian & apt 20+ years ago - beautiful package systems are a wonderful thing).
For the casual reader: https://github.com/ryantm/agenix
It allows you to manage secrets in NixOS deployments, without them being exposed to the world-readable store, or readable within git.
If you put secrets (passwords, keys and the like) in your nix projects in any other way, now is probably a good time to stop doing that and changing them all.
There’s a similar project in https://github.com/Mic92/sops-nix, which does support gpg as well as age.
I prefer the latter slightly currently because it integrates nicely with my yubikey+gpg based workflow everywhere else, but if you’re ready to abandon gpg in favor of age, agenix is an alternative with a much simpler design, which definitely has its merits