
I keep my entire Nix config in a public repo. Dotfiles, packages, shell setup, everything. But I also need my SSH and GPG keys on every machine I use. Storing private keys in a public repo is obviously a terrible idea. So how do you manage secrets in Nix without going private? The answer is agenix.

How it works

agenix uses age encryption. You encrypt secrets with your SSH public key, and only someone with the matching private key can decrypt them. The encrypted .age files live in your repo. On rebuild, agenix decrypts them automatically.

    nix
    ├── secrets/                      ~/.local/share/ssh/
    │   ├── ssh-key.age  ───────────► id_rsa      (decrypted on rebuild)
    │   └── gpg-key.age               id_ed25519  (decryption key)
    ├── secrets.nix
    └── modules/agenix.nix

Anyone can clone the repo. Only I can use it.

Setting it up

I generated a dedicated ed25519 key for agenix. My existing RSA key stays untouched for GitHub, servers, and everything else.

    ssh-keygen -t ed25519 -C "agenix@pwnwriter" -f ~/.local/share/ssh/id_ed25519 -N "" #…
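As an added example (not the post's own files), here is how the two files in the tree above could fit together: `secrets.nix` tells agenix which public key may decrypt each `.age` file, and `modules/agenix.nix` tells the rebuild where the private identity lives and where each secret is written. It assumes the standard agenix attribute names (`age.identityPaths`, `age.secrets.<name>.file`, `.path`, `.mode`), a home-manager style `config.home.homeDirectory`, and a placeholder public key.

```nix
# ---- secrets.nix (at the repo root, next to secrets/) ----
# agenix reads this file to learn which recipients each secret is encrypted to.
let
  # PLACEHOLDER: paste the contents of ~/.local/share/ssh/id_ed25519.pub here.
  # Only the public half goes in the repo; the private half is never committed.
  agenixKey = "ssh-ed25519 AAAA...PLACEHOLDER agenix@pwnwriter";
in
{
  # Paths are relative to secrets.nix. Re-run `agenix -r` after changing keys.
  "secrets/ssh-key.age".publicKeys = [ agenixKey ];
  "secrets/gpg-key.age".publicKeys = [ agenixKey ];
}

# ---- modules/agenix.nix (imported by the home-manager configuration) ----
{ config, ... }:
let
  home = config.home.homeDirectory;
in
{
  # The dedicated decryption key from the post. It stays outside the repo;
  # a machine without it can build the config but never sees the plaintext.
  age.identityPaths = [ "${home}/.local/share/ssh/id_ed25519" ];

  age.secrets.ssh-key = {
    file = ../secrets/ssh-key.age;                 # ciphertext in the repo
    path = "${home}/.local/share/ssh/id_rsa";      # plaintext written on rebuild
    mode = "600";                                  # owner-only, as ssh requires
  };

  age.secrets.gpg-key = {
    file = ../secrets/gpg-key.age;
    # No explicit path: agenix places it under its default runtime directory,
    # which is not persisted in the repo either.
    mode = "600";
  };
}
```

A quick sanity check after a rebuild is `ls -l ~/.local/share/ssh/id_rsa` (expect `-rw-------`) and `git ls-files ~/.local/share/ssh` from inside the repo returning nothing.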
