A host-isolated NixOS configuration with multi-host Agenix secret management.
## Quick start

- Enter the environment: `nix-shell` (or let direnv load it automatically).
- Onboard hardware: `just host-add <hostname>`
- Initialize secrets:
  - `just id-init <hostname>` sets the user password.
  - `just id-gen <hostname> space "Name" "email@me.com"` generates an SSH and GPG key pair for one identity; `space` is a label for where the identity is used, such as `GitHub` or `Iceberg`.
- Deploy: `just rebuild <hostname>`
## Layout

- `hosts/`: Isolated machine configurations, one directory per host.
  - `pubkey.nix`: The machine's SSH public key (the recipient key used for secret encryption).
  - `identities.json`: Manifest of GPG/SSH identities for that specific host.
- `modules/`: The three pillars of the system:
  - `system/`: Core OS, mandatory bootloader, and hardware-level fixes (e.g., ISO keyboard swaps).
  - `services/`: Networking, SSH, and GPG-Agent (with SSH support).
  - `profiles/`: Home environment, shell aliases, and editor configs.
- `secrets/`: Shared scripts for identity lifecycle management.
## Commands

- `just host-ls`: List all authorized hosts and their master public keys.
- `just host-rm <name>`: Remove a host (requires confirmation).
- `just id-gen <id> <name> <email> <host>`: Generate GPG/SSH keys for an identity, encrypted to the host's SSH key (see the security model below).
- `just id-ls <host>`: Check health and availability of encrypted secrets.
- `just id-clean <host>`: Wipe all identities for a host (requires confirmation).
## Security model

- Host locking: Secrets are encrypted with `age` to the target machine's SSH host key (the key recorded in `hosts/<host>/pubkey.nix`), so only a machine holding the matching private host key can decrypt them.
- Multi-recipient: When an identity is generated, it is encrypted for every authorized host discovered in `hosts/*/pubkey.nix`. Any one of those hosts can therefore decrypt the identity on its own. A ciphertext already produced for a host stays decryptable by that host's key even after `just host-rm`, so rotate the identities a removed or compromised host could read.
- Isolation: Decrypted private keys reside in `/run/agenix/` and are symlinked into `~/.ssh/`; they are loaded into `gpg-agent` via `interactiveShellInit`.
- Git context: SSH and GPG signing keys switch automatically based on the directory context under `$HOME/projects`.
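The multi-recipient step above (the re-encryption `just id-gen` performs for every host in `hosts/*/pubkey.nix`) can be shown with a small recipient-discovery script. This is an added example, not a script from this repository or from the `secrets/` directory. It assumes, which the README does not state, that each `pubkey.nix` holds a single Nix string literal of the form `"ssh-ed25519 AAAA... comment"`, and that the generated `secrets.nix` is consumed by the agenix CLI, which reads the `publicKeys` list of each secret. The host names and keys below are constructed dummies.

```shell
#!/usr/bin/env sh
# Added example, not code from this repository: recipient discovery for the
# multi-recipient model, i.e. encrypting one identity's secrets to every host
# listed under hosts/*/pubkey.nix.
# Assumption: each pubkey.nix contains one Nix string literal holding the
# host's SSH public key, e.g. "ssh-ed25519 AAAA... root@host".
set -eu

# Extract the quoted SSH public key from a pubkey.nix file.
read_pubkey() {
  sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Host names are the directory names under hosts/ that carry a pubkey.nix.
host_names() {
  for f in "$1"/*/pubkey.nix; do
    [ -f "$f" ] || continue
    basename "$(dirname "$f")"
  done
}

# Recipient arguments for an ad-hoc `age` run: one `-r <key>` per host.
# age accepts SSH public keys directly as recipients.
age_recipient_args() {
  for f in "$1"/*/pubkey.nix; do
    [ -f "$f" ] || continue
    key=$(read_pubkey "$f")
    [ -n "$key" ] || { echo "no public key found in $f" >&2; return 1; }
    printf '%s %s ' "-r" "$key"
  done
}

# Render an agenix secrets.nix in which both files of identity $2
# (its SSH key and its GPG key) are decryptable by every authorized host.
render_secrets_nix() {
  hosts_dir=$1
  ident=$2
  echo "let"
  for h in $(host_names "$hosts_dir"); do
    printf '  %s = "%s";\n' "$h" "$(read_pubkey "$hosts_dir/$h/pubkey.nix")"
  done
  printf '  allHosts = [ %s];\n' "$(host_names "$hosts_dir" | tr '\n' ' ')"
  echo "in {"
  printf '  "%s-ssh.age".publicKeys = allHosts;\n' "$ident"
  printf '  "%s-gpg.age".publicKeys = allHosts;\n' "$ident"
  echo "}"
}

# Constructed sample layout: two hosts with dummy, non-functional keys.
make_sample_hosts() {
  mkdir -p "$1/alpha" "$1/beta"
  echo '"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYALPHA00000000000000000000000000 root@alpha"' > "$1/alpha/pubkey.nix"
  echo '"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYBETA000000000000000000000000000000 root@beta"' > "$1/beta/pubkey.nix"
}

# Demo: build the sample tree, print secrets.nix and the matching age command.
demo_dir=$(mktemp -d)
make_sample_hosts "$demo_dir/hosts"
render_secrets_nix "$demo_dir/hosts" github
echo "# age $(age_recipient_args "$demo_dir/hosts")-o github-ssh.age github-ssh"
rm -r "$demo_dir"
```

Every secret is a single age ciphertext with one recipient stanza per host, so there is nothing host-specific to distribute: the same file decrypts on any authorized machine and fails on an unlisted one. The flip side is that the recipient list is the trust boundary; regenerating `secrets.nix` after `just host-rm` only affects files encrypted from then on, which is why the security model asks for rotation after removing a host.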