artifacts.config.agenix.flakeStoreDir

Path to the directory where encrypted .age files are stored, relative to your flake. This path is used by agenix to find and decrypt secrets at runtime.

Either a path inside the flake (e.g. ./secrets) or a separate flake input dedicated to secrets (e.g. inputs.my-secrets).

Type: absolute path

Example:

./secrets

artifacts.config.agenix.machineName

Machine identifier used in the directory structure for encrypted secrets. Secrets are stored under per-machine/<machineName>/.

Type: string

Default:

"config.networking.hostName"

artifacts.config.agenix.publicHostKey

SSH or age public key used to encrypt secrets for this machine. The host decrypts these automatically using its SSH private key at runtime.

To find your host key: ssh-keyscan <hostname>

Type: string

artifacts.config.agenix.publicUserKeys

Additional public keys that can decrypt the secrets​. Useful when:

  • You need to decrypt secrets during development

  • Multiple users manage the same machine

  • You use a YubiKey for decryption

Keys can be SSH public keys or age public keys.

Type: list of string

Default:

[ ]

artifacts.config.agenix.storeDir

Directory where the TUI writes encrypted .age files during serialization. This is the working directory used when running artifacts serialize.

Type: string

Default:

"secrets"

Example:

"$HOME/nixos-secrets"
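The options above fit together as one module configuration. The following is an added example, not code shipped with the artifacts project: it assumes the artifacts module is already imported into a NixOS configuration, that a secrets layout of ./secrets/per-machine/<machineName>/ is wanted, and that every key string is a constructed placeholder rather than real key material.

```nix
# Added example (not the project's own code): a NixOS module fragment that
# sets the artifacts agenix options. Assumptions: the artifacts module is
# imported elsewhere; all key strings are constructed placeholders.
{ config, inputs, ... }:
{
  artifacts.config.agenix = {
    # Committed, encrypted .age files, read by agenix at runtime. Here they
    # live inside the flake under ./secrets; a dedicated secrets flake input
    # (inputs.my-secrets) would be the alternative.
    flakeStoreDir = ./secrets;

    # Names the per-machine/<machineName>/ subdirectory. The default is
    # config.networking.hostName; overridden here only to show that the
    # directory name need not match the hostname (placeholder value).
    machineName = "build-01";

    # Recipient for this host: its SSH host public key, as printed by
    # `ssh-keyscan <hostname>` (placeholder key material).
    publicHostKey = "ssh-ed25519 AAAA...PLACEHOLDER-HOST-KEY...";

    # Additional recipients that may decrypt: an SSH user key for development
    # and an age recipient, e.g. one backed by a YubiKey (placeholders).
    publicUserKeys = [
      "ssh-ed25519 AAAA...PLACEHOLDER-USER-KEY... dev@laptop"
      "age1...PLACEHOLDER-AGE-RECIPIENT..."
    ];

    # Working directory the TUI writes encrypted .age files to during
    # `artifacts serialize`; a string, unlike flakeStoreDir, which is a path.
    storeDir = "$HOME/nixos-secrets";
  };
}
```

With this configuration, secrets serialized by the TUI are encrypted to the host key plus both user keys, so they can be decrypted on the machine at runtime and by the listed users during development; the per-machine directory under flakeStoreDir is named by machineName, not by the hostname, because machineName is overridden here.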