What is nixos-artifacts-agenix?

nixos-artifacts-agenix is a backend implementation for nixos-artifacts that uses agenix for age-based encryption of secrets.

Components

This project provides two components that work together:

CLI Backend

Implements the artifacts TUI backend for encrypting artifacts. The TUI uses your public keys to encrypt artifacts and stores them in a structured directory layout.

nix run github:mrVanDalo/nixos-artifacts-agenix

NixOS/Home Manager Modules

Integrates with agenix to decrypt secrets at runtime. The modules read encrypted .age files from your flake and decrypt them using host SSH keys or configured identity paths.

Contexts

nixos-artifacts-agenix supports three contexts:

| Context | Directory | Keys Used | Use Case |
|---|---|---|---|
| NixOS | secrets/per-machine/<hostname>/ | publicHostKey + publicUserKeys | System-wide secrets (services, root configs) |
| Home Manager | secrets/per-user/<username>/ | publicUserKeys | User-level secrets (user configs, applications) |
| Shared | secrets/shared/<artifact-name>/ | All configured keys | Secrets used across multiple machines/users |
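
The key scoping in the table can be checked from the encrypted files themselves. The following is an added example, not code from nixos-artifacts-agenix: it reads the header of each .age file and flags SSH recipients that the context does not list. It assumes unarmored age files with SSH recipients stored anywhere below the context directory; the function names, host web1, user alice and all keys are constructed for illustration. Native age (X25519) recipients carry no identifier in the header, so they are reported rather than matched.

```python
import base64, hashlib, struct, tempfile
from pathlib import Path
AGE_MAGIC = b"age-encryption.org/v1"

def ssh_tag(pubkey_line: str) -> str:
    # age labels an ssh-* stanza with SHA-256(SSH wire-format key)[:4] in unpadded base64.
    blob = base64.b64decode(pubkey_line.split()[1])
    return base64.b64encode(hashlib.sha256(blob).digest()[:4]).decode().rstrip("=")

def stanzas(age_bytes: bytes) -> list[tuple[str, str]]:
    # (type, first argument) of each recipient stanza in a binary (unarmored) age header.
    header, sep, _ = age_bytes.partition(b"\n---")
    lines = header.split(b"\n")
    if not sep or lines[0] != AGE_MAGIC:
        raise ValueError("not an unarmored age v1 file")
    return [tuple((l[3:].decode().split(" ") + [""])[:2]) for l in lines[1:] if l.startswith(b"-> ")]

def audit(root: Path, allowed: dict[str, list[str]]) -> list[str]:
    # allowed: directory under root -> public key lines expected to decrypt secrets in it.
    findings = []
    for rel, keys in allowed.items():
        ok = {ssh_tag(k) for k in keys}
        for f in sorted((root / rel).rglob("*.age")):
            for kind, arg in stanzas(f.read_bytes()):
                if not kind.startswith("ssh-"):
                    findings.append(f"{f.relative_to(root)}: {kind} recipient is not identifiable")
                elif arg not in ok:
                    findings.append(f"{f.relative_to(root)}: unexpected {kind} recipient {arg}")
    return findings

def fake_key(seed: int) -> str:
    # Constructed sample: well-formed ssh-ed25519 public key line with filler key bytes.
    wire = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", bytes([seed]) * 32))
    return "ssh-ed25519 " + base64.b64encode(wire).decode()

def fake_age(keys: list[str]) -> bytes:
    # Constructed sample: real header layout, filler share/body/MAC, no real ciphertext.
    fill = "A" * 43
    hdr = "".join(f"-> ssh-ed25519 {ssh_tag(k)} {fill}\n{fill}\n" for k in keys)
    return AGE_MAGIC + b"\n" + hdr.encode() + f"--- {fill}\n".encode() + bytes(16)

def demo() -> list[str]:
    host, user = fake_key(1), fake_key(2)
    files = {"per-machine/web1/db.age": [host, user], "per-user/alice/token.age": [user, host]}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, keys in files.items():
            Path(tmp, rel).parent.mkdir(parents=True)
            Path(tmp, rel).write_bytes(fake_age(keys))
        return audit(Path(tmp), {"per-machine/web1": [host, user], "per-user/alice": [user]})
```

In the constructed data the per-user secret is also encrypted to the host key, which the Home Manager row does not allow, so demo() returns one finding for per-user/alice/token.age.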

Comparison with Plain agenix

| Feature | Plain agenix | nixos-artifacts-agenix |
|---|---|---|
| Secret location | Manual path management | Structured per-machine/per-user layout |
| Encryption | agenix -e file.age | TUI with artifact definitions |
| Key management | secrets.nix file | NixOS/Home Manager options |
| Multi-context | Separate configuration | Unified configuration across NixOS and Home Manager |

When to Use This Backend

Choose the agenix backend when you:

  • Already use agenix and want integration with nixos-artifacts

  • Prefer age encryption (SSH keys, age keys, YubiKey support)

  • Want secrets decrypted automatically via host SSH keys (NixOS) or configured identity paths (Home Manager)

  • Want to distribute secrets via the Nix store