AgentSkillsCN

fact-secrets

Secrets domain knowledge: Agenix structure, access groups, and patterns

SKILL.md

---
name: fact-secrets
description: Secrets domain knowledge - Agenix structure, access groups, and patterns
---

Secrets Domain Knowledge

Directory Layout

```text
secrets/
├── secrets.nix      # Secret definitions (which hosts can access)
├── pubkeys.nix      # Public keys and access groups
└── *.age            # Encrypted secret files
```

Access Groups

| Group | Hosts | Use case |
|---|---|---|
| allHosts | All hosts + user | User passwords |
| allServers | paimon, fischl, lumine, xianyun + user | Service credentials |
| privateServers | paimon, fischl + user | Internal services |
| publicServers | lumine, xianyun + user | Internet-facing |
| someHosts [...] | Specified hosts + user | Specific hosts |
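The table above is what `secrets.nix` consumes through `with pubKeys; with pubKeys.hosts;`. The following `pubkeys.nix` is an added example of how those groups can be defined so that every group also contains the user key (which is what lets the operator edit and rekey every secret); it is not the project's own file, and the key strings are placeholders to be replaced with the real ssh-ed25519 public keys:

```nix
# pubkeys.nix (added example; layout and key values are assumptions,
# not the project's own file)
let
  # Operator key: included in every group so the user can always decrypt/rekey
  user = "ssh-ed25519 AAAA...USER-KEY-PLACEHOLDER";

  # Host keys (ssh host public keys, e.g. /etc/ssh/ssh_host_ed25519_key.pub)
  hosts = {
    paimon  = "ssh-ed25519 AAAA...PAIMON-HOST-KEY-PLACEHOLDER";
    fischl  = "ssh-ed25519 AAAA...FISCHL-HOST-KEY-PLACEHOLDER";
    lumine  = "ssh-ed25519 AAAA...LUMINE-HOST-KEY-PLACEHOLDER";
    xianyun = "ssh-ed25519 AAAA...XIANYUN-HOST-KEY-PLACEHOLDER";
    # Non-server hosts (laptops, desktops) would also be listed here; they are
    # part of allHosts but deliberately not part of any server group.
  };

  # Core helper: a list of host keys plus the user key.
  someHosts = hostKeys: hostKeys ++ [ user ];

  # Groups are built explicitly so that adding a host to `hosts` never
  # silently widens access to service credentials.
  privateServers = with hosts; someHosts [ paimon fischl ];
  publicServers  = with hosts; someHosts [ lumine xianyun ];
  allServers     = with hosts; someHosts [ paimon fischl lumine xianyun ];
  allHosts       = someHosts (builtins.attrValues hosts);
in
{
  inherit user hosts someHosts privateServers publicServers allServers allHosts;
}
```

Because `allServers` lists its members explicitly rather than deriving them from `hosts`, a newly added workstation key only ever ends up in `allHosts`; granting it service credentials has to be a deliberate edit, followed by `agenix -r` to rekey.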

secrets.nix Format

```nix
let
  pubKeys = import ./pubkeys.nix;
in
with pubKeys;
with pubKeys.hosts;
{
  # Simple
  "myservice-env.age".publicKeys = someHosts [ paimon ];

  # With expiry
  "oauth-token.age" = {
    publicKeys = allServers;
    expiryDates = [ "2026-12-31" ];
  };
}
```

Secret Content Formats

Environment file (most common):

```text
API_KEY=sk-abc123
DATABASE_URL=postgresql://user:pass@host/db
```

Single value:

```text
mysecretpassword
```

Commands

| Command | Purpose |
|---|---|
| `agenix -e secrets/<name>.age` | Edit/create secret |
| `agenix -r` | Rekey all (after pubkey changes) |
| `nix run .#chkexp` | Check expiring secrets |

Usage in Modules

Register secret:

```nix
codgician.system.agenix.secrets = lib.genAttrs
  [ "myservice-env" ]
  (name: { owner = cfg.user; group = cfg.group; mode = "0600"; });
```

Reference in service:

```nix
systemd.services.myservice.serviceConfig.EnvironmentFile =
  config.age.secrets."myservice-env".path;
```
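The two snippets above are fragments of one module, and the `cfg` they reference is not shown. The following is an added example of a complete module that declares the options `cfg` comes from, registers the secret, and wires it into the service; `codgician.system.agenix.secrets` is the option the page documents, while the `services.myservice` options, the dedicated user/group and the `ExecStart` binary are assumptions for illustration:

```nix
# myservice.nix (added example; services.myservice options, user/group and
# ExecStart are assumed, not the project's own module)
{ config, lib, pkgs, ... }:
let
  cfg = config.services.myservice;
in
{
  options.services.myservice = {
    enable = lib.mkEnableOption "myservice";
    user = lib.mkOption { type = lib.types.str; default = "myservice"; };
    group = lib.mkOption { type = lib.types.str; default = "myservice"; };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated system account: the decrypted file is owned by it with mode
    # 0600, so no other service on the host can read the credentials.
    users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; };
    users.groups.${cfg.group} = { };

    # Register the secret; agenix decrypts secrets/myservice-env.age into
    # /run/agenix/ at activation with the given owner/group/mode.
    codgician.system.agenix.secrets = lib.genAttrs [ "myservice-env" ]
      (name: { owner = cfg.user; group = cfg.group; mode = "0600"; });

    systemd.services.myservice = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        # Always resolve the path through the option, never a hardcoded
        # "/run/agenix/myservice-env": the option follows agenix if the
        # mount point or naming changes.
        EnvironmentFile = config.age.secrets."myservice-env".path;
        ExecStart = "${pkgs.hello}/bin/hello"; # placeholder for the real binary
      };
    };
  };
}
```

With this layout the secret's owner, the service's `User=` and the `EnvironmentFile=` all derive from the same `cfg` values, so renaming the account in one place cannot leave the decrypted file unreadable by the service.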

Critical Rules

  • Always use: config.age.secrets.<name>.path
  • Never hardcode: "/run/agenix/<name>"
  • Secrets decrypt to /run/agenix/ at runtime