nix-rage is an age/rage-based tool for managing encrypted configuration files within the Nix ecosystem. Unlike agenix or sops-nix, this tool is not designed for the secure use of passwords, tokens, etc. It is designed to hide personal information in public repositories. If you want to share your fancy nix config, but do not want to disclose your home address or your "secret" email, then this is the tool for you.

Strongly inspired by oddlama's article "Evaluation time secrets in Nix: Importing encrypted nix files".


The nix-rage package is currently in an unstable development phase and is not recommended for use in sensitive configurations.


  • Seamless Integration: Integrate encrypted configuration files directly within your Nix configuration.
  • Simplicity: No need to preconfigure your repository with external tools (like git-crypt).
  • Security: Securely manage sensitive configurations without exposing them in plaintext to the public.


You need to add plugin-files to your nix.conf (~/.config/nix/nix.conf or /etc/nix/nix.conf):

# with nix-env:
plugin-files = /home/YOURUSERNAMEHERE/.nix-profile/lib/

# with cargo build:
plugin-files = /path/to/repo/target/debug/

# inside nix config:
plugin-files = ${pkgs.nix-rage}/lib/

Nix Flake example:

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
    nix-rage.url = "github:renesat/nix-rage";
    nix-rage.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = {self, nixpkgs, nix-rage, ...}: {
    nixosConfigurations = {
      myhostname = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          {
            # Load the nix-rage plugin from the flake's package output.
            nix.extraOptions = let
              nix-rage-package = nix-rage.packages."x86_64-linux".default;
            in ''
              plugin-files = ${nix-rage-package}/lib/
            '';
          }
        ];
      };
    };
  };
}

Build From Source

Clone the repository and build nix-rage locally:

git clone https://github.com/renesat/nix-rage
cd nix-rage

# Using nix
nix build

# Using cargo
cargo build


First, create the secret config, secret.nix:

{
  mySecretEmail = "me@example.com"; # placeholder address
}

Now encrypt secret.nix using age:

# age expects the input file after all flags
age --encrypt -r <AGE-KEY> -o secret.nix.age secret.nix

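Now we can use this file in our config:

let
  # Decrypt secret.nix.age with the identity in ./secret-key and import the result.
  secrets = builtins.importAge [ ./secret-key ] ./secret.nix.age {};
in {
  # <OPTION> is a placeholder for the option that should receive the value.
  <OPTION> = secrets.mySecretEmail;
}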

Also, you can read other files:

let
  secretConfig = builtins.readAgeFile [ ./secret-key ] ./secret.toml.age {};
in {
  # use secretConfig here
}
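
A pre-publication check for the workflow above, as an added example that is not part of nix-rage: it scans a tree for plaintext left beside a .age file, .age files that lack the age header, and age identity (private key) material. The function name audit_age_repo and the finding labels are assumptions of this example; it assumes age identities rather than SSH keys, and that it is run over the tree that will be published, such as a fresh clone.

```sh
#!/bin/sh
# Added example (not nix-rage code): audit a tree before publishing it.
# Prints one finding per line and returns non-zero if anything was found.
audit_age_repo() {
    root=$1
    findings=$(
        find "$root" -name .git -prune -o -type f -name '*.age' -print |
        while IFS= read -r enc; do
            # 1. Plaintext left next to its ciphertext
            #    (secret.nix beside secret.nix.age).
            plain=${enc%.age}
            if [ -f "$plain" ]; then
                echo "PLAINTEXT $plain"
            fi
            # 2. A *.age file that is not age output. Binary age files start
            #    with the version line, armored ones with the PEM-style marker.
            first=$(head -n 1 "$enc")
            case $first in
                age-encryption.org/v1) ;;
                '-----BEGIN AGE ENCRYPTED FILE-----') ;;
                *) echo "NOT-ENCRYPTED $enc" ;;
            esac
        done
        # 3. age identities anywhere in the tree (they begin AGE-SECRET-KEY-1).
        find "$root" -name .git -prune -o -type f -print |
        while IFS= read -r f; do
            if grep -q -e 'AGE-SECRET-KEY-1' -- "$f"; then
                echo "PRIVATE-KEY $f"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run as a script: sh audit.sh /path/to/fresh-clone
if [ "$#" -gt 0 ]; then
    audit_age_repo "$1"
fi
```

A non-zero exit makes the function usable as a pre-push or CI gate on the public repository.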


Contributions are welcome! Feel free to open issues or submit pull requests on GitHub.

Related software

You might also be interested in:


nix-rage is licensed under the MIT License. See the LICENSE file for more information.