Secrets are managed using opnix, a built-in 1Password integration for Nix. This provides secure, declarative secrets management without committing sensitive data to the repository.
- Install 1Password CLI: The
opCLI tool must be available on your system - Create a token file: Store your 1Password service account token at
/etc/opnix-tokenecho "your-service-account-token" | sudo tee /etc/opnix-token sudo chmod 600 /etc/opnix-token
- Configure secrets: Add secrets in
nix/modules/system/onepassword.nix:services.onepassword-secrets = { enable = true; tokenFile = "/etc/opnix-token"; secrets = { mySecret = { reference = "op://VaultName/ItemName/field"; }; }; };
- Secrets are referenced using 1Password URI format:
op://VaultName/ItemName/field - The opnix service runs at boot and fetches secrets from 1Password
- Secrets are made available to the system without being stored in the Nix store
- The token file (
/etc/opnix-token) is never committed to version control
For WSL systems, 1Password SSH agent is integrated via 1password-agent.nix:
- SSH agent is forwarded from Windows host to WSL using npiperelay
- SSH_AUTH_SOCK is automatically configured system-wide
- Git operations can use SSH keys stored in 1Password
- Enable WSL if you haven't done already:
wsl --install --no-distribution
- Download nixos.wsl from the latest release.
- Double-click the file you just downloaded (requires WSL >= 2.4.4)
- You can now run NixOS:
wsl -d NixOS
- The following commands:
cdexport NIXPKGS_ALLOW_UNFREE=1nix-shell -p git fzfgit clone https://github.com/Dumspy/dotfiles.gitcd ./dotfilesdotfiles/rebuild.sh
npiperelay is needed for the SSH agent forwarding to work from the host system to the WSL instance. Ensure that npiperelay is added to the PATH of the host Windows system.