██████╗ ██████╗ ███╗ ██╗██╗██╗ ██╗
██╔═══██╗██╔══██╗████╗ ██║██║╚██╗██╔╝
██║ ██║██████╔╝██╔██╗ ██║██║ ╚███╔╝
██║ ██║██╔═══╝ ██║╚██╗██║██║ ██╔██╗
╚██████╔╝██║ ██║ ╚████║██║██╔╝ ██╗
╚═════╝ ╚═╝ ╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝
Secure integration between 1Password and NixOS for managing secrets during system builds and home directory setup.
╭────────────────────────────────────────────╮
│ • Secure secret storage in 1Password │
│ • NixOS integration via service accounts │
│ • Build-time secret retrieval │
│ • Home Manager secret management │
╰────────────────────────────────────────────╯
Add OPNix to your NixOS configuration:

    {
      inputs.nixpkgs.url = "github:NixOS/nixpkgs";
      inputs.opnix.url = "github:brizzbuzz/opnix";
      # Only needed for the home-manager block below
      inputs.home-manager.url = "github:nix-community/home-manager";

      outputs = { self, nixpkgs, opnix, home-manager }: {
        nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";  # adjust to your platform
          modules = [
            opnix.nixosModules.default
            ./configuration.nix
          ];
        };

        # If using home-manager
        homeConfigurations.yourusername = home-manager.lib.homeManagerConfiguration {
          pkgs = nixpkgs.legacyPackages.x86_64-linux;  # adjust to your platform
          modules = [
            opnix.homeManagerModules.default
            ./home.nix
          ];
        };
      };
    }
- Create a 1Password service account and generate a token:
  - Follow the 1Password documentation

- Store the token securely:

      # Using the opnix CLI (recommended)
      sudo opnix token set
      # Or with a custom path
      sudo opnix token set -path /path/to/token

- Create a secrets configuration file for system secrets:

      {
        "secrets": [
          { "path": "mysql/root-password", "reference": "op://vault/database/root-password" },
          { "path": "ssl/private-key", "reference": "op://vault/certificates/private-key" }
        ]
      }

- Enable OPNix in your NixOS configuration:

      {
        services.onepassword-secrets = {
          enable = true;
          users = [ "yourusername" ];                 # Users that need secret access
          tokenFile = "/etc/opnix-token";             # Default location
          configFile = "/path/to/your/secrets.json";
          outputDir = "/var/lib/opnix/secrets";       # Optional, this is the default
        };
      }
- (Optional) Set up Home Manager integration for user-specific secrets:

      {
        programs.onepassword-secrets = {
          enable = true;
          secrets = [
            {
              # Paths are relative to home directory
              path = ".ssh/id_rsa";
              reference = "op://Personal/ssh-key/private-key";
            }
            {
              path = ".config/secret-app/token";
              reference = "op://Work/api/token";
            }
          ];
        };
      }
╭─ CLI Commands ──────────────────────────────╮
│ opnix secret │
│ └─ Retrieve secrets from 1Password │
│ │
│ opnix token set │
│ └─ Set up service account token │
╰───────────────────────────────────────────╯
- Store token file with proper permissions (600 for system, 640 for group access)
- Default location: /etc/opnix-token
- Never commit tokens to version control
- Access controlled via onepassword-secrets group for Home Manager users
- Use minimal required permissions
- Rotate tokens regularly
- Monitor service account activity
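The secrets.json format from the setup steps and the token file permissions listed above can be checked before a rebuild. The following Go program is an added example, not part of OPNix or the 1Password SDK; the function names, the `op://<vault>/<item>/<field>` segment check and the test that an output path cannot escape outputDir are my own assumptions about what a preflight check should enforce.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SecretEntry mirrors one element of secrets.json's "secrets" array.
type SecretEntry struct {
	Path      string `json:"path"`      // written relative to outputDir
	Reference string `json:"reference"` // op://<vault>/<item>/<field>
}

// ValidateConfig parses secrets.json and reports each reference that is not
// op://<vault>/<item>/<field> and each path that would land outside outputDir.
func ValidateConfig(raw []byte, outputDir string) ([]string, error) {
	var cfg struct{ Secrets []SecretEntry `json:"secrets"` }
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var problems []string
	root := filepath.Clean(outputDir) + string(filepath.Separator)
	for _, s := range cfg.Secrets {
		parts := strings.Split(strings.TrimPrefix(s.Reference, "op://"), "/")
		if !strings.HasPrefix(s.Reference, "op://") || len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
			problems = append(problems, fmt.Sprintf("%s: malformed reference %q", s.Path, s.Reference))
		}
		// Join+Clean resolves ".."; an absolute Path would be joined under root, so test it separately.
		target := filepath.Clean(filepath.Join(outputDir, s.Path))
		if filepath.IsAbs(s.Path) || !strings.HasPrefix(target, root) {
			problems = append(problems, fmt.Sprintf("%s: path escapes %s", s.Path, outputDir))
		}
	}
	return problems, nil
}
// CheckTokenFileMode rejects any permission bit beyond 0640, so the README's
// 0600 (system) and 0640 (group access) pass and world-readable files fail.
func CheckTokenFileMode(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if mode := info.Mode().Perm(); mode&^0o640 != 0 {
		return fmt.Errorf("%s has mode %04o, expected 0600 or 0640", path, mode)
	}
	return nil
}
```

Run `ValidateConfig` on the file you pass as configFile and `CheckTokenFileMode` on tokenFile (default /etc/opnix-token) as a pre-commit or CI step.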
Common issues and solutions:

- Token File Issues:
  Error: Token file not found
    ▪ Check if /etc/opnix-token exists
    ▪ Verify file permissions
    ▪ For Home Manager, ensure the user is in the onepassword-secrets group

- Authentication Problems:
  Error: Authentication failed
    ▪ Verify token validity
    ▪ Check service account permissions

- Secret Access:
  Error: Cannot access secret
    ▪ Verify the secret reference format (op://vault/item/field)
    ▪ Check service account vault access
For local development:
# Enter development shell
nix develop
# Run tests
go test ./...
- Inspired by agenix
- Built with 1Password SDK for Go