modules/age: add option to disable symlinking

There are some cases where it may be better or even required to have the secret be a file that is not a symlink. Setting age.secrets.some-secret.symlink = false; will disable the default functionality of symlinking secrets and instead just forcibly move them to their `path`.
2025-07-30 02:07:44 +00:00 · 2021-11-08 09:45:34 -08:00 · 2021-11-08 09:45:34 -08:00 · 7bb0b5d7f1
commit 7bb0b5d7f1
parent e538664435
2 changed files with 26 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -193,6 +193,22 @@ randomness in `age`'s encryption algorithms, the files always change
 when rekeyed, even if the identities do not. (This eventually could be
 improved upon by reading the identities from the age file.)

+## Don't symlink secret
+
+If your secret cannot be a symlink, you should set the `symlink` option to `false`:
+
+```nix
+{
+  age.secrets.some-secret = {
+    file = ./secret;
+    path = "/var/lib/some-service/some-secret";
+    symlink = false;
+  };
+}
+```
+
+Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
+
 ## Threat model/Warnings

 This project has not be audited by a security professional.