### Define a Template with Content (Nginx Example) Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/templates-reference.md Another example of defining a template using the `content` option, specifically for Nginx configuration, demonstrating placeholder usage for a private key. ```nix { sops.templates."nginx-config".content = '' ssl_certificate_key "${config.sops.placeholder.nginx-key}"; ''; } ``` -------------------------------- ### Placeholder System Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/home-manager-module-reference.md Demonstrates how sops-nix generates unique placeholders for secrets to be injected into configuration files. ```nix { sops.secrets.db-password = {}; sops.templates.my-app-config.content = '' [database] password = "${config.sops.placeholder.db-password}" ''; } ``` -------------------------------- ### INI Configuration File Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/formats-and-types.md An example of an INI file structure, including sections and key-value pairs. This format is supported by SOPS-NIX for encrypted configuration. ```ini # config.ini (encrypted) [database] host = localhost port = 5432 username = dbuser password = dbpassword [api] endpoint = https://api.example.com key = secret-key-value [settings] debug = false timeout = 30 ``` -------------------------------- ### Example sops-nix Configuration Source: https://github.com/mic92/sops-nix/blob/master/README.md This is an example of an encrypted YAML file managed by sops-nix. It shows how secrets are represented after encryption. ```yaml example-key: example-value # Nesting the key results in the creation of directories. # These directories will be owned by root:keys and have permissions 0751. myservice: my_subdir: my_secret: password1 ``` An example result when saving this file could be: ``` example-key: ENC[AES256_GCM,data:AB8XMyid4P7mXdjj+A==,iv:RRsZC+V+3w22pOi/2TCjBYn/0OYsNGCu5CT1ZBSKGi0=,tag:zT5mlujrSuA6KKxLKL8CMQ==,type:str] #ENC[AES256_GCM,data:59QWbzCQCP7kLdhyjFOZe503MgegN0kv505PBNHwjp6aYztDHwx2N9+A1Bz6G/vWYo+4LpBo8/s=,iv:89q3ZXgM1wBUg5G29ROor3VXrO3QFGCvfwDoA3+G14M=,tag:hOSnEZ6DKycnF37LCXOjzg==,type:comment] #ENC[AES256_GCM,data:kUuJCkDE9JT9C+kdNe0CSB3c+gmgE4We1OoX4C1dWeoZCw/o9/09CzjRi9eOBUEL0P1lrt+g6V2uXFVq4n+M8UPGUAbRUr3A,iv:nXJS8wqi+ephoLynm9Nxbqan0V5dBstctqP0WxniSOw=,tag:ALx396Z/IPCwnlqH//Hj3g==,type:comment] myservice: my_subdir: my_secret: ENC[AES256_GCM,data:hcRk5ERw60G5,iv:3Ur6iH1Yu0eu2otcEv+hGRF5kTaH6HSlrofJ5JXvewA=,tag:hpECXFnMhGNnAxxzuGW5jg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - recipient: age12zlz6lvcdk6eqaewfylg35w0syh58sm7gh53q5vvn7hd7c6nngyseftjxl enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dFYvSTRHa3IwTVpuZjEz SDZZQnc5a0dGVGEzNXZmNEY5NlZDbVgyNVU0Clo3ZC9MRGp4SHhLUTVCeWlOUUxS MEtPdW4rUHhjdFB6bFhyUXRQTkRpWjAKLS0tIDVTbWU2V3dJNUZrK1A5U0c5bkc0 S3VINUJYc3VKcjBZbHVqcGJBSlVPZWcKqPXE01ienWDbTwxo+z4dNAizR3t6uTS+ KbmSOK1v61Ri0bsM5HItiMP+fE3VCyhqMBmPdcrR92+3oBmiSFnXPA== -----END AGE ENCRYPTED FILE----- - recipient: age18jtffqax5v0t6ehh4ypaefl4mfhcrhn6ek3p80mhfp9psx6pd35qew2ww3 enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT3FxcDEzaFRQOVFpNkg2 Skw4WEIxZzNTWkNBaDRhcUN2ejY4QTAwTERvCkx2clIzT2wyaFJZjl0RkFXL2p6 enhqVEZ3ZkNKUU5jTlUxRC9Lb090TzAKLS0tIDBEaG00RFJDZ3ZVVjBGUWJkRHdQ YkpudG43eURPVWJUejd3Znk5Z29lWlkK0cIngn2qdmiOE5rHOHxTRcjfZYuY3Ej7 Yy7nYxMwTdYsm/V6Lp2xm8hvSzBEIFL+JXnSTSwSHnCIfgle5BRbug== -----END AGE ENCRYPTED FILE----- lastmodified: "2021-11-20T16:21:10Z" mac: ENC[AES256_GCM,data:5ieT/yv1GZfZFr+OAZ/DBF+6DJHijRXpjNI2kfBun3KxDkyjiu/OFmAbsoVFY/y6YCT3ofl4Vwa56Veo3iYj4njgxyLpLuD1B6zkMaNXaPywbAhuMho7bDGEJZHrlYOUNLdBqW2ytTuFA095IncXE8CFGr38A2hfjcputdHk4R4=,iv:UcBXWtaquflQFNDphZUqahADkeege5OjUY38pLIcFkU=,tag:yy+HSMm+xtX+vHO78nej5w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 ``` -------------------------------- ### Persist sops-nix Key File Source: https://github.com/mic92/sops-nix/blob/master/README.md Example configuration for persisting the sops-nix key file in a known location for use with Impermanence. ```nix sops.age.keyFile = "/nix/persist/var/lib/sops-nix/key.txt"; ``` -------------------------------- ### Example SOPS Nix Manifest Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/manifest-json-schema.md Demonstrates the structure of a SOPS Nix manifest file, including definitions for secrets, templates, and other configuration options. ```json { "secrets": [ { "name": "api-key", "key": "api/key", "path": "/run/secrets/api-key", "owner": null, "uid": 0, "group": null, "gid": 0, "sopsFile": "/nix/store/abc123-secrets.yaml", "format": "yaml", "mode": "0400", "restartUnits": [], "reloadUnits": [] }, { "name": "db-password", "key": "database/password", "path": "/run/secrets/db-password", "owner": "postgres", "uid": null, "group": "postgres", "gid": null, "sopsFile": "/nix/store/abc123-secrets.yaml", "format": "yaml", "mode": "0400", "restartUnits": ["postgresql.service"], "reloadUnits": [] }, { "name": "nginx-key", "key": "", "path": "/etc/nginx/secrets/key.pem", "owner": "nginx", "uid": null, "group": "nginx", "gid": null, "sopsFile": "/nix/store/def456-nginx.key.enc", "format": "binary", "mode": "0400", "restartUnits": ["nginx.service"], "reloadUnits": [] } ], "templates": [ { "name": "app-config", "content": "[api]\nkey = \n\n[database]\npassword = \n", "path": "/etc/myapp/config.ini", "mode": "0400", "owner": "myapp", "uid": null, "group": "myapp", "gid": null, "file": "", "restartUnits": ["myapp.service"], "reloadUnits": [] } ], "placeholderBySecretName": { "api-key": "", "db-password": "" }, "secretsMountPoint": "/run/secrets.d", "symlinkPath": "/run/secrets", "keepGenerations": 1, "sshKeyPaths": [], "gnupgHome": "", "ageKeyFile": "/var/lib/sops-nix/key.txt", "ageSshKeyPaths": ["/etc/ssh/ssh_host_ed25519_key"], "useTmpfs": false, "userMode": false, "logging": { "keyImport": true, "secretChanges": true } } ``` -------------------------------- ### Example Plain YAML File Content Source: https://github.com/mic92/sops-nix/blob/master/README.md An example of a YAML file where the entire content is treated as a secret, using `key = ""`. This file would be mounted as `/run/secrets/my-config`. ```yaml my-secret1: ENC[AES256_GCM,data:tkyQPQODC3g=,iv:yHliT2FJ74EtnLIeeQtGbOoqVZnF0q5HiXYMJxYx6HE=,tag:EW5LV4kG4lcENaN2HIFiow==,type:str] my-secret2: ENC[AES256_GCM,data:tkyQPQODC3g=,iv:yHliT2FJ74EtnLIeeQtGbOoqVZnF0q5HiXYMJxYx6HE=,tag:EW5LV4kG4lcENaN2HIFiow==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] ... ``` -------------------------------- ### Morph Deployment with sops-nix Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/common-patterns.md Demonstrates how to use sops-nix within a Morph deployment configuration. This setup specifies the target host, port, user, and the path to the sops file and age key. ```nix { network = { description = "Production cluster"; enableRollback = true; }; "prod-01" = { ... }: { deployment = { targetHost = "prod-01.internal"; targetPort = 22; targetUser = "deploy"; }; imports = [ ./common.nix ]; sops.defaultSopsFile = ./secrets/prod.yaml; sops.age.keyFile = "/var/lib/sops-nix/key.txt"; }; } ``` -------------------------------- ### YAML Example Secrets Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/formats-and-types.md An example of a YAML file containing secrets, demonstrating nested structures and simple key-value pairs. ```yaml # secrets.yaml (encrypted with sops) api: key: secret-api-key endpoint: https://api.example.com database: host: localhost port: 5432 username: dbuser password: dbpassword simple_secret: simple-value ``` -------------------------------- ### JSON Example Secrets Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/formats-and-types.md An example of a JSON file containing secrets, demonstrating nested objects. ```json { "api": { "key": "secret-api-key", "endpoint": "https://api.example.com" }, "database": { "credentials": { "username": "dbuser", "password": "dbpassword" } } } ``` -------------------------------- ### Configure sops.yaml Source: https://github.com/mic92/sops-nix/blob/master/README.md Example configuration for .sops.yaml to specify age public key or GPG fingerprint for encrypting new files. ```yaml # This example uses YAML anchors which allows reuse of multiple keys # without having to repeat yourself. # Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml ``` -------------------------------- ### Configure Template Path and Owner Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/templates-reference.md This example shows how to specify a custom filesystem path for the rendered template and set the owner and group for the resulting file. This is useful for system services that require specific file permissions and locations. ```nix { sops.templates."postgres-config" = { path = "/etc/postgresql/postgresql.conf"; owner = "postgres"; group = "postgres"; }; } ``` -------------------------------- ### Dotenv Secret Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/formats-and-types.md Example of an encrypted .env file containing multiple environment variables. ```dotenv # secrets.env (encrypted) API_KEY=my-secret-api-key DATABASE_URL=postgresql://user:pass@localhost/db SECRET_TOKEN=abc123xyz ``` -------------------------------- ### Dotenv Secret Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/sops-install-secrets-binary.md Shows a basic .env file format for secrets. Each line represents a key-value pair. ```dotenv KEY1=value1 KEY2=value2 ``` -------------------------------- ### NixOps Deployment with sops-nix Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/common-patterns.md Example of configuring NixOps to use sops-nix for managing secrets on a server. Ensure the sops.defaultSopsFile and sops.age.keyFile are correctly set. ```nix { network.description = "My infrastructure"; server1 = { config, ... }: { deployment.targetHost = "server1.example.com"; imports = [ ]; sops.defaultSopsFile = ./servers/server1/secrets.yaml; sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # Server configuration }; server2 = { ... }: { deployment.targetHost = "server2.example.com"; # Similar configuration }; } ``` -------------------------------- ### Basic sops-nix Setup with Age Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/common-patterns.md Minimal configuration for sops-nix using the age encryption backend. Specifies the location of the encrypted secrets file and the age key file, and defines a basic secret. ```nix { config, ... }: { imports = [ ]; # Location of encrypted secrets file sops.defaultSopsFile = ./secrets.yaml; # Age configuration sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.generateKey = true; # Define a secret sops.secrets.api-token = { owner = "myapp"; group = "myapp"; mode = "0400"; }; } ``` -------------------------------- ### NixOS Configuration with sops-nix Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/nixos-module-reference.md Example NixOS configuration demonstrating how to import and use the sops-nix module to manage secrets. It shows default sops file location, age key file configuration, defining secrets, and configuring a service to use a secret. ```nix { config, lib, pkgs, ... }: { imports = [ ]; # Default sops file location sops.defaultSopsFile = ./secrets.yaml; # Age configuration sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.generateKey = true; # Define secrets sops.secrets.db-password = { owner = config.users.users.postgres.name; group = config.users.users.postgres.group; mode = "0400"; restartUnits = ["postgresql.service"]; }; sops.secrets.app-config = { owner = "appuser"; format = "json"; }; # Configure service to use secret systemd.services.myapp = { description = "My Application"; wantedBy = ["multi-user.target"]; serviceConfig = { User = "appuser"; ExecStart = "${pkgs.myapp}/bin/myapp --config ${config.sops.secrets.app-config.path}"; }; }; } ``` -------------------------------- ### Persist SSH File System Source: https://github.com/mic92/sops-nix/blob/master/README.md Example configuration to ensure the `/etc/ssh` file system is available during boot, which might be necessary for sops-nix key decryption. ```nix fileSystems."/etc/ssh".neededForBoot = true; ``` -------------------------------- ### Multi-Machine Setup with sops-nix Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/common-patterns.md Configure secrets per-host while sharing a common repository. Each server configuration points to its specific secrets file and uses the sops-nix module. ```nix # flake.nix { outputs = { self, nixpkgs, sops-nix }: { nixosConfigurations = { server1 = nixpkgs.lib.nixosSystem { modules = [ ./common.nix ./servers/server1/configuration.nix sops-nix.nixosModules.sops ]; }; server2 = nixpkgs.lib.nixosSystem { modules = [ ./common.nix ./servers/server2/configuration.nix sops-nix.nixosModules.sops ]; }; }; }; } ``` ```nix # servers/server1/configuration.nix { config, ... }: { sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.defaultSopsFile = ./secrets.server1.yaml; sops.secrets.db-password = { owner = "postgres"; }; } ``` -------------------------------- ### Import sops-nix Modules Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/README.md Import the sops-nix module for NixOS or Home-manager configurations. Ensure the module path is correct for your setup. ```nix # NixOS imports = [ ]; # Home-manager (system-wide) home-manager.sharedModules = [ ]; # Home-manager (standalone) imports = [ ]; ``` -------------------------------- ### YAML Secret Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/sops-install-secrets-binary.md Demonstrates a simple YAML structure for a secret. Access nested values using a slash-separated path. ```yaml key1: value1 nested: key2: value2 ``` -------------------------------- ### Manifest JSON Schema - placeholderBySecretName Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/manifest-json-schema.md Illustrates how to map secret names to their corresponding placeholder strings within the manifest JSON. ```json { "placeholderBySecretName": { "api-key": "", "db-password": "" } } ``` -------------------------------- ### Configure Template Reload Units Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/templates-reference.md This example shows how to specify systemd units that should be reloaded when the rendered template file changes. This is often used for services that can apply configuration changes without a full restart. ```nix { sops.templates."postgres-config" = { reloadUnits = ["postgresql.service"]; }; } ``` -------------------------------- ### Example SOPS Configuration with PGP and Age Keys Source: https://github.com/mic92/sops-nix/blob/master/README.md This YAML configuration defines key groups for encryption and decryption rules. It includes PGP keys (e.g., `*admin_alice`, `*server_azmidi`) and Age keys (e.g., `*admin_bob`, `*server_nosaxa`) for different secret paths. ```yaml keys: - &admin_alice 2504791468b153b8a3963cc97ba53d1919c5dfd4 - &admin_bob age12zlz6lvcdk6eqaewfylg35w0syh58sm7gh53q5vvn7hd7c6nngyseftjxl - &server_azmidi 0fd60c8c3b664aceb1796ce02b318df330331003 - &server_nosaxa age1rgffpespcyjn0d8jglk7km9kfrfhdyev6camd3rck6pn8y47ze4sug23v3 creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *admin_alice - *server_azmidi age: - *admin_bob - *server_nosaxa - path_regex: secrets/azmidi/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *admin_alice - *server_azmidi age: - *admin_bob ``` -------------------------------- ### Install sops-nix with Nix Flakes Source: https://github.com/mic92/sops-nix/blob/master/README.md Add sops-nix as an input to your Nix flakes configuration. This is the recommended method for integrating sops-nix with NixOS. ```nix { inputs.sops-nix.url = "github:Mic92/sops-nix"; inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs"; outputs = { self, nixpkgs, sops-nix }: { # change `yourhostname` to your actual hostname nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem { # customize to your system system = "x86_64-linux"; modules = [ ./configuration.nix sops-nix.nixosModules.sops ]; }; }; } ``` -------------------------------- ### SOPS-NIX Secret Extraction Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/formats-and-types.md Illustrates how SOPS-NIX extracts secrets from a YAML structure, treating all values as strings in the output Nix configuration. ```nix { sops.secrets.number = { key = "number"; }; # value: "42" sops.secrets.bool = { key = "boolean"; }; # value: "true" sops.secrets.str = { key = "string"; }; # value: "hello" } ``` -------------------------------- ### NixOS Configuration for Secrets Source: https://github.com/mic92/sops-nix/blob/master/README.md Example NixOS configuration to integrate sops-nix secrets. This includes specifying the default sops file, SSH key paths for age, and defining individual secrets. ```nix { # This will add secrets.yml to the nix store # You can avoid this by adding a string to the full path instead, i.e. # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; sops.defaultSopsFile = ./secrets/example.yaml; # This will automatically import SSH keys as age keys sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # This is using an age key that is expected to already be in the filesystem sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # This will generate a new key if the key specified above does not exist sops.age.generateKey = true; # This is the actual specification of the secrets. sops.secrets.example-key = {}; sops.secrets."myservice/my_subdir/my_secret" = {}; } ``` -------------------------------- ### Initialize GPG Key for sops-nix Source: https://github.com/mic92/sops-nix/blob/master/README.md Use the `sops-init-gpg-key` helper tool to initialize a GPG key for use with sops-nix. This command requires specifying a hostname and a GPG home directory. ```console $ nix run github:Mic92/sops-nix#sops-init-gpg-key -- --hostname server01 --gpghome /tmp/newkey ``` -------------------------------- ### Install sops-nix with Nix Flakes for Nix-Darwin Source: https://github.com/mic92/sops-nix/blob/master/README.md Integrate sops-nix into your nix-darwin configuration using flakes. This allows for global installation on macOS systems managed by nix-darwin. ```nix { inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; inputs.nix-darwin.url = "github:nix-darwin/nix-darwin/master"; inputs.nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; inputs.sops-nix.url = "github:Mic92/sops-nix"; #inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs"; outputs = { self, nix-darwin, nixpkgs, sops-nix }: { darwinConfigurations.yourhostname = nix-darwin.lib.darwinSystem { modules = [ ./configuration.nix sops-nix.darwinModules.sops ]; }; }; } ``` -------------------------------- ### Inspect sops-nix Manifest Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/common-patterns.md Instantiate the Nix system and pipe the output to `jq` to inspect the generated sops-nix manifest. This helps in understanding the generated secrets. ```bash nix-instantiate --eval '' \ -A system.build.sops-nix-manifest | jq . ``` -------------------------------- ### sops-install-secrets CLI Usage Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/sops-install-secrets-binary.md Basic command-line syntax for running the sops-install-secrets binary. Requires a manifest file as input. ```bash sops-install-secrets [options] ``` -------------------------------- ### Import sops-nix Home Manager Module (Flakes, home.nix) Source: https://github.com/mic92/sops-nix/blob/master/README.md Import the sops-nix home-manager module when using the Flakes approach with a standalone home.nix configuration. ```nix { # Configuration via home.nix imports = [ inputs.sops-nix.homeManagerModules.sops ]; } ``` -------------------------------- ### Example Encrypted Binary File Content Source: https://github.com/mic92/sops-nix/blob/master/README.md An example of the content of an encrypted binary file, showing the 'data' and 'sops' fields. This format is used when the secret cannot be represented in JSON or YAML. ```json { "data": "ENC[AES256_GCM,data:bIsPHrjrl9wxvKMcQzaAbS3RXCI2h8spw2Ee+KYUTsuousUBU6OMIdyY0wqrX3eh/1BUtl8H9EZciCTW29JfEJKfi3ackGufBH+0wp6vLg7r,iv:TlKiOmQUeH3+NEdDUMImg1XuXg/Tv9L6TmPQrraPlCQ=,tag:dVeVvRM567NszsXKK9pZvg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "lastmodified": "2020-07-06T06:21:06Z", "mac": "ENC[AES256_GCM,data:ISjUzaw/5mNiwypmUrOk2DAZnlkbnhURHmTTYA3705NmRsSyUh1PyQvCuwglmaHscwl4GrsnIz4rglvwx1zYa+UUwanR0+VeBqntHwzSNiWhh7qMAQwdUXmdCNiOyeGy6jcSDsXUeQmyIWH6yibr7hhzoQFkZEB7Wbvcw6Sossk=,iv:UilxNvfHN6WkEvfY8ZIJCWijSSpLk7fqSCWh6n8+7lk=,tag:HUTgyL01qfVTCNWCTBfqXw==,type:str]", "pgp": [ { ``` -------------------------------- ### Declare Systemd Service Dependency on sops-nix Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/home-manager-module-reference.md Ensure a custom systemd user service starts after the sops-nix service has completed its secret provisioning. This guarantees secrets are available when your service starts. ```nix { systemd.user.services.myservice = { Unit.After = ["sops-nix.service"]; }; } ``` -------------------------------- ### Import sops-nix Home Manager Module (Channel, home.nix) Source: https://github.com/mic92/sops-nix/blob/master/README.md Import the sops-nix home-manager module when using the channel approach with a standalone home.nix configuration. ```nix { # Configuration via home.nix imports = [ ]; } ``` -------------------------------- ### JSON Secret Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/sops-install-secrets-binary.md Illustrates a JSON object for storing secrets. Nested keys are accessed similarly to YAML. ```json { "key1": "value1", "nested": { "key2": "value2" } } ``` -------------------------------- ### Configure Age Key File and Generation Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/encryption-configuration.md Specify the path to the age private key file and enable automatic key generation if it does not exist. The key file must be a plain path outside the Nix store. ```nix { sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.generateKey = true; } ``` -------------------------------- ### Import sops-nix module with niv Source: https://github.com/mic92/sops-nix/blob/master/README.md Import the sops-nix module into your configuration.nix after adding it via niv. ```nix { imports = [ "${(import ./nix/sources.nix).sops-nix}/modules/sops" ]; } ``` -------------------------------- ### Save Initialized GPG Key to File Source: https://github.com/mic92/sops-nix/blob/master/README.md Save the output of the `sops-init-gpg-key` command to a file in ASCII-armored format. ```console $ cat > server01.asc < The fingerprint here is `9F89C5F69A10281A835014B09C3DC61F752087EF`. ``` -------------------------------- ### Get age public key Source: https://github.com/mic92/sops-nix/blob/master/README.md Retrieve the public key from an age key file. This is useful for sharing your public key. ```console $ age-keygen -y ~/.config/sops/age/keys.txt age12zlz6lvcdk6eqaewfylg35w0syh58sm7gh53q5vvn7hd7c6nngyseftjxl ``` -------------------------------- ### Minimal sops-nix Configuration Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/README.md Set up the default secrets file, age key file, and generate a new key if needed. Define a basic secret for your application. ```nix { sops.defaultSopsFile = ./secrets.yaml; sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.generateKey = true; sops.secrets.my-secret = { owner = "app"; mode = "0400"; }; } ``` -------------------------------- ### INI Secret Example Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/sops-install-secrets-binary.md Presents an INI file format for secrets. Note that values are not extracted, and the entire file is treated as the secret. ```ini [section] key1 = value1 ``` -------------------------------- ### Update sops-nix Keys Source: https://github.com/mic92/sops-nix/blob/master/README.md Command to update keys for secrets when a new host is added to the .sops.yaml file. Requires sops to be installed. ```bash $ nix-shell -p sops --run "sops updatekeys secrets/example.yaml" ``` -------------------------------- ### Create a SOPS file using Nix Shell Source: https://github.com/mic92/sops-nix/blob/master/README.md This command opens a new file with SOPS for editing within a Nix shell environment. Ensure your `.sops.yaml` is configured and your GPG keys are imported. ```console $ nix-shell -p sops --run "sops secrets/example.yaml" ``` -------------------------------- ### Add sops-nix using niv Source: https://github.com/mic92/sops-nix/blob/master/README.md Add the sops-nix repository to your niv sources. This is recommended if you are not using flakes. ```console $ niv add Mic92/sops-nix ``` -------------------------------- ### Nix Configuration with External Template File Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/templates-reference.md Uses an external template file for PostgreSQL configuration, referencing a secret for the password. The template can use placeholders or direct secret references. ```nix { config, ... }: { sops.secrets.db-password = {}; sops.templates."postgresql-config" = { file = ./postgresql.conf.tpl; path = "/etc/postgresql/postgresql.conf"; owner = "postgres"; }; } ``` ```plaintext # PostgreSQL Configuration Template password = ${SOPS::PLACEHOLDER} ssl = on ``` -------------------------------- ### Example YAML Secrets Content Source: https://github.com/mic92/sops-nix/blob/master/README.md Content for a YAML secrets file, including a GitHub token and an SSH private key. The SSH key is a multi-line string. ```yaml github_token: 4a6c73f74928a9c4c4bc47379256b72e598e2bd3 ssh_key: | -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACDENhLwQI4v/Ecv65iCMZ7aZAL+Sdc0Cqyjkd012XwJzQAAAJht4at6beGr egAAAAtzc2gtZWQyNTUxOQAAACDENhLwQI4v/Ecv65iCMZ7aZAL+Sdc0Cqyjkd012XwJzQ AAAEBizgX7v+VMZeiCtWRjpl95dxqBWUkbrPsUSYF3DGV0rsQ2EvBAji/8Ry/rmIIxntpk Av5J1zQKrKOR3TXZfAnNAAAAE2pvZXJnQHR1cmluZ21hY2hpbmUBAg== -----END OPENSSH PRIVATE KEY----- ``` -------------------------------- ### Configure Age Plugins Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/encryption-configuration.md Include age plugins for extended functionality, such as integrating with hardware security modules like YubiKey. ```nix { sops.age.plugins = [ pkgs.age-plugin-yubikey ]; } ``` -------------------------------- ### Example Decrypted Plain File Content Source: https://github.com/mic92/sops-nix/blob/master/README.md The decrypted content of a YAML file when `key = ""`. This shows how secrets are exposed when the entire file is treated as a secret. ```yaml my-secret1: hello my-secret2: hello ``` -------------------------------- ### Generate Manifest with Nix Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/manifest-json-schema.md Generates the manifest.json file using pkgs.writeTextFile. Includes a checkPhase to validate the manifest at evaluation time. ```nix manifestFor = pkgs.writeTextFile { name = "manifest.json"; text = builtins.toJSON { secrets = [ ... ]; templates = [ ... ]; # ... other fields }; checkPhase = '' ${sops-install-secrets}/bin/sops-install-secrets -check-mode=manifest "$out" ''; }; ``` -------------------------------- ### Import sops-nix Home Manager Module (Flakes) Source: https://github.com/mic92/sops-nix/blob/master/README.md Import the sops-nix home-manager module when using the Flakes approach for system-wide home-manager configuration. ```nix { # NixOS system-wide home-manager configuration home-manager.sharedModules = [ inputs.sops-nix.homeManagerModules.sops ]; } ``` -------------------------------- ### Example JSON Secrets Content Source: https://github.com/mic92/sops-nix/blob/master/README.md Content for a JSON secrets file, including a GitHub token and an SSH private key. The SSH key is a multi-line string escaped for JSON. ```json { "github_token": "4a6c73f74928a9c4c4bc47379256b72e598e2bd3", "ssh_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACDENhLwQI4v/Ecv65iCMZ7aZAL+Sdc0Cqyjkd012XwJzQAAAJht4at6beGr\negAAAAtzc2gtZWQyNTUxOQAAACDENhLwQI4v/Ecv65iCMZ7aZAL+Sdc0Cqyjkd012XwJzQ\nAAAEBizgX7v+VMZeiCtWRjpl95dxqBWUkbrPsUSYF3DGV0rsQ2EvBAji/8Ry/rmIIxntpk\nAv5J1zQKrKOR3TXZfAnNAAAAE2pvZXJnQHR1cmluZ21hY2hpbmUBAg==\n-----END OPENSSH PRIVATE KEY-----\n" } ``` -------------------------------- ### Convert SSH Key to GPG and Import Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/encryption-configuration.md Use `ssh-to-pgp` to convert an SSH private key to GPG format and import it directly into the keyring. Requires `gnupg` and `ssh-to-pgp` to be installed. ```bash # Generate new key from SSH key nix-shell -p ssh-to-pgp --run 'ssh-to-pgp -private-key -i ~/.ssh/id_rsa' > key.asc # Output: GPG fingerprint # Or import directly to keyring nix-shell -p gnupg ssh-to-pgp --run \ 'ssh-to-pgp -private-key -i ~/.ssh/id_rsa | gpg --import' ``` -------------------------------- ### Configure GnuPG Home Directory Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/encryption-configuration.md Set the home directory for GnuPG. This directory should have restricted permissions (0700) and be owned by root. ```nix sops.gnupg.home = "/var/lib/sops"; ``` -------------------------------- ### Define a Template with Content Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/templates-reference.md This snippet shows how to define a template using the `content` option, embedding placeholders for secrets directly within the Nix expression. ```nix { sops.templates."my-app-config".content = '' api_key = "${config.sops.placeholder.api-key}" db_password = "${config.sops.placeholder.db-password}" ''; } ``` -------------------------------- ### Using Placeholders in Template Content Source: https://github.com/mic92/sops-nix/blob/master/_autodocs/templates-reference.md Example of defining secrets and using their generated placeholders within a template's content. The placeholders are replaced with actual secret values during the rendering process. ```nix { sops.secrets.api-token = {}; sops.secrets.db-password = {}; sops.templates."app-config".content = '' [api] token = "${config.sops.placeholder.api-token}" [database] password = "${config.sops.placeholder.db-password}" ''; } ``` -------------------------------- ### Import sops-nix Home Manager Module (Channel) Source: https://github.com/mic92/sops-nix/blob/master/README.md Import the sops-nix home-manager module when using the channel approach for system-wide home-manager configuration. ```nix { # NixOS system-wide home-manager configuration home-manager.sharedModules = [ ]; } ``` -------------------------------- ### Create Configuration Template with Secret Placeholder Source: https://github.com/mic92/sops-nix/blob/master/README.md Define a template for a configuration file, using a placeholder for a secret. sops-nix will substitute this placeholder during activation. ```nix { sops.templates."your-config-with-secrets.toml".content = '' password = "${config.sops.placeholder.your-secret}" ''; } ``` -------------------------------- ### Configure Buildkite Agent Secrets Source: https://github.com/mic92/sops-nix/blob/master/README.md Enable Buildkite agent and configure paths for its token and SSH private key. Ensure the secrets are owned by the Buildkite agent user. ```nix { pkgs, config, ... }: { services.buildkite-agents.builder = { enable = true; tokenPath = config.sops.secrets.buildkite-token.path; privateSshKeyPath = config.sops.secrets.buildkite-ssh-key.path; runtimePackages = [ pkgs.gnutar pkgs.bash pkgs.nix pkgs.gzip pkgs.git ]; }; sops.secrets.buildkite-token.owner = config.users.buildkite-agent-builder.name; sops.secrets.buildkite-ssh-key.owner = config.users.buildkite-agent-builder.name; } ```