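# The age private key lives at ~/.config/sops/age/keys.txt. Create the directory
# up front (in case it does not exist yet) and keep it private to the owner: whoever
# can read keys.txt can decrypt every secret encrypted to this key.
mkdir -p ~/.config/sops/age
chmod 700 ~/.config/sops/age

# generate a new age key at ~/.config/sops/age/keys.txt
nix shell nixpkgs#age -c age-keygen -o ~/.config/sops/age/keys.txt

# ...or derive it at ~/.config/sops/age/keys.txt from the private ssh key at ~/.ssh/private
# The shell redirect creates the file with the current umask (often world-readable),
# so restrict it right after writing it.
nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/private > ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt

# print the public key of ~/.config/sops/age/keys.txt
# (this "age1..." value is what goes into .sops.yaml; it is safe to share)
nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt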
# configuration.nix
{ pkgs, inputs, config, ... }:
{
  # sops-nix module, reached through the flake input handed in via specialArgs
  imports = [ inputs.sops-nix.nixosModules.sops ];

  sops = {
    # encrypted secrets file next to this module; decrypted during activation
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";

    # age private key used to decrypt secrets.yaml. It must be readable by root at
    # activation time, so a location under /home only works if that filesystem is
    # available early in boot. Anyone able to read this file can decrypt every secret.
    age.keyFile = "/home/user/.config/sops/age/keys.txt";

    secrets = {
      # decrypted with the module defaults (owned by root, owner-read-only)
      example-key = { };
      # nested key inside secrets.yaml; `owner` makes the decrypted file readable by
      # the service user instead of only root
      "myservice/my_subdir/my_secret" = {
        owner = "sometestservice";
      };
    };
  };

  # Demo consumer. `.path` interpolates only the runtime /run path of the secret, not
  # its content, so nothing sensitive enters the Nix store; the secret is read by the
  # service when it runs. NOTE: this writes the plaintext onto persistent storage under
  # /var/lib, which is fine for a test but defeats the point in a real service.
  systemd.services.sometestservice = {
    script = ''
      echo "
      Hey bro! I'm a service, and imma send this secure password:
      $(cat ${config.sops.secrets."myservice/my_subdir/my_secret".path})
      located in:
      ${config.sops.secrets."myservice/my_subdir/my_secret".path}
      to database and hack the mainframe
      " > /var/lib/sometestservice/testfile
    '';
    serviceConfig = {
      # run as the dedicated user that owns the secret file
      User = "sometestservice";
      WorkingDirectory = "/var/lib/sometestservice";
    };
  };

  # dedicated system user/group so the secret is readable only by this service (and root)
  users = {
    users.sometestservice = {
      home = "/var/lib/sometestservice";
      createHome = true;
      isSystemUser = true;
      group = "sometestservice";
    };
    groups.sometestservice = { };
  };
}
# flake.nix
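{
  description = "nixos config";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    # Inputs are declared directly under `inputs`. Writing `inputs.sops-nix.url` here
    # would define `inputs.inputs.sops-nix` and leave `inputs.sops-nix` (which
    # configuration.nix imports from) undefined.
    sops-nix.url = "github:Mic92/sops-nix";
    # optional, not necessary for the module: reuse this flake's nixpkgs for sops-nix
    # sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };

  # Both inputs track a moving branch; flake.lock pins the exact revisions, so keep it
  # committed and review changes to it when updating.
  outputs = { self, nixpkgs, ... }@inputs:
    let
      system = "x86_64-linux";
    in
    {
      nixosConfigurations = {
        your-hostname = nixpkgs.lib.nixosSystem {
          # the host platform must come from somewhere; configuration.nix does not set
          # nixpkgs.hostPlatform, so pass it here
          inherit system;
          # makes `inputs` available as a module argument (used by configuration.nix)
          specialArgs = { inherit inputs; };
          modules = [ ./configuration.nix ];
        };
      };
    };
}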
# .sops.yaml
# sops CLI configuration: decides which recipients secret files are encrypted to.
# Put the *public* age key printed by `age-keygen -y` here (an "age1..." value);
# the private key in keys.txt never belongs in this file.
keys:
  - &primary {{YOUR KEY HERE}}
creation_rules:
  # matches secrets/secrets.yaml, the file configuration.nix uses as defaultSopsFile
  - path_regex: secrets/secrets.yaml$
    key_groups:
      - age:
          - *primary
# after adding or removing recipients, re-encrypt existing files with `sops updatekeys <file>`