Sops

Atomic secret provisioning for NixOS based on sops.

View the synix NixOS module on Forgejo.

Setup

Generate an age key for your host from its ssh host key:

nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'

Then, add it to .sops.yaml (see usage example).
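A minimal .sops.yaml for the layout described on this page, added here as an illustration rather than taken from the synix project; the host name, the path regex and both age public keys are placeholders to be replaced with your own values:

```yaml
# .sops.yaml (placeholder example, not the project's own file)
keys:
  # Your personal age key, so you can edit secrets from your workstation.
  - &admin age1ADMINKEYPLACEHOLDER
  # The host's age key, derived from its ssh host key with ssh-to-age.
  - &host_myhost age1HOSTKEYPLACEHOLDER

creation_rules:
  # Only files under this host's secrets directory are encrypted for this host.
  - path_regex: hosts/myhost/secrets/[^/]+\.yaml$
    key_groups:
      - age:
          - *admin
          - *host_myhost
```

Keep the admin key out of hosts that do not need it; each host's rule should list only the recipients that must be able to decrypt that file.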

Config

Flake

# flake.nix
inputs = {
  sops-nix.url = "github:Mic92/sops-nix";
  sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};

Host configuration

Create a secrets directory inside your host's directory (hosts/YOUR_HOST/secrets) and declare all of that host's secrets in it:

# hosts/YOUR_HOST/secrets/default.nix
{ inputs, ... }:

{
  # Pull in the synix sops module, which wires up sops-nix for this host.
  imports = [ inputs.synix.nixosModules.sops ];

  # One attribute per secret; by default the attribute name is the key looked up
  # in the encrypted sops file.
  sops.secrets.your-secret = { };
  sops.secrets.other-secret = { };
}

Usage

For more information on how to use sops-nix, see the Sops Home Manager module documentation.

Update Keys

Update the keys of your SOPS files after making changes to .sops.yaml:

sops --config PATH/TO/.sops.yaml updatekeys PATH/TO/secrets.yaml