Sops

Atomic secret provisioning for NixOS based on sops.

View the nix-core NixOS module on GitHub.

References

• GitHub

Config

flake.nix

inputs = {
  sops-nix.url = "github:Mic92/sops-nix";
  sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};

Setup

Generate an age key for your host from its ssh host key:

nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'

Then, add it to .sops.yaml.

Host configuration:

No additional configuration is required. Each module's documentation entry will tell you if it uses sops and what secrets it expects.

Update Keys

Update the keys of your SOPS files after making changes to .sops.yaml:

sops --config PATH/TO/.sops.yaml updatekeys PATH/TO/secrets.yaml