feat(secrets): scaffold sops-nix for declarative secrets
Wires sops-nix as a flake input and bakes the NixOS module into
configuration.nix via modules/secrets.nix. Per-host defaults live in
modules/secrets.nix:
- defaultSopsFile = ../secrets/${settings.hostName}.yaml
- defaultSopsFormat = yaml
- age.keyFile = /home/${settings.user}/.config/sops/age/keys.txt
The whole sops block is gated on `builtins.pathExists` so flake eval
succeeds before the encrypted file is created — important during the
scaffold-bootstrap phase where the consumer hasn't yet generated an
age key.
Adds .sops.yaml with a placeholder admin recipient (overwrite with
your real age public key before encrypting anything) and a
creation_rules block matching `secrets/*.yaml`.
.gitignore loosened so `secrets/*.yaml` and `secrets/README.md` can
be checked in while plaintext key material (`*.key`, `*.pem`) and
anything else under `secrets/` stays ignored. The pre-commit secret
scanner most consumers use is the second line of defense.
secrets/README.md documents the workflow at the directory level.
The substantive beginner walkthrough lands in a follow-up commit at
docs/secrets-management.md.
`nix flake check --no-build` stays green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
8ebf16d069
commit
7af3bce544
7 changed files with 146 additions and 1 deletions
42
modules/secrets.nix
Normal file
42
modules/secrets.nix
Normal file
|
|
@ -0,0 +1,42 @@
|
|||
# sops-nix per-host wiring.
|
||||
# pragma: allowlist secret start
|
||||
#
|
||||
# Imports the sops-nix NixOS module and points it at this host's
|
||||
# encrypted file + the consumer's age private key.
|
||||
#
|
||||
# - Recipients (which age public keys can decrypt) are declared in
|
||||
# `.sops.yaml` at the repo root.
|
||||
# - The encrypted file for this host lives at
|
||||
# `secrets/${settings.hostName}.yaml`. Create it with:
|
||||
# sops secrets/${settings.hostName}.yaml
|
||||
# sops auto-encrypts on save using the recipients from .sops.yaml.
|
||||
# - The matching private key lives at
|
||||
# `/home/${settings.user}/.config/sops/age/keys.txt`. Generate it
|
||||
# one-time with `age-keygen -o ~/.config/sops/age/keys.txt`.
|
||||
#
|
||||
# The whole sops block is gated on `builtins.pathExists` so flake
|
||||
# eval succeeds before the encrypted file exists — useful for the
|
||||
# scaffold-bootstrap phase. See `docs/secrets-management.md` for a
|
||||
# walkthrough.
|
||||
# pragma: allowlist secret end
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
settings,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
sopsFile = ../secrets/${settings.hostName}.yaml;
|
||||
in
|
||||
{
|
||||
imports = [ inputs.sops-nix.nixosModules.sops ];
|
||||
|
||||
sops = lib.mkIf (builtins.pathExists sopsFile) {
|
||||
defaultSopsFile = sopsFile;
|
||||
defaultSopsFormat = "yaml";
|
||||
age.keyFile = "/home/${settings.user}/.config/sops/age/keys.txt";
|
||||
};
|
||||
}
|
||||
Reference in a new issue