feat(secrets): scaffold sops-nix for declarative secrets
Wires sops-nix as a flake input and bakes the NixOS module into
configuration.nix via modules/secrets.nix. Per-host defaults live in
modules/secrets.nix:
- defaultSopsFile = ../secrets/${settings.hostName}.yaml
- defaultSopsFormat = yaml
- age.keyFile = /home/${settings.user}/.config/sops/age/keys.txt
The whole sops block is gated on `builtins.pathExists` so flake eval
succeeds before the encrypted file is created — important during the
scaffold-bootstrap phase where the consumer hasn't yet generated an
age key.
Adds .sops.yaml with a placeholder admin recipient (overwrite with
your real age public key before encrypting anything) and a
creation_rules block matching `secrets/*.yaml`.
.gitignore loosened so `secrets/*.yaml` and `secrets/README.md` can
be checked in while plaintext key material (`*.key`, `*.pem`) and
anything else under `secrets/` stays ignored. The pre-commit secret
scanner most consumers use is the second line of defense.
secrets/README.md documents the workflow at the directory level.
The substantive beginner walkthrough lands in a follow-up commit at
docs/secrets-management.md.
`nix flake check --no-build` stays green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
8ebf16d069
commit
7af3bce544
7 changed files with 146 additions and 1 deletions
39
secrets/README.md
Normal file
39
secrets/README.md
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
# secrets/
|
||||
|
||||
Encrypted YAML files in this directory are decrypted at NixOS
|
||||
activation time and exposed under `/run/secrets/<name>` for any
|
||||
service that declares `sops.secrets.<name>` to consume.
|
||||
|
||||
Recipients are declared in `../.sops.yaml`. The matching age
|
||||
private key lives at `~/.config/sops/age/keys.txt` on the host
|
||||
machine (see `modules/secrets.nix`).
|
||||
|
||||
## Workflow
|
||||
|
||||
```sh
|
||||
# First-time: create + encrypt this host's secrets file
|
||||
sops secrets/<hostName>.yaml
|
||||
# sops auto-encrypts on save using recipients from .sops.yaml
|
||||
|
||||
# Later edits go through sops (auto-decrypts, re-encrypts on save)
|
||||
sops secrets/<hostName>.yaml
|
||||
```
|
||||
|
||||
See [`../docs/secrets-management.md`](../docs/secrets-management.md)
|
||||
for the full walkthrough — generating the age key, adding a recipient,
|
||||
declaring a secret in NixOS, and rotating keys.
|
||||
|
||||
## What goes here
|
||||
|
||||
One YAML file per host, named after the host. Inside each file, a
|
||||
flat or nested map of secret names → values:
|
||||
|
||||
```yaml
|
||||
# secrets/<hostName>.yaml — encrypted in place
|
||||
lnbits-admin-key: changeme-real-key-goes-here
|
||||
postgres:
|
||||
lnbits-password: changeme-real-password-goes-here
|
||||
```
|
||||
|
||||
NixOS modules reference these by name via `sops.secrets.<name>`
|
||||
and read the runtime path via `config.sops.secrets.<name>.path`.
|
||||
Reference in a new issue