This repository has been archived on 2026-06-22. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
lnbits-sensei/secrets
Padreug 7af3bce544 feat(secrets): scaffold sops-nix for declarative secrets
Wires sops-nix as a flake input and bakes the NixOS module into
configuration.nix via modules/secrets.nix. Per-host defaults live in
modules/secrets.nix:

- defaultSopsFile = ../secrets/${settings.hostName}.yaml
- defaultSopsFormat = yaml
- age.keyFile = /home/${settings.user}/.config/sops/age/keys.txt

The whole sops block is gated on `builtins.pathExists` so flake eval
succeeds before the encrypted file is created — important during the
scaffold-bootstrap phase where the consumer hasn't yet generated an
age key.

Adds .sops.yaml with a placeholder admin recipient (overwrite with
your real age public key before encrypting anything) and a
creation_rules block matching `secrets/*.yaml`.

.gitignore loosened so `secrets/*.yaml` and `secrets/README.md` can
be checked in while plaintext key material (`*.key`, `*.pem`) and
anything else under `secrets/` stays ignored. The pre-commit secret
scanner most consumers use is the second line of defense.

secrets/README.md documents the workflow at the directory level.
The substantive beginner walkthrough lands in a follow-up commit at
docs/secrets-management.md.

`nix flake check --no-build` stays green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 08:44:55 +02:00

secrets/

Encrypted YAML files in this directory are decrypted at NixOS activation time and exposed under /run/secrets/<name> for any service that declares sops.secrets.<name> to consume.

Recipients are declared in ../.sops.yaml. The matching age private key lives at ~/.config/sops/age/keys.txt on the host machine (see modules/secrets.nix).

Workflow

# First-time: create + encrypt this host's secrets file
sops secrets/<hostName>.yaml
# sops auto-encrypts on save using recipients from .sops.yaml

# Later edits go through sops (auto-decrypts, re-encrypts on save)
sops secrets/<hostName>.yaml

See ../docs/secrets-management.md for the full walkthrough — generating the age key, adding a recipient, declaring a secret in NixOS, and rotating keys.

What goes here

One YAML file per host, named after the host. Inside each file, a flat or nested map of secret names → values:

# secrets/<hostName>.yaml — encrypted in place
lnbits-admin-key: changeme-real-key-goes-here
postgres:
  lnbits-password: changeme-real-password-goes-here

NixOS modules reference these by name via sops.secrets.<name> and read the runtime path via config.sops.secrets.<name>.path.
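As an added illustration (not the repository's own modules/secrets.nix), here is a module that wires up the per-host defaults the commit message describes, gates them on `builtins.pathExists`, declares the two secrets from the sample YAML above, and hands one of them to a service by its runtime path. The `lnbits` and `postgres` service users and the `LoadCredential` wiring are assumptions; `settings.hostName` and `settings.user` are taken from the commit message.

```nix
# Illustrative modules/secrets.nix (not the repo's file). Assumes
# `settings.hostName` and `settings.user` are passed in from the flake.
{ config, lib, settings, ... }:
let
  sopsFile = ../secrets/${settings.hostName}.yaml;
in
{
  # Gate everything on the encrypted file existing so `nix flake check`
  # still evaluates before the consumer has generated an age key and
  # run `sops` for the first time.
  config = lib.mkIf (builtins.pathExists sopsFile) {
    sops.defaultSopsFile = sopsFile;
    sops.defaultSopsFormat = "yaml";
    sops.age.keyFile = "/home/${settings.user}/.config/sops/age/keys.txt";

    # Top-level YAML key -> decrypted to /run/secrets/lnbits-admin-key
    # (tmpfs, never the world-readable Nix store).
    sops.secrets."lnbits-admin-key" = {
      owner = "lnbits";   # assumed service user
      mode = "0400";
    };

    # Nested YAML key (postgres: lnbits-password:) is addressed with a slash.
    sops.secrets."postgres/lnbits-password" = {
      owner = "postgres"; # assumed service user
      mode = "0400";
    };

    # Consume by runtime path; the literal value never enters the config.
    systemd.services.lnbits.serviceConfig.LoadCredential = [
      "admin-key:${config.sops.secrets."lnbits-admin-key".path}"
    ];
  };
}
```

The service then reads the key from `$CREDENTIALS_DIRECTORY/admin-key`; nothing in the evaluated configuration or the Nix store contains the plaintext.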