m

2025-11-01 06:06:08 +02:00 · 2024-02-03 22:41:47 +03:00 · 2024-02-03 22:41:47 +03:00 · a3ce20a3a3
--- a/os/linux/nixos/integration/security/secret/sops-nix.txt
+++ b/os/linux/nixos/integration/security/secret/sops-nix.txt
@ -1,7 +1,7 @@
 https://github.com/Mic92/sops-nix

 2023
-vimjoyer - NixOS Secrets Management | SOPS-NIX 2:00 of 6:34
+vimjoyer - NixOS Secrets Management | SOPS-NIX 4:00 of 6:34
    https://www.youtube.com/watch?v=G5f6GC7SnhU
    https://github.com/vimjoyer/sops-nix-video
        mkdir -p ~/.config/sops/age/
@ -42,6 +42,89 @@ vimjoyer - NixOS Secrets Management | SOPS-NIX 2:00 of 6:34
        mkdir secrets
        sops secrets/secrets.yaml

+        example_key: example_value
+        # Nesting the key results in the creation of directories
+        # These directories will be owned by root:keys and have permissions 0751
+        myservice:
+            my_subdir:
+                my_secret: password1
+        
+        cat secrets/secrets.yaml
+        # all the values are encrypted !!!
+  
+        5. flake.nix
+
+        {
+          description = "nixos config";
+
+          inputs = {
+            nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+            inputs.sops-nix.url = "github:Mic92/sops-nix";
+            # optional, not necessary for the module
+            #inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+          };
+
+          outputs = { self, nixpkgs, ... }@inputs:
+            let
+              system = "x86_64-linux";
+              pkgs = nixpkgs.legacyPackages.${system};
+            in
+            {
+              nixosConfigurations = {
+                your-hostname = nixpkgs.lib.nixosSystem {
+                  specialArgs = { inherit inputs; };
+                  modules = [ ./configuration.nix ];
+                };
+              };
+            };
+        }
+
+        6. configuration.nix
+
+        { pkgs, inputs, config, ... }:
+
+        {
+          imports = [ inputs.sops-nix.nixosModules.sops ];
+
+          sops.defaultSopsFile = ./secrets/secrets.yaml;
+          sops.defaultSopsFormat = "yaml";
+          
+          sops.age.keyFile = "/home/user/.config/sops/age/keys.txt";
+
+          sops.secrets.example-key = { };
+          sops.secrets."myservice/my_subdir/my_secret" = {
+            owner = "sometestservice";
+          };
+
+          systemd.services."sometestservice" = {
+            script = ''
+                echo "
+                Hey bro! I'm a service, and imma send this secure password:
+                $(cat ${config.sops.secrets."myservice/my_subdir/my_secret".path})
+                located in:
+                ${config.sops.secrets."myservice/my_subdir/my_secret".path}
+                to database and hack the mainframe
+                " > /var/lib/sometestservice/testfile
+              '';
+            serviceConfig = {
+              User = "sometestservice";
+              WorkingDirectory = "/var/lib/sometestservice";
+            };
+          };
+
+          users.users.sometestservice = {
+            home = "/var/lib/sometestservice";
+            createHome = true;
+            isSystemUser = true;
+            group = "sometestservice";
+          };
+          users.groups.sometestservice = { };
+        }
+
+        7. after nixos-rebuild
+
+        $ sudo cat /run/secrets/example-key
+
 2022
 https://bmcgee.ie/posts/2022/11/getting-nixos-to-keep-a-secret/