https://github.com/Mic92/sops-nix 2023 Vimjoyer - NixOS Secrets Management | SOPS-NIX of 6:34 https://www.youtube.com/watch?v=G5f6GC7SnhU https://github.com/vimjoyer/sops-nix-video mkdir -p ~/.config/sops/age/ ssh-keygen -t ed25519 # ~/.ssh/id_ed25519 https://docs.github.com/ru/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent ??? ed25519 key is more secure and performant, than classic RSA and DSA keys. 1. generate ~/.config/sops/age/keys.txt nix shell nixpkgs#age -c age-keygen -o ~/.config/sops/age/keys.txt or # https://github.com/Mic92/ssh-to-age/tree/main # go install github.com/Mic92/ssh-to-age/cmd/ssh-to-age@latest nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt cat ~/.config/sops/age/keys.txt AGE-SECRET-KEY-... 2. get a public key of ~/.config/sops/age/keys.txt nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt age... age-keygen -y ~/.config/sops/age/keys.txt 3. create .sops.yaml keys: - &primary {{age... YOUR PUBLIC KEY HERE}} creation_rules: # at least one creation rule, that references it (pub-key) - path_regex: secrets/secrets.yaml$ key_groups: - age: - *primary 4. to create a secrets file mkdir secrets sops secrets/secrets.yaml example_key: example_value # Nesting the key results in the creation of directories # These directories will be owned by root:keys and have permissions 0751 myservice: my_subdir: my_secret: password1 cat secrets/secrets.yaml # all the values are encrypted !!! 5. flake.nix { description = "nixos config"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; inputs.sops-nix.url = "github:Mic92/sops-nix"; # optional, not necessary for the module #inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, ... }@inputs: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; in { nixosConfigurations = { your-hostname = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; modules = [ ./configuration.nix ]; }; }; }; } 6. configuration.nix { pkgs, inputs, config, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; sops.defaultSopsFile = ./secrets/secrets.yaml; sops.defaultSopsFormat = "yaml"; sops.age.keyFile = "/home/user/.config/sops/age/keys.txt"; sops.secrets.example-key = { }; sops.secrets."myservice/my_subdir/my_secret" = { # or just "sometestservice" owner = config.users.users..name; }; systemd.services."sometestservice" = { script = '' echo " Hey bro! I'm a service, and imma send this secure password: $(cat ${config.sops.secrets."myservice/my_subdir/my_secret".path}) located in: ${config.sops.secrets."myservice/my_subdir/my_secret".path} to database and hack the mainframe " > /var/lib/sometestservice/testfile ''; serviceConfig = { User = "sometestservice"; WorkingDirectory = "/var/lib/sometestservice"; }; }; users.users.sometestservice = { home = "/var/lib/sometestservice"; createHome = true; isSystemUser = true; group = "sometestservice"; }; users.groups.sometestservice = { }; } 7. after nixos-rebuild $ sudo cat /run/secrets/example-key $ sudo systemctl start sometestservice.service $ sudo cat /var/lib/sometestservice/testfile Hey bro! I'm a service, and imma send this secure password: password1 located in: /run/secrets/myservice/my_subdir/my_secret to database and hack the mainframe 2022 https://bmcgee.ie/posts/2022/11/getting-nixos-to-keep-a-secret/ ???? https://notes.tiredofit.ca/books/linux/page/new-deployment-checklist Copy output of above ssh-to-age command to /root/.config/sops/age/keys.txt Make sure file is owned by root:root and can only be read (chmod 400) samples https://github.com/krupkat/gcp-nixos/blob/main/howto.md