notes/os/linux/nixos/integration/security/secret/sops-nix.txt

https://github.com/Mic92/sops-nix

2023
Vimjoyer - NixOS Secrets Management | SOPS-NIX of 6:34
    https://www.youtube.com/watch?v=G5f6GC7SnhU
    https://github.com/vimjoyer/sops-nix-video
        mkdir -p ~/.config/sops/age/
        ssh-keygen -t ed25519
        # ~/.ssh/id_ed25519

        https://docs.github.com/ru/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
        ???  ed25519 key is more secure and performant, than classic RSA and DSA keys.

        1. generate ~/.config/sops/age/keys.txt
        nix shell nixpkgs#age -c age-keygen -o ~/.config/sops/age/keys.txt
            or
        # https://github.com/Mic92/ssh-to-age/tree/main
        # go install github.com/Mic92/ssh-to-age/cmd/ssh-to-age@latest
        nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt

        ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
        cat ~/.config/sops/age/keys.txt
        AGE-SECRET-KEY-...

        2. get a public key of ~/.config/sops/age/keys.txt
        nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
        age...

        age-keygen -y ~/.config/sops/age/keys.txt

        3. create .sops.yaml
        keys:
          - &primary {{age... YOUR PUBLIC KEY HERE}}
        creation_rules:
          # at least one creation rule, that references it (pub-key)
          - path_regex: secrets/secrets.yaml$
            key_groups:
            - age:
              - *primary

        4. to create a secrets file
        mkdir secrets
        sops secrets/secrets.yaml

        example_key: example_value
        # Nesting the key results in the creation of directories
        # These directories will be owned by root:keys and have permissions 0751
        myservice:
            my_subdir:
                my_secret: password1
        
        cat secrets/secrets.yaml
        # all the values are encrypted !!!
  
        5. flake.nix

        {
          description = "nixos config";

          inputs = {
            nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
            inputs.sops-nix.url = "github:Mic92/sops-nix";
            # optional, not necessary for the module
            #inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
          };

          outputs = { self, nixpkgs, ... }@inputs:
            let
              system = "x86_64-linux";
              pkgs = nixpkgs.legacyPackages.${system};
            in
            {
              nixosConfigurations = {
                your-hostname = nixpkgs.lib.nixosSystem {
                  specialArgs = { inherit inputs; };
                  modules = [ ./configuration.nix ];
                };
              };
            };
        }

        6. configuration.nix

        { pkgs, inputs, config, ... }:

        {
          imports = [ inputs.sops-nix.nixosModules.sops ];

          sops.defaultSopsFile = ./secrets/secrets.yaml;
          sops.defaultSopsFormat = "yaml";
          
          sops.age.keyFile = "/home/user/.config/sops/age/keys.txt";

          sops.secrets.example-key = { };
          sops.secrets."myservice/my_subdir/my_secret" = {
            # or just "sometestservice"
            owner = config.users.users.<someuser>.name; 
          };

          systemd.services."sometestservice" = {
            script = ''
                echo "
                Hey bro! I'm a service, and imma send this secure password:
                $(cat ${config.sops.secrets."myservice/my_subdir/my_secret".path})
                located in:
                ${config.sops.secrets."myservice/my_subdir/my_secret".path}
                to database and hack the mainframe
                " > /var/lib/sometestservice/testfile
              '';
            serviceConfig = {
              User = "sometestservice";
              WorkingDirectory = "/var/lib/sometestservice";
            };
          };

          users.users.sometestservice = {
            home = "/var/lib/sometestservice";
            createHome = true;
            isSystemUser = true;
            group = "sometestservice";
          };
          users.groups.sometestservice = { };
        }

        7. after nixos-rebuild

        $ sudo cat /run/secrets/example-key
        $ sudo systemctl start sometestservice.service
        $ sudo cat /var/lib/sometestservice/testfile

        Hey bro! I'm a service, and imma send this secure password:
        password1
        located in:
        /run/secrets/myservice/my_subdir/my_secret
        to database and hack the mainframe


2022
https://bmcgee.ie/posts/2022/11/getting-nixos-to-keep-a-secret/

????
https://notes.tiredofit.ca/books/linux/page/new-deployment-checklist
    Copy output of above ssh-to-age command to /root/.config/sops/age/keys.txt
    Make sure file is owned by root:root and can only be read (chmod 400)


samples
https://github.com/krupkat/gcp-nixos/blob/main/howto.md