Ihar Hancharenka a48bdaccf2 m
2024-01-23 22:18:58 +03:00


https://github.com/Mic92/sops-nix
2023
vimjoyer - NixOS Secrets Management | SOPS-NIX 2:00 of 6:34
https://www.youtube.com/watch?v=G5f6GC7SnhU
https://github.com/vimjoyer/sops-nix-video
mkdir -p ~/.config/sops/age/
ssh-keygen -t ed25519
# ~/.ssh/id_ed25519
https://docs.github.com/ru/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
Note: use an ed25519 key rather than RSA or DSA. The keys are short and fast, DSA is deprecated in OpenSSH, and ssh-to-age (second option in step 1) only converts ed25519 keys.
1. generate ~/.config/sops/age/keys.txt (this is the private key: keep it mode 0600 and never commit it)
nix shell nixpkgs#age -c age-keygen -o ~/.config/sops/age/keys.txt
or
# https://github.com/Mic92/ssh-to-age/tree/main
# go install github.com/Mic92/ssh-to-age/cmd/ssh-to-age@latest
nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
cat ~/.config/sops/age/keys.txt
AGE-SECRET-KEY-...
2. get a public key of ~/.config/sops/age/keys.txt
nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
age...
age-keygen -y ~/.config/sops/age/keys.txt
3. create .sops.yaml (it holds only public keys, so it is safe to commit)
keys:
  - &primary {{age... YOUR PUBLIC KEY HERE}}
creation_rules:
  # at least one creation rule that references the key
  - path_regex: secrets/secrets.yaml$
    key_groups:
      - age:
          - *primary
4. create a secrets file (its path must match path_regex; sops opens $EDITOR and encrypts the file on save)
mkdir secrets
sops secrets/secrets.yaml
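The four steps above as one script. This is an added example, not code from sops-nix or from the video. Only bootstrap_sops needs age and sops on PATH; the helper names (is_age_recipient, render_sops_yaml, secrets_file_is_encrypted) are my own, the sample YAML files are constructed at load time, and SAMPLE_RECIPIENT is a string with the shape of an age public key (age1 plus 58 bech32 characters), not a real key. The last helper is the check I run before committing: it refuses a secrets file in which any scalar before the sops: block is not an ENC[...] payload, which is what a half-saved or hand-edited file looks like.

```shell
#!/usr/bin/env bash
# Added example wrapping steps 1-4 above; not from sops-nix or the video.
# Only bootstrap_sops needs age/sops on PATH; the other helpers are plain shell.
set -eu

SOPS_AGE_KEY_FILE_DEFAULT="${HOME:-.}/.config/sops/age/keys.txt"

# Format check for an age recipient: "age1" + 58 bech32 chars (no 1, b, i, o).
# It does not verify the bech32 checksum; it catches an SSH public key or a
# private key (AGE-SECRET-KEY-...) pasted where the public key belongs.
is_age_recipient() {
  printf '%s\n' "$1" | grep -Eq '^age1[ac-hj-np-z02-9]{58}$'
}

# Render the .sops.yaml from step 3 for one recipient and one path regex.
# Only public keys go in here, so the result is safe to commit.
render_sops_yaml() {
  local recipient="$1"
  local path_regex=${2:-'secrets/secrets.yaml$'}
  is_age_recipient "$recipient" || { echo "not an age recipient: $recipient" >&2; return 1; }
  cat <<EOF
keys:
  - &primary $recipient
creation_rules:
  - path_regex: $path_regex
    key_groups:
      - age:
          - *primary
EOF
}

# Verify that a sops-managed YAML file carries no plaintext scalar: every
# "key: value" line before the sops: metadata block must be ENC[...].
# Simplified on purpose: block scalars and "- item" lists are not inspected.
secrets_file_is_encrypted() {
  grep -q '^sops:' "$1" || return 1
  ! awk '/^sops:/ { exit }
         /^[ \t]*[^ \t#-][^:]*:[ \t]+[^ \t]/ && $0 !~ /:[ \t]+ENC\[/ { leak = 1 }
         END { exit !leak }' "$1"
}

# Steps 1-4 end to end, using a fresh age key (first option of step 1).
# Requires age and sops; call it explicitly, it is not run at load time.
bootstrap_sops() {
  local keyfile="${SOPS_AGE_KEY_FILE:-$SOPS_AGE_KEY_FILE_DEFAULT}"
  local pub
  mkdir -p "$(dirname "$keyfile")"
  chmod 700 "$(dirname "$keyfile")"
  if [ ! -f "$keyfile" ]; then
    age-keygen -o "$keyfile"
    # or, from an existing ed25519 SSH key (second option of step 1):
    # ssh-to-age -private-key -i ~/.ssh/id_ed25519 > "$keyfile"
  fi
  chmod 600 "$keyfile"                 # private key: owner-only
  pub=$(age-keygen -y "$keyfile")      # step 2
  render_sops_yaml "$pub" > .sops.yaml # step 3
  mkdir -p secrets
  sops secrets/secrets.yaml            # step 4: opens $EDITOR, encrypts on save
  secrets_file_is_encrypted secrets/secrets.yaml
}

# Constructed samples for secrets_file_is_encrypted. The ENC[...] payloads and
# the recipient are placeholders, not real ciphertext or a real key.
SAMPLE_RECIPIENT='age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce'
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ENCRYPTED="$SAMPLE_DIR/encrypted.yaml"
SAMPLE_LEAKY="$SAMPLE_DIR/leaky.yaml"
cat >"$SAMPLE_ENCRYPTED" <<EOF
db_password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
wifi:
    psk: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: $SAMPLE_RECIPIENT
    version: placeholder
EOF
cat >"$SAMPLE_LEAKY" <<'EOF'
db_password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
wifi:
    psk: hunter2
sops:
    version: placeholder
EOF
```

Run `bootstrap_sops` from the repository root; point SOPS_AGE_KEY_FILE elsewhere if the key should not live under ~/.config/sops/age. Put `secrets_file_is_encrypted secrets/secrets.yaml` in a pre-commit hook so a plaintext value never reaches the repo.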
2022
https://bmcgee.ie/posts/2022/11/getting-nixos-to-keep-a-secret/
samples
https://github.com/krupkat/gcp-nixos/blob/main/howto.md