Skip to main content

Secrets Management

Managing secrets with SOPS-Nix.

Install

NixOS

Subset of flake.nix

# flake.nix

{
  inputs = {
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

  };

  outputs = inputs@{
    sops-nix,
    ...
  }: {

   nixosConfigurations = {
   };
  };
}

Create module for SOPS

# modules/nixos/secrets.nix

{ config, lib, pkgs, sops-nix, ... }:

let
  isEd25519 = k: k.type == "ed25519";
  getKeyPath = k: k.path;
  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
in
{
  imports = [
    sops-nix.nixosModules.sops
  ];

  environment.systemPackages = with pkgs; [
    age
    gnupg
    pinentry.out
    ssh-to-age
    ssh-to-pgp
    sops
  ];

  sops = {
    age.sshKeyPaths = map getKeyPath keys;
  };
}

Home-Manager

# flake.nix

{
  inputs = {
    ...

    sops-nix = {
      url = "github:mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    
    ...
   
   outputs = { ..., sops-nix, ...} :
   
     imports = [
       sops-nix.homeManagerModules.sops
     ];
     
    ...
 };

Create SOPS module.

# modules/cli/sops.nix
{ pkgs, config, specialArgs, ...}:
let
  inherit(specialArgs) username;
in
{
  home = {
    packages = with pkgs;
      [
        age
        gnupg
        pinentry.out
        ssh-to-age
        ssh-to-pgp
        sops
      ];
  };

  systemd.user.services.sops-nix.Unit.After = [ "sops-nix.service" ];

  sops.defaultSopsFile = ../../secrets/example.yaml;
  sops.age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
  sops.secrets.example_key = {};

Generate Public Keys for target machines

AGE (Using SSH Host Keys)

ssh-keyscan servername | ssh-to-age

# OR locally

cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age

GPG (Using SSH Host Keys)

ssh user@server "sudo cat /etc/ssh/ssh_host_rsa_key" | ssh-to-pgp -o server.asc

# OR locally

ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o $(hostname).asc

Generate Private+Public Keypair

If creating this for NixOS, use sudo Choose one, recommend using an existing SSH ed25519 key.

AGE
  • Need pkgs.age 
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt

Get Public Key:

age-keygen -y ~/.config/sops/age/keys.txt
AGE (Convert exsiting SSH ed25519 key)
  • Need pkgs.age 
mkdir -p ~/.config/sops/age
ssh-to-age -private-key -i ~/.ssh/id_ed25519 | install -D -m 400 /dev/stdin ~/.config/sops/age/keys.txt

OR NixOS

sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key | install -D -m 400 /dev/stdin ~/.config/sops/age/keys.txt

age-keygen -y ~/.config/sops/age/keys.txt
GPG Key
  • Need some variant of pkgs.pinentry 
gpg --full-generate-key

Get Public Key:

gpg --list-secret-keys

Create SOPS configuration

NixOS

Filling in the user public key, and the groups for a standard set of secrets to be found within the secrets folder.

# ./src/nixos/.sops.yaml
keys:
  - &user_dave age1upzm9um3qljxlmxcg8vl35d7eyeqtnsfcnqlh3wtnj46dhfzwyrqa80avw
  - &host_machine age1wq5xj5mwv9xk4tp26cxc4xqjq9xd9hwqv0zeemawl2cc8sarmqesw366dh
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *user_dave
      - *host_machine

Home Manager

Filling in the user public key, and the groups for a standard set of secrets to be found within the secrets folder.

# ./config/home-manager/.sops.yaml
keys:
  - &user_dave age1upzm9um3qljxlmxcg8vl35d7eyeqtnsfcnqlh3wtnj46dhfzwyrqa80avw
  - &host_machine age1wq5xj5mwv9xk4tp26cxc4xqjq9xd9hwqv0zeemawl2cc8sarmqesw366dh
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *user_dave
      - *host_machine

Create new secrets file

sops secrets/github.yaml

# Inside the file put the key and value:

gh_token: 12345678910

Upon saving this will encrypt the secret. If you execute it again it will decrypt the file to revise.

# example.nix
...

  sops.secrets.gh_token = {
    sopsFile = ../../secrets/github.yaml ;
    path = "%r/gh-token" ;
    owner = dave.name ;
    group = dave.group ;
  };
}

Activate

NixOS

Upon generating new NixOS configuration the secrets will appear in /run/secrets/

[root@hostname:/]# ls -l /run/secrets/*
-r-------- 1 root root 46 Jul 19 09:21 /run/secrets/hostname
-r-------- 1 root root 25 Jul 19 09:21 /run/secrets/common
cat /run/secrets/common
supersecretpassword

Home Manager

Upon performing home-manager switch the secrets will appear in $XDG_RUNTIME_DIR/

[~/] $ ls -l $XDG_RUNTIME_DIR/secrets/
.r-------- dave users 13 B Fri Jun 23 16:29:52 2023  example_key
.r-------- dave users 40 B Fri Jun 23 16:29:52 2023  gh_token

[~/] $ cat $XDG_RUNTIME_DIR/secrets/gh_token
12345678910

Usage and Tips

Environment example

programs.bash.initExtra = ''
  export GITHUB_TOKEN=$(cat /$XDG_RUNTIME_DIR/secrets/gh_token)
'';

Nix Configuration

{ config, pkgs, lib, ...} :{

  services.example = {
    ...
    username = "dave";
    password = config.sops.secrets.example_key;
  };
};
'';

Reencrypting secrets

If ever adding or removing keys from .sops.yaml then you will need to reencrypt your secrets.

Use sops updatekeys path/to/secrets.yaml to re-encrypt the secrets contained in that .yaml file with all the keys that the file should use.

Encrypting a file

Make sure the path creation rule is set to something - path_regex: secrets/.* .

Copy the file into secrets.

sops -e secrets/yourfile.ext > yourfile.ext

Set it up in configuration as such:

  sops.secrets.secret_name
  = {
    format = "binary";
    sopsFile = ../../secrets/yourfile.ext;
    owner = "dave";
    #path = "/put/the/file/somewhere/on/filessystem/yourfile.ext"";
  };

Encrypting Password Hashes

Encrypt the hash not the plaintext password!

18:24:58 [dave@beef:~]└2 2 $ mkpasswd password
$y$j9T$S3QeKp0JnSOTV9Y0gpnIz0$Q1nmLXv61QLRhXMIE8Y69e5dcuRv7UpaJeVWB4Qqlt/

{
  sops.secrets."user" = {
    sopsFile = ../hosts/common/secrets/user.yaml;
    neededForUsers = true;
 };
Back to top