Skip to main content

Secrets Management

Managing secrets with SOPS-Nix.

NixOS

Generate Public Keys for target machines

AGE (Using SSH Host Keys)
nix-shell -p ssh-to-age --run 'ssh-keyscan servername | ssh-to-age'

# OR locally

nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
GPG (Using SSH Host Keys)
ssh user@server "sudo cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o server.asc"

# OR locally

nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o $(hostname).asc"

Home-Manager

Install

# flake.nix

{
  inputs = {
    ...

    sops-nix = {
      url = "github:mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    
    ...
   
   outputs = { ..., sops-nix, ...} :
   
     imports = [
       sops-nix.homeManagerModules.sops
     ];
     
    ...
 };

Generate Private+Public Keypair

Choose one..

AGE

Need pkgs.age

mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt

Get Public Key:

age-keygen -y ~/.config/sops/age/keys.txt
AGE (Convert exsiting SSH ed25519 key)

Need pkgs.age

mkdir -p ~/.config/sops/age
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
age-keygen -y ~/.config/sops/age/keys.txt
GPG Key

Need some variant of pkgs.pinentry

gpg --full-generate-key

Get Public Key:

gpg --list-secret-keys

Generate Public Keys for target machines

AGE (Using SSH Host Keys)
nix-shell -p ssh-to-age --run 'ssh-keyscan servername | ssh-to-age'

# OR locally

nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
GPG (Using SSH Host Keys)
ssh user@server "sudo cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o server.asc"

# OR locally

nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o $(hostname).asc"

Create SOPS configuration

Filling in the user public key, and the groups for a standard set of secrets to be found within the secrets folder.

# ./config/home-manager/.sops.yaml
keys:
  - &user_dave age1upzm9um3qljxlmxcg8vl35d7eyeqtnsfcnqlh3wtnj46dhfzwyrqa80avw
  - &host_beef age1wq5xj5mwv9xk4tp26cxc4xqjq9xd9hwqv0zeemawl2cc8sarmqesw366dh
creation_rules:
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
    - age:
      - *user_dave
      - *host_beef
      

Create new secrets file

nix-shell -p sops --run "sops secrets/github.yaml"

# Inside the file put the key and value:

gh_token: 12345678910

Upon saving this will encrypt the secret.

Configure Home Manager

# sops.nix
{ pkgs, ...}:
{
  home = {
    packages = with pkgs;
      [
        age
        gnupg
        pinentry.out
        ssh-to-age
        ssh-to-pgp
        sops
      ];
  };

  sops.defaultSopsFile = ../../secrets/example.yaml;
  sops.age.keyFile = "/home/$USER/.config/sops/age/keys.txt";

  sops.secrets.example_key = {};
  sops.secrets.gh_token = {
    sopsFile = ../../secrets/github.yaml ;
    path = "%r/gh-token" ;
    owner = dave.name ;
    group = dave.group ;
  };
}

Activate

Upon performing home-manager switch the secrets will appear in $XDG_RUNTIME_DIR/

[~/] $ ls -l $XDG_RUNTIME_DIR/secrets/
.r-------- dave users 13 B Fri Jun 23 16:29:52 2023  example_key
.r-------- dave users 40 B Fri Jun 23 16:29:52 2023  gh_token

[~/] $ cat $XDG_RUNTIME_DIR/secrets/gh_token
12345678910

Use in configuration

Environment example
programs.bash.initExtra = ''
  export GITHUB_TOKEN=$(cat /$XDG_RUNTIME_DIR/secrets/gh_token)
'';   
Nix Configuration
{ config, pkgs, lib, ...} :{

  services.example = {
    ...
    username = "dave";
    password = config.sops.secrets.example_key;
  };
};
'';