Secrets Management
Managing secrets with SOPS-Nix.
NixOS
Generate Public Keys for target machines
AGE (Using SSH Host Keys)
nix-shell -p ssh-to-age --run 'ssh-keyscan servername | ssh-to-age'
# OR locally
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
GPG (Using SSH Host Keys)
ssh user@server "sudo cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o server.asc"
# OR locally
nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o $(hostname).asc"
Home-Manager
Install
# flake.nix
{
inputs = {
...
sops-nix = {
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
...
outputs = { ..., sops-nix, ...} :
imports = [
sops-nix.homeManagerModules.sops
];
...
};
Generate Private+Public Keypair
Choose one..
AGE
Need pkgs.age
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txt
Get Public Key:
age-keygen -y ~/.config/sops/age/keys.txt
AGE (Convert exsiting SSH ed25519 key)
Need pkgs.age
mkdir -p ~/.config/sops/age
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
age-keygen -y ~/.config/sops/age/keys.txt
GPG Key
Need some variant of pkgs.pinentry
gpg --full-generate-key
Get Public Key:
gpg --list-secret-keys
Create SOPS configuration
Filling in the user public key, and the groups for a standard set of secrets to be found within the secrets folder.
# ./config/home-manager/.sops.yaml
keys:
- &user_dave age1upzm9um3qljxlmxcg8vl35d7eyeqtnsfcnqlh3wtnj46dhfzwyrqa80avw
- &host_beef age1wq5xj5mwv9xk4tp26cxc4xqjq9xd9hwqv0zeemawl2cc8sarmqesw366dh
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *user_dave
- *host_beef
Create new secrets file
nix-shell -p sops --run "sops secrets/github.yaml"
# Inside the file put the key and value:
gh_token: 12345678910
Upon saving this will encrypt the secret.
Configure Home Manager
# sops.nix
{ pkgs, ...}:
{
home = {
packages = with pkgs;
[
age
gnupg
pinentry.out
ssh-to-age
ssh-to-pgp
sops
];
};
sops.defaultSopsFile = ../../secrets/example.yaml;
sops.age.keyFile = "/home/$USER/.config/sops/age/keys.txt";
sops.secrets.example_key = {};
sops.secrets.gh_token = {
sopsFile = ../../secrets/github.yaml ;
path = "%r/gh-token" ;
owner = dave.name ;
group = dave.group ;
};
}
Activate
Upon performing home-manager switch the secrets will appear in $XDG_RUNTIME_DIR/
[~/] $ ls -l $XDG_RUNTIME_DIR/secrets/
.r-------- dave users 13 B Fri Jun 23 16:29:52 2023 example_key
.r-------- dave users 40 B Fri Jun 23 16:29:52 2023 gh_token
[~/] $ cat $XDG_RUNTIME_DIR/secrets/gh_token
12345678910
Use in configuration
Environment example
programs.bash.initExtra = ''
export GITHUB_TOKEN=$(cat /$XDG_RUNTIME_DIR/secrets/gh_token)
'';
Nix Configuration
{ config, pkgs, lib, ...} :{
services.example = {
...
username = "dave";
password = config.sops.secrets.example_key;
};
};
'';
Reencrypting secrets
If ever adding or removing keys from .sops.yaml then you will need to reencrypt your secrets.
Use sops updatekeys path/to/secrets.yaml to re-encrypt the secrets contained in that .yaml file with all the keys that the file should use.