# ๐Ÿ” Secrets Management (with SOPS + Nix) This directory contains encrypted secrets used across the infrastructure managed by NixOS and [sops-nix](https://github.com/Mic92/sops-nix). Secrets are stored using [SOPS](https://github.com/mozilla/sops) and encrypted with an `age` key located on each host at `/etc/sops/age.key`. --- ## ๐Ÿ“ Directory Structure ``` secrets/ โ”œโ”€โ”€ forgejo/ โ”‚ โ””โ”€โ”€ secrets.yaml # Forgejo-specific secrets (admin password, DB password, secret key) โ”œโ”€โ”€ runner/ โ”‚ โ””โ”€โ”€ secrets.yaml # Forgejo runner secrets (tokens, etc.) โ”œโ”€โ”€ shared/ โ”‚ โ””โ”€โ”€ secrets.yaml # Shared secrets used across multiple VMs (SSH keys, tokens) ```` --- ## ๐Ÿ›  SOPS Basics ### โœ… Encrypt a **new secret file** ```bash sops --age -e > secrets/myservice/secrets.yaml ```` Example: ```bash sops --age $(cat ~/.config/sops/age/keys.txt | grep public) -e > secrets/forgejo/secrets.yaml ``` > Press `i` to enter edit mode if prompted, or fill it using YAML format: ```yaml admin-password: hunter2 db-password: supersecret ``` --- ### โœ๏ธ Edit secrets in an existing file ```bash sops secrets/forgejo/secrets.yaml ``` --- ## ๐Ÿงฌ Using Secrets in Nix ### ๐Ÿงฉ Option 1: Reference shared secrets (via `defaultSopsFile`) ```nix # shared-sops.nix { sops = { age.keyFile = "/etc/sops/age.key"; defaultSopsFile = ../secrets/shared/secrets.yaml; secrets = { "monitoring-token".owner = "prometheus"; }; }; } ``` Then in services: ```nix environment.etc."monitoring/token".source = config.sops.secrets."monitoring-token".path; ``` --- ### ๐Ÿงฉ Option 2: Reference per-service secrets with explicit `sopsFile` ```nix # forgejo/sops.nix { sops.secrets = { "admin-password" = { sopsFile = ./../secrets/forgejo/secrets.yaml; owner = "forgejo"; }; }; } ``` --- ## ๐Ÿงช Testing secrets setup Check which secrets will be applied: ```bash nixos-rebuild dry-activate --flake .#my-hostname ``` --- ## ๐Ÿ“š Resources * [sops-nix](https://github.com/Mic92/sops-nix) * [Mozilla 
SOPS](https://github.com/mozilla/sops) * [age encryption](https://github.com/FiloSottile/age)
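The dry-activate check above only confirms which secrets sops-nix will install; it does not catch a `secrets.yaml` that was committed before SOPS encrypted it. The script below is an added example (not part of this repository or of sops-nix) of a pre-commit style check for that mistake; `check_sops_file`, `write_samples` and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of this repository: a pre-commit style check that
# refuses a secrets.yaml in which any top-level value is still plaintext
# (not an ENC[AES256_GCM,...] blob) or which lacks the trailing "sops:"
# metadata block with at least one age recipient. Nested keys are not inspected.
# Usage: check_sops_file secrets/forgejo/secrets.yaml
set -u

check_sops_file() {
  local file="$1"
  awk '
    /^sops:/ { in_meta = 1; next }
    # Payload line "key: value" at column 0: the value must be a SOPS blob.
    !in_meta && /^[^ #][^:]*: *[^ ]/ {
      val = $0; sub(/^[^:]*: */, "", val)
      if (val !~ /^ENC\[AES256_GCM,/) {
        print FILENAME ": plaintext value for key " $1; bad = 1
      }
    }
    in_meta && /^ +age:/ { has_age = 1 }
    END {
      if (!in_meta) { print FILENAME ": missing sops metadata block"; bad = 1 }
      if (!has_age) { print FILENAME ": no age recipient in sops block"; bad = 1 }
      exit bad + 0
    }
  ' "$file"
}

# Constructed samples in the on-disk shape SOPS writes; the blob contents and
# the recipient are placeholders, not real ciphertext or keys.
write_samples() {
  local dir="$1"
  cat > "$dir/good.yaml" <<'EOF'
admin-password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
db-password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERRECIPIENT
EOF
  # Same file, but one value was saved before encryption: the check must fail.
  cat > "$dir/bad.yaml" <<'EOF'
admin-password: hunter2
db-password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERRECIPIENT
EOF
}
```

Wire it into a git pre-commit hook over `secrets/*/secrets.yaml` so a plaintext file never reaches the remote.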