homelab/nixos/secrets/README.md
plasmagoat a90630ecb6
dump
2025-07-05 11:12:20 +02:00


# 🔐 Secrets Management (with SOPS + Nix)
This directory contains the encrypted secrets used across the infrastructure managed by NixOS and [sops-nix](https://github.com/Mic92/sops-nix). Secrets are stored as [SOPS](https://github.com/getsops/sops) files and encrypted with `age`. Each host holds its own private age key at `/etc/sops/age.key` (outside the Nix store), so a file must be encrypted to the public key of every host that needs to read it, in addition to the admin keys used for editing.
---
## 📁 Directory Structure
```
secrets/
├── forgejo/
│   └── secrets.yaml   # Forgejo-specific secrets (admin password, DB password, secret key)
├── runner/
│   └── secrets.yaml   # Forgejo runner secrets (tokens, etc.)
└── shared/
    └── secrets.yaml   # Shared secrets used across multiple VMs (SSH keys, tokens)
```
---
## 🛠 SOPS Basics
### ✅ Encrypt a **new secret file**
```bash
sops --age <YOUR-AGE-PUBKEY> secrets/myservice/secrets.yaml
```
This opens a new file in `$EDITOR` and, on save, writes it back encrypted to the given age public key. `--age` accepts a comma-separated list; include the public half of `/etc/sops/age.key` of every host that will read the file, not only your own key, or the host will fail to decrypt it at activation time.

Example, taking your own public key from the local private key file with `age-keygen -y` (a `grep public` over `keys.txt` returns the whole `# public key: …` comment line, which is not a valid recipient):
```bash
sops --age "$(age-keygen -y ~/.config/sops/age/keys.txt),<FORGEJO-HOST-AGE-PUBKEY>" secrets/forgejo/secrets.yaml
```
> If the editor is vim, press `i` to enter insert mode, then enter the secrets as plain YAML:
```yaml
admin-password: hunter2
db-password: supersecret
```
---
### ✏️ Edit secrets in an existing file
```bash
sops secrets/forgejo/secrets.yaml
```
sops decrypts the file with your private key, opens the plaintext in `$EDITOR`, and re-encrypts it to the same recipients on save. The plaintext never touches the working tree.
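The commands above pass recipients by hand each time. With a `.sops.yaml` at the repository root, sops chooses the recipients from the file path, so `sops secrets/forgejo/secrets.yaml` needs no `--age` and a file cannot be created without the host keys it needs. The following is an added example, not a file from this repository; the key values are placeholders to replace with the output of `age-keygen -y ~/.config/sops/age/keys.txt` (your key) and `sudo age-keygen -y /etc/sops/age.key` (run on each host):

```yaml
# .sops.yaml at the repository root (added example; placeholder keys)
keys:
  - &admin   <YOUR-AGE-PUBKEY>          # workstation key, may edit every file
  - &forgejo <FORGEJO-VM-AGE-PUBKEY>    # public half of /etc/sops/age.key on the Forgejo VM
  - &runner  <RUNNER-VM-AGE-PUBKEY>     # same, on the runner VM
creation_rules:
  # per-service files: admin plus the one host that reads them
  - path_regex: secrets/forgejo/.*\.yaml$
    key_groups:
      - age:
          - *admin
          - *forgejo
  - path_regex: secrets/runner/.*\.yaml$
    key_groups:
      - age:
          - *admin
          - *runner
  # shared file: every VM that consumes it
  - path_regex: secrets/shared/.*\.yaml$
    key_groups:
      - age:
          - *admin
          - *forgejo
          - *runner
```

After adding a host or rotating a key, edit `.sops.yaml` and run `sops updatekeys secrets/forgejo/secrets.yaml` (one file at a time): it re-wraps the file's data key for the new recipient set without changing the values. A file is only as private as its weakest recipient, so keep admin private keys on the workstation and host private keys on the hosts.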
---
## 🧬 Using Secrets in Nix
### 🧩 Option 1: Reference shared secrets (via `defaultSopsFile`)
```nix
# shared-sops.nix
{
  sops = {
    # this host's private age key; must live outside the Nix store
    age.keyFile = "/etc/sops/age.key";
    # used for every secret that does not set sopsFile itself
    defaultSopsFile = ../secrets/shared/secrets.yaml;
    secrets = {
      "monitoring-token".owner = "prometheus";
    };
  };
};
```
Then, in a service module, reference the path of the decrypted file (by default `/run/secrets/<name>`, owned by the configured `owner` with mode `0400`), never its contents:
```nix
environment.etc."monitoring/token".source = config.sops.secrets."monitoring-token".path;
```
---
### 🧩 Option 2: Reference per-service secrets with explicit `sopsFile`
```nix
# forgejo/sops.nix
{
  sops.secrets = {
    "admin-password" = {
      sopsFile = ../secrets/forgejo/secrets.yaml;  # relative to this .nix file
      owner = "forgejo";
    };
  };
}
```
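To show how a decrypted secret reaches a service, here is an added example (not this repository's module) that wires the Forgejo database password in through the real `services.forgejo` and sops-nix options; the file layout follows the tree above and the unit name `forgejo.service` is assumed:

```nix
# forgejo/default.nix (added example, not the repository's own module)
{ config, ... }:
{
  sops.secrets."db-password" = {
    sopsFile = ../secrets/forgejo/secrets.yaml;
    owner = "forgejo";
    mode = "0400";
    # restart the service when the decrypted file changes on switch
    restartUnits = [ "forgejo.service" ];
  };

  services.forgejo = {
    enable = true;
    database = {
      type = "postgres";
      # the service reads /run/secrets/db-password at runtime; the Nix store
      # only ever contains the ciphertext file
      passwordFile = config.sops.secrets."db-password".path;
    };
  };
}
```

Never pull a secret into the configuration with `builtins.readFile` or string interpolation of its contents: that copies the plaintext into the world-readable Nix store. Pass the `.path` to a `*File`/`credentialsFile`-style option, or to a systemd `LoadCredential`, and let the service read it at runtime.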
---
## 🧪 Testing secrets setup
`dry-activate` builds the configuration and prints what activation would do, which catches a wrong `sopsFile` path or a secret name missing from the file, but it does not decrypt anything:
```bash
nixos-rebuild dry-activate --flake .#my-hostname
```
To confirm that the host's key can actually open a file, decrypt it with that key (on the host, or with a copy of its private key) and pull out a single value, e.g. `SOPS_AGE_KEY_FILE=/etc/sops/age.key sops -d --extract '["admin-password"]' secrets/forgejo/secrets.yaml`. After a real switch, the decrypted files appear under `/run/secrets/` with the configured owner and mode; `ls -l /run/secrets/` shows whether ownership matches the service user.
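A complementary check that needs no private key at all, suitable for a pre-commit hook: parse the encrypted file and confirm that every value is a SOPS `ENC[...]` ciphertext (a plaintext value means the file was saved without sops) and that the `sops.age` metadata lists every host that must read it. The script below is an added example, not part of this repository. The sample documents are constructed, with placeholder ciphertexts and placeholder recipient keys, and are embedded as JSON so the script needs no PyYAML; sops writes the same structure to `.yaml` files, which `yaml.safe_load` turns into the same dict.

```python
"""Offline sanity check for SOPS-encrypted secret files (added example)."""
import json
import re

# Shape of a SOPS ciphertext leaf: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(?:str|int|float|bool|comment)\]$"
)

# Constructed sample in the layout sops writes. Ciphertexts and age recipients
# are placeholders, not real values. hostname_unencrypted is intentionally plain:
# sops leaves keys ending in unencrypted_suffix in clear.
SAMPLE_OK = json.loads("""{
  "admin-password": "ENC[AES256_GCM,data:c2VjcmV0,iv:aXY=,tag:dGFn,type:str]",
  "db-password": "ENC[AES256_GCM,data:ZGI=,iv:aXY=,tag:dGFn,type:str]",
  "hostname_unencrypted": "forgejo-vm",
  "sops": {
    "age": [
      {"recipient": "age1forgejoplaceholder", "enc": "-----BEGIN AGE ENCRYPTED FILE-----"},
      {"recipient": "age1adminplaceholder", "enc": "-----BEGIN AGE ENCRYPTED FILE-----"}
    ],
    "unencrypted_suffix": "_unencrypted",
    "version": "3.9.0"
  }
}""")

# Constructed sample of a broken file: one value saved in plaintext and the
# Forgejo host's key missing from the recipient list.
SAMPLE_BAD = json.loads("""{
  "admin-password": "hunter2",
  "db-password": "ENC[AES256_GCM,data:ZGI=,iv:aXY=,tag:dGFn,type:str]",
  "sops": {
    "age": [{"recipient": "age1adminplaceholder", "enc": "-----BEGIN AGE ENCRYPTED FILE-----"}],
    "unencrypted_suffix": "_unencrypted",
    "version": "3.9.0"
  }
}""")


def _leaves(node, path=()):
    """Yield (path, value) for every leaf, skipping the root-level sops metadata."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not path and key == "sops":
                continue
            yield from _leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _leaves(value, path + (str(idx),))
    else:
        yield path, node


def plaintext_leaves(doc):
    """Paths of values that are neither ciphertexts nor exempt via unencrypted_suffix."""
    suffix = doc.get("sops", {}).get("unencrypted_suffix", "_unencrypted")
    found = []
    for path, value in _leaves(doc):
        if any(part.endswith(suffix) for part in path):
            continue  # deliberately plain, as sops itself leaves it
        if not (isinstance(value, str) and ENC_RE.match(value)):
            found.append("/".join(path))
    return found


def age_recipients(doc):
    """Public keys the file's data key is wrapped for."""
    return {entry["recipient"] for entry in doc.get("sops", {}).get("age", [])}


def missing_recipients(doc, expected):
    """Expected recipients (e.g. every host that reads the file) not present in the metadata."""
    return sorted(set(expected) - age_recipients(doc))


def check_secrets_doc(doc, expected_recipients):
    """Return a list of problems; an empty list means the file is safe to commit."""
    problems = [f"plaintext value at {p}" for p in plaintext_leaves(doc)]
    problems += [f"not encrypted to {r}" for r in missing_recipients(doc, expected_recipients)]
    return problems


if __name__ == "__main__":
    hosts = ["age1forgejoplaceholder", "age1adminplaceholder"]
    for name, doc in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_secrets_doc(doc, hosts) or "ok")
```

In a hook, load each `secrets/**/secrets.yaml` with `yaml.safe_load`, take the expected recipients for that path from `.sops.yaml`, and fail the commit when `check_secrets_doc` returns anything. The recipient check only proves the data key is wrapped for a public key; it cannot prove the matching private key still exists on the host, which is what the `sops -d` check above is for.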
---
## 📚 Resources
* [sops-nix](https://github.com/Mic92/sops-nix)
* [SOPS](https://github.com/getsops/sops) (formerly hosted under `mozilla/sops`)
* [age encryption](https://github.com/FiloSottile/age)