🔧 Using Secrets in NixOS Configurations
You can use decrypted sops-nix secrets in your configuration.nix, service modules, and flake-based setups. Each declared secret is exposed at `config.sops.secrets.<name>.path` (by default a file under `/run/secrets`), and that path is what the snippets below reference.
🔑 1. Use as environment variable (e.g. password)

```nix
# systemd reads the decrypted file as an environment file: one KEY=value per line
systemd.services.my-service.serviceConfig.EnvironmentFile =
  config.sops.secrets."my-password".path;
```

Your `secrets.yaml` should contain:

```yaml
my-password: PASSWORD=supersecret
```
🗂 2. Use as file source (e.g. private key or token)

```nix
# /etc/ssh/id_ed25519 becomes a link to the decrypted secret, not a copy in the Nix store
environment.etc."ssh/id_ed25519".source =
  config.sops.secrets."ssh-private-key".path;
```

This makes `/etc/ssh/id_ed25519` a symlink to the decrypted secret, so the file keeps the owner and mode configured on the sops secret (root and `0400` unless you set `owner`/`mode` on it).
👤 3. Read a secret value directly (not recommended for sensitive data)

```nix
# Use a secret as a string value in a setting
services.myapp.settings.apiKey = builtins.readFile config.sops.secrets."api-key".path;
```

`builtins.readFile` runs at evaluation time, so the plaintext ends up in the generated configuration in the world-readable Nix store, and evaluation may happen on a machine where `/run/secrets/api-key` does not exist at all. Prefer passing the path (examples 1, 2 and 4) so the value is only read at runtime.
🛠 4. Use in systemd preStart scripts

```nix
systemd.services.my-service.preStart = ''
  # read the decrypted file into a variable at runtime (bash $(<file) redirection)
  export PASSWORD=$(<${config.sops.secrets."my-password".path})
  ./myapp --auth "$PASSWORD"
'';
```

Note that `preStart` runs as the service's `User`, so the secret must be readable by that user (set `owner` on the secret), and anything passed as a command-line argument is visible in the process list for as long as the command runs; passing the file path or using the environment variable is preferable where the program supports it.
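The snippets in sections 1 and 4 only show the consuming side. The following added example (not code from the original page or from sops-nix) shows the declaration that makes `config.sops.secrets."my-password".path` exist, with the owner aligned to a dedicated service user so that both `EnvironmentFile` and a `preStart` script can read it. The service name `my-service`, the user `myapp`, the package `pkgs.myapp` and the key file location are assumptions.

```nix
# Added example, not from the original page: declaring the secret and wiring it
# into a service that runs as its own user. "myapp", "my-service", pkgs.myapp and
# the age key path are assumed names for illustration.
{ config, pkgs, lib, ... }:
{
  # Encrypted file kept in the repository; the age key lives outside the Nix store.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # This declaration is what creates /run/secrets/my-password at activation.
  # owner/group/mode decide who can open the decrypted file: systemd reads
  # EnvironmentFile itself, but a preStart/ExecStart running as "myapp" needs
  # read access, hence the explicit owner.
  sops.secrets."my-password" = {
    owner = "myapp";
    group = "myapp";
    mode = "0400";
    # re-deploying a changed secret restarts the unit that consumes it
    restartUnits = [ "my-service.service" ];
  };

  users.users.myapp = {
    isSystemUser = true;
    group = "myapp";
  };
  users.groups.myapp = { };

  systemd.services.my-service = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "myapp";
      Group = "myapp";
      # The decrypted file holds "PASSWORD=supersecret", so the process sees $PASSWORD
      # without the value ever appearing on a command line or in the Nix store.
      EnvironmentFile = config.sops.secrets."my-password".path;
      ExecStart = lib.getExe pkgs.myapp;
    };
  };
}
```

With this in place `systemctl show my-service -p EnvironmentFiles` lists the `/run/secrets` path rather than a store path, and `ls -l /run/secrets/my-password` shows the owner and mode set above.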
🧠 5. Use in Forgejo user creation

```nix
# cfg refers to config.services.forgejo here
systemd.services.forgejo.preStart = ''
  ${lib.getExe cfg.package} admin user create \
    --username admin \
    --password "$(tr -d '\n' < ${config.sops.secrets."admin-password".path})"
'';
```

The `tr -d '\n'` strips the trailing newline so it does not become part of the password. Two things to check: `preStart` runs as the Forgejo service user, so the secret needs `owner = config.services.forgejo.user` (the default owner is root with mode `0400`, which that user cannot read), and `admin user create` is not idempotent, so on the second start it fails because the user already exists and takes the service down with it.
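A guarded version of the Forgejo snippet, as an added example that is not from the original page or from the Forgejo module: the secret is owned by the service user, the creation step is appended after the module's own setup with `lib.mkAfter`, and a stamp file in the state directory makes it run only once. The secret name `forgejo-admin-password`, the stamp file name and the e-mail address are assumptions; `cfg.user` and `cfg.stateDir` refer to the `services.forgejo` options.

```nix
# Added example, not from the original page: one-shot, guarded admin creation.
# Assumed: secret name "forgejo-admin-password", stamp file name, placeholder e-mail.
{ config, lib, ... }:
let
  cfg = config.services.forgejo;
  pwFile = config.sops.secrets."forgejo-admin-password".path;
  # marker that records the step has already run (lives in Forgejo's state dir)
  stamp = "${cfg.stateDir}/.admin-user-created";
in
{
  # preStart runs as cfg.user, so the decrypted file must be readable by it;
  # 0400 keeps it unreadable for everyone else.
  sops.secrets."forgejo-admin-password" = {
    owner = cfg.user;
    mode = "0400";
  };

  # mkAfter orders this after the module's own preStart, which prepares the
  # database and app.ini that the admin CLI needs.
  systemd.services.forgejo.preStart = lib.mkAfter ''
    set -euo pipefail
    if [ ! -e ${stamp} ]; then
      ${lib.getExe cfg.package} admin user create \
        --admin \
        --username admin \
        --email admin@example.invalid \
        --password "$(tr -d '\n' < ${pwFile})"
      touch ${stamp}
    fi
  '';
}
```

The password still passes through the command line of the `admin user create` process, exactly as in the original snippet; the guard only ensures that this happens once, at first start, instead of on every restart.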