homelab/nixos/secrets/HOWTO.md at dcd11d4d66e1263028903a10120eb5c6aafdd94f

plasmagoat/homelab

Fork 0

plasmagoat 7dd5043b5d ready for runners

2025-06-06 23:32:17 +02:00

1.3 KiB

Raw Blame History

🔧 Using Secrets in NixOS Configurations

You can use decrypted SOPS secrets in your configuration.nix, service modules, and flake-based setups.

🔑 1. Use as environment variable (e.g. password)

systemd.services.my-service.serviceConfig.EnvironmentFile =
  config.sops.secrets."my-password".path;

Your secrets.yaml should contain:
my-password: PASSWORD=supersecret

🗂 2. Use as file source (e.g. private key or token)

environment.etc."ssh/id_ed25519".source =
  config.sops.secrets."ssh-private-key".path;

This places the decrypted secret at /etc/ssh/id_ed25519 with appropriate permissions.

👤 3. Read a secret value directly (not recommended for sensitive data)

# Use a secret as a string value in a setting
services.myapp.settings.apiKey = builtins.readFile config.sops.secrets."api-key".path;

🛠 4. Use in systemd preStart scripts

systemd.services.my-service.preStart = ''
  export PASSWORD=$(<${config.sops.secrets."my-password".path})
  ./myapp --auth $PASSWORD
'';

🧠 5. Use in Forgejo user creation

systemd.services.forgejo.preStart = ''
  ${lib.getExe cfg.package} admin user create \
    --username admin \
    --password "$(tr -d '\n' < ${config.sops.secrets."admin-password".path})"
'';

1.3 KiB Raw Blame History

🔧 Using Secrets in NixOS Configurations

🔑 1. Use as environment variable (e.g. password)

🗂 2. Use as file source (e.g. private key or token)

👤 3. Read a secret value directly (not recommended for sensitive data)

🛠 4. Use in systemd preStart scripts

🧠 5. Use in Forgejo user creation

1.3 KiB

Raw Blame History