### 🔧 Using Secrets in NixOS Configurations

You can use decrypted SOPS secrets in your `configuration.nix`, service modules, and flake-based setups.

#### 🔑 1. Use as environment variable (e.g. password)

```nix
# systemd reads the EnvironmentFile before switching to the unit's User=,
# so the secret can keep sops-nix's default root-only file mode.
systemd.services.my-service.serviceConfig.EnvironmentFile =
  config.sops.secrets."my-password".path;
```

> Your `secrets.yaml` should contain:
>
> ```yaml
> my-password: PASSWORD=supersecret
> ```

---

#### 🗂 2. Use as file source (e.g. private key or token)

```nix
# `.path` is a plain string (by default /run/secrets/ssh-private-key), so NixOS
# symlinks /etc/ssh/id_ed25519 to it instead of copying the key into the Nix store.
environment.etc."ssh/id_ed25519".source =
  config.sops.secrets."ssh-private-key".path;
```

> This places the decrypted secret at `/etc/ssh/id_ed25519` with the permissions configured on the secret.

---

#### 👤 3. Read a secret value directly (not recommended for sensitive data)

```nix
# Use a secret as a string value in a setting.
# builtins.readFile runs at evaluation time: the plaintext is baked into the
# generated configuration and ends up in the world-readable /nix/store, and the
# decrypted file may not even exist yet when evaluating on another machine.
# Only use this for values that are not actually sensitive.
services.myapp.settings.apiKey = builtins.readFile config.sops.secrets."api-key".path;
```

---

#### 🛠 4. Use in systemd preStart scripts

```nix
# preStart runs as the unit's User=, so that user must be able to read the secret
# (set `owner` on the secret if the service does not run as root).
systemd.services.my-service.preStart = ''
  # here the secret file holds the bare value, not a KEY=value line
  export PASSWORD=$(<${config.sops.secrets."my-password".path})
  ./myapp --auth "$PASSWORD"
'';
```

---

#### 🧠 5. Use in Forgejo user creation

```nix
# `cfg` is assumed to be `config.services.forgejo`. preStart runs as the Forgejo
# service user, so the secret needs `owner = config.services.forgejo.user`.
# The command fails once the user already exists, so guard it on repeated starts.
systemd.services.forgejo.preStart = ''
  ${lib.getExe cfg.package} admin user create \
    --username admin \
    --email admin@example.invalid \
    --password "$(tr -d '\n' < ${config.sops.secrets."admin-password".path})"
'';
```
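The snippets above consume secrets but never show how they are declared. As an added example that is not part of the original page, here is a sops-nix declaration of the three secrets used above, with ownership matched to who reads each file; it assumes the sops-nix module is already imported, that the encrypted file lives at `./secrets.yaml`, that the host age key is at `/var/lib/sops-nix/key.txt`, and that `my-service` is a non-root unit.

```nix
{ config, lib, pkgs, ... }:
{
  sops = {
    # Encrypted file committed to the repo; every key below must exist in it (assumed path).
    defaultSopsFile = ./secrets.yaml;
    # Host-local age key used at activation; it never enters the Nix store (assumed path).
    age.keyFile = "/var/lib/sops-nix/key.txt";

    secrets = {
      # Consumed via EnvironmentFile: systemd reads it before dropping to User=,
      # so the default root:root 0400 is enough. Restart the unit when it changes.
      "my-password".restartUnits = [ "my-service.service" ];

      # Linked into /etc/ssh via environment.etc: keep it readable by root only.
      "ssh-private-key" = {
        owner = "root";
        mode = "0400";
      };

      # Read inside forgejo's preStart, which runs as the forgejo user,
      # so that user, not root, must own the decrypted file.
      "admin-password" = {
        owner = config.services.forgejo.user;
        mode = "0400";
        restartUnits = [ "forgejo.service" ];
      };
    };
  };

  # Non-root consumer of "my-password" through EnvironmentFile (assumed unit and user).
  systemd.services.my-service = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "my-service";
      Group = "my-service";
      EnvironmentFile = config.sops.secrets."my-password".path;
      ExecStart = "${pkgs.coreutils}/bin/true"; # placeholder for the real program
    };
  };
  users.users.my-service = { isSystemUser = true; group = "my-service"; };
  users.groups.my-service = { };
}
```

Because `preStart` runs as the unit's user, a secret that keeps the default root-only owner would make the Forgejo and `preStart` snippets fail with a permission error; the `owner` settings above are what make them work.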