🔑 2. Generate an age Keypair
age-keygen -o secrets/age.key
This will output something like:
created: 2025-06-02T22:00:00Z
public key: age1abcdefghijk...
Copy that public key somewhere — you’ll need it for encrypting.
✅ You should now have:
secrets/
└── age.key          # keep this safe and private!
📝 3. Create Encrypted Secrets File
sops --age age1abcdefghijk... secrets/secrets.yaml
This opens a YAML file in your $EDITOR. Add secrets like:
forgejo-admin-password: "my-super-secret-password"
Save and close the file — it’s now encrypted using the public key.
✅ Now you should have:
secrets/
├── age.key
└── secrets.yaml     # encrypted file (safe to commit)
You can commit secrets.yaml, but do not commit age.key unless you're OK with putting it on a VM. Anyone who can read age.key can decrypt every value in secrets.yaml.
🧪 Test Decryption Locally
export SOPS_AGE_KEY_FILE=secrets/age.key
To test:
sops -d secrets/secrets.yaml
To edit:
sops secrets/secrets.yaml
[plasmagoat@forgejo:~]$ sudo chmod 400 /etc/sops/age.key && sudo chown root:root /etc/sops/age.key
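A check for the layout above, as an added example that is not part of the original page: it confirms that age.key is an age identity readable only by its owner and that every mapping value in secrets.yaml is an ENC[...] ciphertext before the file is treated as safe to commit. The function names are hypothetical, and it assumes sops' default behaviour of encrypting every value.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original page.
# Assumes sops' default of encrypting every value in the YAML file.

# True if FILE holds an age identity (private key) as written by age-keygen.
is_age_private_key() {
    grep -q '^AGE-SECRET-KEY-1' "$1"
}

# True if FILE grants nothing to group or others (mode 400 or 600, for example).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if FILE has a sops metadata block and every "key: value" line before it
# (at any nesting depth) carries an ENC[...] ciphertext rather than plaintext.
is_sops_encrypted() {
    grep -q '^sops:' "$1" || return 1
    awk '
        BEGIN { bad = 0 }
        /^sops:/ { exit }                    # metadata block: stop checking
        /^[ \t]*[^# \t][^:]*:[ \t]+[^ \t]/ { # a mapping entry with a value
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)      # keep only the value
            if (v !~ /^ENC\[/) { bad = 1; exit }
        }
        END { exit bad }
    ' "$1"
}

# Check a directory laid out as on this page: DIR/age.key and DIR/secrets.yaml.
check_secrets_dir() {
    dir=$1; rc=0
    is_age_private_key "$dir/age.key" ||
        { echo "age.key: not an age identity" >&2; rc=1; }
    key_is_private "$dir/age.key" ||
        { echo "age.key: readable by group or others" >&2; rc=1; }
    is_sops_encrypted "$dir/secrets.yaml" ||
        { echo "secrets.yaml: plaintext value or no sops metadata" >&2; rc=1; }
    return $rc
}
```

In a pre-commit hook, is_age_private_key can also be run over the files listed by git diff --cached --name-only to reject a commit that stages a private key.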