From 832367e4e4d7c55538a95cac6cf2e09f430d94c3 Mon Sep 17 00:00:00 2001 From: Poby <87608318+smg1024@users.noreply.github.com> Date: Wed, 13 May 2026 22:38:43 +0900 Subject: [PATCH] feat: install sops cli --- modules/aspects/system-packages.nix | 1 + secrets/README.md | 16 +++++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/modules/aspects/system-packages.nix b/modules/aspects/system-packages.nix index 8e21148..5630d09 100644 --- a/modules/aspects/system-packages.nix +++ b/modules/aspects/system-packages.nix @@ -7,6 +7,7 @@ git neovim just + sops tree fastfetchMinimal ]; diff --git a/secrets/README.md b/secrets/README.md index cadd0c2..82f501a 100644 --- a/secrets/README.md +++ b/secrets/README.md @@ -9,18 +9,13 @@ aspect. Do not commit plaintext secrets. - SOPS rules: `.sops.yaml` - Age key file: `~/.config/sops/age/keys.txt` - Environment variable: `SOPS_AGE_KEY_FILE`, exported by the `secrets` aspect +- SOPS CLI: installed by the system packages aspect - Secret declarations: `modules/aspects/_secrets/sops.nix` - SSH host wiring: `modules/aspects/_ssh/ssh.nix` ## Add An SSH Private Key -From the repository root, open a shell with `sops` and `age`: - -```bash -nix-shell -p sops age -``` - -Open the encrypted secret file with the age key: +From the repository root, open the encrypted secret file: ```bash sops secrets/poby.yaml @@ -46,6 +41,13 @@ file explicitly for the command: SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml ``` +If the system package set has not been applied yet, run the command from a +temporary shell with `sops`: + +```bash +nix-shell -p sops --run 'sops secrets/poby.yaml' +``` + ## Generate A New SSH Key First If the key does not exist yet, generate it before opening SOPS:
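Review bot: In modules/aspects/system-packages.nix only `sops` is added after `just`, while the README lines removed in this same patch used `nix-shell -p sops age`, so `age` is no longer supplied by either the system package list or the fallback shell. If any step in the repository still calls the `age` or `age-keygen` binary, for instance to create `~/.config/sops/age/keys.txt`, add `age` next to `sops` here; if dropping it is intentional, say so in the commit message, which currently has only the subject line.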
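Review bot: In the first secrets/README.md hunk, the new bullet `- SOPS CLI: installed by the system packages aspect` is the only entry in that list that gives no path or identifier, whereas the neighbouring bullets point at `.sops.yaml`, `modules/aspects/_secrets/sops.nix` and `modules/aspects/_ssh/ssh.nix`. Suggest naming `modules/aspects/system-packages.nix` in the bullet so a reader can find where the package is declared and confirm that the aspect is enabled on their host before relying on a bare `sops` command.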
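Review bot: In the second secrets/README.md hunk, the fallback `nix-shell -p sops --run 'sops secrets/poby.yaml'` does not set `SOPS_AGE_KEY_FILE`, yet the README says that variable is exported by the `secrets` aspect, and a host where the system package set has not been applied may not have that aspect active either. The context line just above already shows the explicit form, so the fallback could be written as `SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" nix-shell -p sops --run 'sops secrets/poby.yaml'`, or the paragraph could state that the two workarounds may need to be combined.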