From d54f1b591ab5c757d83f1cb99532ab901162db3a Mon Sep 17 00:00:00 2001 From: Poby <87608318+smg1024@users.noreply.github.com> Date: Wed, 13 May 2026 22:27:15 +0900 Subject: [PATCH] feat: export sops age key file --- README.md | 8 ++++---- modules/aspects/_secrets/sops.nix | 10 ++++++++-- secrets/README.md | 13 ++++++++++--- 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index b46679e..4977dec 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Declarative macOS setup with `nix-darwin`, `home-manager`, `nix-homebrew`, and - SOPS age key at: ```bash -~/.config/sops/age/keys.txt +$HOME/.config/sops/age/keys.txt ``` ## Repository Layout @@ -78,9 +78,9 @@ just gc - `modules/flake/darwin-configurations.nix` assembles each host’s `darwinConfigurations.` output and embeds Home Manager for user `poby`. - `modules/aspects/` is the feature vocabulary for hosts. The current feature - set is `base`, `nix-core`, `system-packages`, `homebrew`, - `macos-defaults`, `activation`, `fonts`, `sudo-auth`, `shell`, `cli-tools`, - `git`, `ssh`, `secrets`, `terminal`, `editor`, `desktop`, and `fenrir`. + set is `base`, `nix-core`, `system-packages`, `homebrew`, `macos-defaults`, + `activation`, `fonts`, `sudo-auth`, `shell`, `cli-tools`, `git`, `ssh`, + `secrets`, `terminal`, `editor`, `desktop`, and `fenrir`. - The `cli-tools` aspect owns the CLI user tool set, including `zoxide`. - `modules/aspects/_*/` contains implementation files that are intentionally not auto-loaded. `import-tree` skips paths containing `/_`, which is the repo’s diff --git a/modules/aspects/_secrets/sops.nix b/modules/aspects/_secrets/sops.nix index ae6057f..31bcc9e 100644 --- a/modules/aspects/_secrets/sops.nix +++ b/modules/aspects/_secrets/sops.nix 
@@ -1,6 +1,12 @@ -{config, ...}: { +{config, ...}: let + ageKeyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; +in { + home.sessionVariables = { + SOPS_AGE_KEY_FILE = ageKeyFile; + }; + sops = { - age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; + age.keyFile = ageKeyFile; defaultSopsFile = config.repo.user.secretFile; diff --git a/secrets/README.md b/secrets/README.md index d19fcc7..cadd0c2 100644 --- a/secrets/README.md +++ b/secrets/README.md @@ -8,6 +8,7 @@ aspect. Do not commit plaintext secrets. - Secret file: `secrets/poby.yaml` - SOPS rules: `.sops.yaml` - Age key file: `~/.config/sops/age/keys.txt` +- Environment variable: `SOPS_AGE_KEY_FILE`, exported by the `secrets` aspect - Secret declarations: `modules/aspects/_secrets/sops.nix` - SSH host wiring: `modules/aspects/_ssh/ssh.nix` @@ -22,7 +23,7 @@ nix-shell -p sops age Open the encrypted secret file with the age key: ```bash -SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml +sops secrets/poby.yaml ``` Add a top-level key name and paste the private key as a YAML block scalar: @@ -38,6 +39,13 @@ Save and quit the editor. SOPS will re-encrypt the file automatically. Do not edit the `sops:` metadata block manually. +If this machine has not applied the Home Manager config yet, set the age key +file explicitly for the command: + +```bash +SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml +``` + ## Generate A New SSH Key First If the key does not exist yet, generate it before opening SOPS: @@ -89,8 +97,7 @@ Confirm the encrypted file contains the expected top-level secret names without printing secret values: ```bash -SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" \ - sops -d secrets/poby.yaml \ +sops -d secrets/poby.yaml \ | awk -F: '/^[A-Za-z0-9_]+:/ { print $1 }' ```
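Review bot: In the README.md hunk at @@ -20,7 +20,7 @@, switching the documented key path from `~/.config/...` to `$HOME/.config/...` leaves the two READMEs inconsistent, since the secrets/README.md hunk at @@ -8,6 +8,7 @@ still lists `~/.config/sops/age/keys.txt`. The block is a bare path rather than a command, so either spelling works; pick one form and use it in both files so a reader grepping for the path finds a single spelling.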
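Review bot: The README.md hunk at @@ -78,9 +78,9 @@ is a pure re-wrap of the aspect list with no wording change, which is unrelated to the age-key export in the subject line. Consider moving it to its own commit so the history for the `secrets` aspect stays focused, or, if it stays, use the opportunity to mention that the `secrets` aspect now exports `SOPS_AGE_KEY_FILE`, since the top-level README otherwise says nothing about the new variable.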
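Review bot: In the sops.nix hunk at @@ -1,6 +1,12 @@, the new `let ageKeyFile = ...` binding duplicates a value the module system already exposes; `home.sessionVariables.SOPS_AGE_KEY_FILE = config.sops.age.keyFile;` would keep `sops.age.keyFile` as the single source of truth and drop the `let`. Separately, the variable only carries the path, never key material, so exporting it through `home.sessionVariables` is safe, but note that the value is only present in shells that have sourced the Home Manager session variables, and nothing here enforces permissions on the key file itself; a one-line reminder near the export that `keys.txt` should be mode 0600 would help whoever provisions a new host.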
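Review bot: The secrets/README.md hunk at @@ -8,6 +8,7 @@ adds the `SOPS_AGE_KEY_FILE` line without saying why the variable is needed. On macOS, sops looks for the age key under `$HOME/Library/Application Support/sops/age/keys.txt` by default rather than `~/.config/sops/age/keys.txt`, so the export is what makes the `~/.config` location work at all with `sops` run from a shell. Stating that next to the variable turns a bare fact into the reason a reader should not drop it.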
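Review bot: In the secrets/README.md hunk at @@ -22,7 +23,7 @@, dropping the inline `SOPS_AGE_KEY_FILE=...` from `sops secrets/poby.yaml` assumes the `nix-shell -p sops age` shown just above inherits the variable from the parent shell. That holds when the outer shell has sourced the Home Manager session variables, but the doc should say so, for example "run this from a login shell opened after `darwin-rebuild switch`", so readers do not hit a "no key found" error from `sops` and assume the key file is missing.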
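Review bot: In the secrets/README.md hunk at @@ -38,6 +39,13 @@, "has not applied the Home Manager config yet" is too narrow as the trigger for the explicit-variable fallback: a shell started before the switch, or any session that did not source the Home Manager session variables, is in the same state. A check the reader can run is clearer than describing the cause, e.g. "If `echo \"$SOPS_AGE_KEY_FILE\"` prints nothing, set the age key file explicitly for the command:".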
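Review bot: In the secrets/README.md hunk at @@ -89,8 +97,7 @@, the pipeline `sops -d secrets/poby.yaml | awk ...` decrypts every value into the pipe even though only top-level key names are wanted. Because sops encrypts values but keeps YAML keys in cleartext, the names can be listed straight from the encrypted file, with no age key and no plaintext in any process: `awk -F: '/^[A-Za-z0-9_]+:/ && $1 != "sops" { print $1 }' secrets/poby.yaml`. The `$1 != "sops"` guard skips the metadata block that `sops -d` would have stripped. Keeping decryption out of a "check names only" step is worth the one-line change.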