smg1024/nix-darwin
1
0
Fork 0
mirror of https://github.com/smg1024/nix-darwin.git synced 2026-05-22 20:32:59 +09:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: export sops age key file

Browse source
This commit is contained in:
Poby 2026-05-13 22:27:15 +09:00
parent 725e9f6d87
commit d54f1b591a
No known key found for this signature in database
3 changed files with 22 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -20,7 +20,7 @@ Declarative macOS setup with `nix-darwin`, `home-manager`, `nix-homebrew`, and
- SOPS age key at:
```bash
~/.config/sops/age/keys.txt
$HOME/.config/sops/age/keys.txt
```
## Repository Layout
@ -78,9 +78,9 @@ just gc
- `modules/flake/darwin-configurations.nix` assembles each hosts
`darwinConfigurations.<host>` output and embeds Home Manager for user `poby`.
- `modules/aspects/` is the feature vocabulary for hosts. The current feature
set is `base`, `nix-core`, `system-packages`, `homebrew`,
`macos-defaults`, `activation`, `fonts`, `sudo-auth`, `shell`, `cli-tools`,
`git`, `ssh`, `secrets`, `terminal`, `editor`, `desktop`, and `fenrir`.
set is `base`, `nix-core`, `system-packages`, `homebrew`, `macos-defaults`,
`activation`, `fonts`, `sudo-auth`, `shell`, `cli-tools`, `git`, `ssh`,
`secrets`, `terminal`, `editor`, `desktop`, and `fenrir`.
- The `cli-tools` aspect owns the CLI user tool set, including `zoxide`.
- `modules/aspects/_*/` contains implementation files that are intentionally not
auto-loaded. `import-tree` skips paths containing `/_`, which is the repos

10
modules/aspects/_secrets/sops.nix
View file

@ -1,6 +1,12 @@
{config, ...}: {
{config, ...}: let
ageKeyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
in {
home.sessionVariables = {
SOPS_AGE_KEY_FILE = ageKeyFile;
};
sops = {
age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
age.keyFile = ageKeyFile;
defaultSopsFile = config.repo.user.secretFile;

13
secrets/README.md
View file

@ -8,6 +8,7 @@ aspect. Do not commit plaintext secrets.
- Secret file: `secrets/poby.yaml`
- SOPS rules: `.sops.yaml`
- Age key file: `~/.config/sops/age/keys.txt`
- Environment variable: `SOPS_AGE_KEY_FILE`, exported by the `secrets` aspect
- Secret declarations: `modules/aspects/_secrets/sops.nix`
- SSH host wiring: `modules/aspects/_ssh/ssh.nix`
@ -22,7 +23,7 @@ nix-shell -p sops age
Open the encrypted secret file with the age key:
```bash
SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml
sops secrets/poby.yaml
```
Add a top-level key name and paste the private key as a YAML block scalar:
@ -38,6 +39,13 @@ Save and quit the editor. SOPS will re-encrypt the file automatically.
Do not edit the `sops:` metadata block manually.
If this machine has not applied the Home Manager config yet, set the age key
file explicitly for the command:
```bash
SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml
```
## Generate A New SSH Key First
If the key does not exist yet, generate it before opening SOPS:
@ -89,8 +97,7 @@ Confirm the encrypted file contains the expected top-level secret names without
printing secret values:
```bash
SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" \
sops -d secrets/poby.yaml \
sops -d secrets/poby.yaml \
| awk -F: '/^[A-Za-z0-9_]+:/ { print $1 }'
```