smg1024/nix-darwin
1
0
Fork 0
mirror of https://github.com/smg1024/nix-darwin.git synced 2026-05-22 20:32:59 +09:00
Code Issues Projects Releases Packages Wiki Activity Actions
nix-darwin/secrets/README.md
Poby d54f1b591a
feat: export sops age key file
2026-05-13 22:27:15 +09:00

2.9 KiB
Raw Blame History

Secrets

This directory stores SOPS-encrypted secrets used by the secrets Home Manager aspect. Do not commit plaintext secrets.

Current Setup

  • Secret file: secrets/poby.yaml
  • SOPS rules: .sops.yaml
  • Age key file: ~/.config/sops/age/keys.txt
  • Environment variable: SOPS_AGE_KEY_FILE, exported by the secrets aspect
  • Secret declarations: modules/aspects/_secrets/sops.nix
  • SSH host wiring: modules/aspects/_ssh/ssh.nix

Add An SSH Private Key

From the repository root, open a shell with sops and age:

nix-shell -p sops age

Open the encrypted secret file with the age key:

sops secrets/poby.yaml

Add a top-level key name and paste the private key as a YAML block scalar:

workstation_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  ...
  -----END OPENSSH PRIVATE KEY-----

Save and quit the editor. SOPS will re-encrypt the file automatically.

Do not edit the sops: metadata block manually.

If this machine has not applied the Home Manager config yet, set the age key file explicitly for the command:

SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml

Generate A New SSH Key First

If the key does not exist yet, generate it before opening SOPS:

ssh-keygen -t ed25519 -f ~/.ssh/workstation_ssh_key -C "workstation"

Register the public key wherever the remote service expects it:

cat ~/.ssh/workstation_ssh_key.pub

Then copy the private key contents into secrets/poby.yaml with SOPS.

After the private key is stored in SOPS and deployed through sops-nix, remove any temporary plaintext private key if it is no longer needed outside this repo.

Declare The Secret In Nix

Add the secret name to modules/aspects/_secrets/sops.nix:

secrets = {
  "github_ssh_key" = {};
  "github_cli_token" = {};
  "workstation_ssh_key" = {};
};

Use The Secret For SSH

Reference the SOPS-managed secret path from the matching SSH host block in modules/aspects/_ssh/ssh.nix:

"workstation-host" = {
  hostname = "example.com";
  user = "example";
  identitiesOnly = true;
  identityFile = [config.sops.secrets."workstation_ssh_key".path];
};

Verify

Confirm the encrypted file contains the expected top-level secret names without printing secret values:

sops -d secrets/poby.yaml \
  | awk -F: '/^[A-Za-z0-9_]+:/ { print $1 }'

Confirm no plaintext private key was written into the encrypted file:

rg -n "BEGIN OPENSSH PRIVATE KEY|END OPENSSH PRIVATE KEY" secrets/poby.yaml

Expected result: no output.

Evaluate the Darwin configuration:

nix build .#darwinConfigurations.fenrir.system \
  --dry-run \
  --extra-experimental-features 'nix-command flakes'

Build and switch:

just darwin fenrir

Test the SSH alias:

ssh -o BatchMode=yes workstation-host true

No output means the SSH command succeeded.