Secrets management

This repo uses sops as the main secret management tool. For integrating this into NixOS, I use sops-nix.

To get started, you need to be familiar with using sops and then be intimately familiar with sops-nix NixOS module [1].

To get started using sops, I recommend to take a look at .sops.yaml file which secrets belong to whom. Then edit a secrets with sops PATH_TO_SECRET. Take note, you need to respective keys to edit the secret in the first place. If you edit ./secrets/backup-archive.yaml for example, it needs one of the keys (either my age and GPG key or the age key from host ni).

The recommended practice to manage them secrets is to have them consolidate into one file. However, once the namespace has a large number (preferably 7 or more) of secrets under it, you can separate them into a individual file with the namespace as the filename.

In order to use sops with NixOS, we have to use sops-nix NixOS module. The best practice for using this module (for this project anyways) is to not set sops.defaultSopsFile and set individual secrets with sopsFile. Obviously, this is tedious.

Which is why I have several functions in my custom library that helps with setting secrets. The star of the show is getSecrets which accepts a path to the sops file and an attribute set of secrets to be set with sops.secrets. As you might’ve guessed, getSecrets will set the sopsFile to the given secret.

{ config, lib, pkgs, ... }:

{
  sops.secrets = lib.getSecrets ./sops.yaml {
    ssh-key = { };
    "borg/ssh-key" = { };
    "wireguard/private-key" = {
      group = config.users.users.systemd-network.group;
      reloadUnits = [ "systemd-networkd.service" ];
      mode = "0640";
    };
  };
}
foodogsquared
foodogsquared

What about for secrets that have been separated into its own file, you ask. The files under that namespace will be moved up in the filesystem which is not nice for organizing your decrypted secrets.

Ezran
Ezran

I’m going to guess you also have a function in your library for that.

For secrets that have been eventually moved into its own file where the decrypted secrets location will be moved one parent up in the location, there is a function for it which is attachSopsPathPrefix. The following example assumes that Wireguard secrets has been moved into its own file.

{ config, lib, pkgs, ... }:

{
  sops.secrets =
    lib.getSecrets ./sops.yaml
      {
        ssh-key = { };
        "borg/ssh-key" = { };
      } //
    (lib.getSecrets ./wireguard.yaml
      (lib.attachSopsPathPrefix "wireguard" {
        "private-key" = {
          group = config.users.users.systemd-network.group;
          reloadUnits = [ "systemd-networkd.service" ];
          mode = "0640";
        };
      }));
}

1. There’s even a home-manager module available which is nice.