@andi242
Last active October 25, 2025 15:42
nixos secrets with sops-nix

scan the target server for its ssh host key (the ed25519 one) and convert it into an age recipient:

```
nix-shell -p ssh-to-age --run "ssh-keyscan 192.168.1.103 | ssh-to-age"
```

the output will be an age recipient like `age1whateverblablaxyz...`
add it to the `.sops.yaml` config file according to the sops-nix docs.

and update the repo (re-encrypting every secrets file for the new recipient):

```
sops updatekeys secrets/*.yaml # given the secrets are in subfolder 'secrets'
git add --all
git commit -m "updated secrets"
git push
```

to update the input to the latest version (newer Nix versions use `nix flake update nix-secrets` instead of the deprecated `--update-input` form):

```
nix flake update --update-input nix-secrets
```

then run nixos-rebuild etc. as usual.
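The scan step above trusts whatever key `ssh-keyscan` gets back from the network. The following is an added example (not part of the gist) that only converts the scanned key after it matches a copy of `/etc/ssh/ssh_host_ed25519_key.pub` read from the host's console, and then checks whether the resulting recipient is already in `.sops.yaml`. The function names `host_key_matches`, `recipient_present` and `onboard_host` are chosen here; `ssh-keyscan`, `ssh-to-age` and `sops` are assumed to be on `PATH` when `onboard_host` is run.

```shell
# Added example, not from the gist: onboard a host into .sops.yaml only after
# checking the scanned host key against a copy obtained out-of-band.
# Assumed: ssh-keyscan, ssh-to-age and sops are on PATH when onboard_host runs.
set -eu

# Return 0 when the ssh-keyscan line ($1, "host ssh-ed25519 AAAA...") carries
# exactly the ed25519 key in $2 ("ssh-ed25519 AAAA... comment"), i.e. the
# content of the host's /etc/ssh/ssh_host_ed25519_key.pub read from its console.
host_key_matches() {
  scanned_type=$(printf '%s\n' "$1" | awk '{print $2}')
  scanned_key=$(printf '%s\n' "$1" | awk '{print $3}')
  expected_type=$(printf '%s\n' "$2" | awk '{print $1}')
  expected_key=$(printf '%s\n' "$2" | awk '{print $2}')
  [ "$scanned_type" = "ssh-ed25519" ] &&
    [ "$scanned_type" = "$expected_type" ] &&
    [ -n "$scanned_key" ] &&
    [ "$scanned_key" = "$expected_key" ]
}

# Return 0 when the age recipient ($1) already appears in the .sops.yaml at $2.
recipient_present() {
  grep -Fq -- "$1" "$2"
}

# Scan host $1, verify against the out-of-band key $2, convert to an age
# recipient and report whether .sops.yaml ($3) already lists it. A mismatch
# refuses: encrypting to an unverified key would hand the secrets to whoever
# answered the scan.
onboard_host() {
  line=$(ssh-keyscan -t ed25519 "$1" 2>/dev/null | head -n 1)
  if ! host_key_matches "$line" "$2"; then
    echo "host key of $1 does not match the out-of-band copy; refusing" >&2
    return 1
  fi
  recipient=$(printf '%s\n' "$line" | ssh-to-age)
  if recipient_present "$recipient" "$3"; then
    echo "$recipient is already in $3"
  else
    echo "add $recipient to $3, then run: sops updatekeys secrets/*.yaml"
  fi
}
```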

```nix
{ config, pkgs, inputs, ... }:
let
  # `inputs` only reaches this module if the flake passes it on, e.g. via
  # specialArgs = { inherit inputs; } in nixosSystem
  secretspath = builtins.toString inputs.nix-secrets;
  # ...
in
{
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
  sops = {
    defaultSopsFormat = "yaml";
    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # private host key; the age key used for decryption is derived from it
      keyFile = "/root/.config/sops/age/keys.txt"; # can be something else, but best root-only readable
      generateKey = true; # derive the age key from the host key into keyFile if it is not there yet
    };
    secrets = {
      my-secret = {
        sopsFile = "${secretspath}/secrets/mysopsfile.yaml"; # path to the file, relative to the nix-secrets repo
        key = "secret-entry-in-yaml";
      };
    };
  };
  nix.settings.trusted-users = [ "yourUser" ]; # allow this user to trigger remote builds. optional, not essential for sops
  # placeholder: replace with the real option of the service that consumes the secret
  some-service-settings = {
    hashedPasswordFile = config.sops.secrets.my-secret.path; # path to my-secret on the host
  };
}
```
```nix
{
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-25.05";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    nix-secrets = {
      url = "your git repo"; # for a private repo over ssh: "git+ssh://user@git/user/repo.git?shallow=1&ref=main"
      flake = false;
    };
  };
  # ...rest of flake.nix
}
```

andi242 commented Sep 25, 2025

I think it's best to have the secret bound to the ssh host key config and not to a user.

This makes it possible to configure secrets without having to have a user on the target machine that is 'secrets enabled'.
