This content originally appeared on DEV Community and was authored by Kir Axanov
Hi! Here are some notes about how to use secrets in NixOS configuration securely. As of now I use sops-nix with simple age keys (not generated from ssh keys).
Concept
We will generate a file with all our secrets (e.g. secrets.yaml). For example:
my_secret_auth: <plain-text secret>
secrets.yaml is stored encrypted. We can edit it with sops secrets.yaml which decrypts it and opens your editor from the $EDITOR environment variable.
For this encryption / decryption sops uses an age public and private keys - we generate those too.
For those secrets to be picked up by nixos we register them in nixos config (we can set secret's owner to allow access for needed service):
sops.secrets = {
my_secret_auth = {
owner = "nginx";
};
};
In the nixos configuration we now can use those secrets like so (an example for nginx basic auth):
basicAuthFile = config.sops.secrets.my_secret_auth.path;
That's basically it. Below are some details on how to setup all of this.
Local secrets with nixos-rebuild
For use on a local machine. We will use niv to install sops-nix.
1) Go to your configuration directory, init a niv project with sops-nix:
# where `configuration.nix` is located, adjust if needed
cd /etc/nixos
# init `niv` with `sops-nix` before installing anything
nix-shell -p niv --run "niv init && niv add Mic92/sops-nix"
2) Create the directory for age keys:
mkdir -p ~/.config/sops/age
3) Configure sops and other stuff in secrets.nix (you can choose another name, don't forget to import this file from your configuration), replace YOUR_USER:
{ pkgs, config, ... }:
{
imports = [ "${(import ./nix/sources.nix).sops-nix}/modules/sops" ];
environment.systemPackages = with pkgs; [
age sops
];
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/${config.users.users.YOUR_USER.name}/.config/sops/age/keys.txt";
};
}
4) Apply configuration above:
sudo nixos-rebuild switch
5) Generate an age key:
age-keygen -o ~/.config/sops/age/keys.txt
6) Create .sops.yaml and paste public key printed on the previous step (replace capslocked text), use arbitrarily username:
keys:
- &USERNAME PUBLIC_KEY
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *USERNAME
7) Register secrets to secrets.nix from step 3:
...
sops = {
# ...
secrets = {
my_secret_auth = {
owner = "nginx";
};
};
}
8) Use your secrets in nixos configuration (where the option expects a file path to the secret):
# ...
basicAuthFile = config.sops.secrets.my_secret_auth.path;
# ...
Remote secrets with flake
For use on a remote machine.
DISCLAIMER: I keep remote's configs locally and send them via scp when updating it.
1) Add this to your flake:
{
inputs = {
# ...
sops-nix.url = "github:Mic92/sops-nix"; # <--
};
outputs = {
# ...
sops-nix, # <--
...
}@inputs: # <--
{
nixosConfigurations.your_flake_name = nixpkgs.lib.nixosSystem {
# ...
specialArgs = { inherit inputs; }; # <--
modules = [
# ...
sops-nix.nixosModules.sops # <--
];
};
};
}
2) Create the directory for age keys:
mkdir -p ~/.config/sops/age
3) Configure sops and other stuff in secrets.nix (you can choose another name, don't forget to import this file from your configuration), replace YOUR_USER:
{ pkgs, config, inputs, ... }:
{
imports = [ inputs.sops-nix.nixosModules.sops ]; # <-- differs from the local setup
environment.systemPackages = with pkgs; [
age sops
];
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/${config.users.users.YOUR_USER.name}/.config/sops/age/keys.txt";
};
}
4) Apply configuration above:
# I'm copying the configuration via ssh and running update on a remote - you do you
nixos-rebuild switch --flake .#update
5) Generate an age key:
age-keygen -o ~/.config/sops/age/keys.txt
6) Create .sops.yaml and paste public key printed on the previous step (replace capslocked text), use arbitrarily username:
keys:
- &USERNAME PUBLIC_KEY
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *USERNAME
7) Register secrets to secrets.nix from step 3:
...
sops = {
...
secrets = {
my_secret_auth = {
owner = "nginx";
};
};
...
8) Use your secrets in nixos configuration (where the option expects a file path to the secret):
...
basicAuthFile = config.sops.secrets.my_secret_auth.path;
...
9) If you use sops on both local and remote, it's useful to copy age private key from the remote machine to your home keys.txt (so you'll have two keys there) - this way you can edit remote's secrets.yaml locally.
Resources
- sops-nix repo
- short tutorial from vimjoyer
- commands from tutorial above
- nice article from dade about this topic and some more
This content originally appeared on DEV Community and was authored by Kir Axanov
Kir Axanov | Sciencx (2025-02-21T07:36:23+00:00) NixOS. Managing secrets with sops-nix. Retrieved from https://www.scien.cx/2025/02/21/nixos-managing-secrets-with-sops-nix/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.