Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

Allow secrets to be used as strings not as file #624

Closed TheCataliasTNT2k closed 20 hours ago

TheCataliasTNT2k commented 1 week ago

I have a few secrets, which control the monitoring behaviour for my docker containers. These containers need to have labels, but I do not want to have these labels as clear text in my git repo.

Obviously, it is not a problem that the secrets are readable by anyone who has access to the server, because they could already read them right now. Sadly, sops does not provide a way to use secrets as actual text, only as files, which does not work for docker labels. Is there a way to get this to work?

clementpoiret commented 1 day ago

This would be awesome. Currently I simply use a builtins.readFile to get the content of the mounted secret, and build with the --impure flag, but maybe there is a cleaner way to do this?

Mic92 commented 20 hours ago

No this doesn't work because secrets cannot be used as values by design: https://github.com/Mic92/sops-nix?tab=readme-ov-file#using-secrets-at-evaluation-time

TheCataliasTNT2k commented 20 hours ago

Thanks for your answer. Sad to see this, I will need another way then. You recommend "git-agecrypt" in the linked README, but it itself is not a solution according to their own README. I will have to look for a different approach then.

Mic92 commented 20 hours ago

I saw people using nix plugins to decrypt at eval time.

clementpoiret commented 2 hours ago

Thanks for pointing out nix-plugins! I successfully managed to have sops-nix expose secrets for the user, and nix-plugins access them at eval time :+1:

Here is a minimal reproducible example:

Nix settings:

nix = {
  settings = {
    plugin-files = "${pkgs.nix-plugins}/lib/nix/plugins";
    extra-builtins-file = [ ../libs/extra-builtins.nix ];
  };
};

libs/extra-builtins.nix content (be sure you have sops installed :)):

{ exec, ... }: {
  # exec (from nix-plugins) runs the command and parses its stdout as a Nix expression,
  # so the decrypted file must itself be valid Nix
  readSops = name: exec [ "sops" "-d" name ];
}

Create and encrypt your secrets with sops secrets/eval-secrets.nix:

{
  dns = {
    desktop = "1.1.1.2";
  };
}

Read at eval time such as:

{ ... }:
let
  secrets = builtins.extraBuiltins.readSops ../secrets/eval-secrets.nix;
in
{
  networking.nameservers = [ secrets.dns.desktop ];
}

This way I can handle both a user-secrets.yaml to use with sops-nix in home-manager, and an eval-secrets.nix to use at eval time :+1:

Hope it'll help people reading this thread!
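The README section Mic92 linked above is the reason this approach is discouraged: anything the evaluator reads can end up in the Nix store, which every local user can read. As an added example (not code from this thread or from sops-nix), here is a small POSIX shell check that scans a built closure for a plaintext value; the real-system variant assumes `nix-store` is on PATH, and the demo uses a constructed directory with the `1.1.1.2` value from the example above.

```shell
# Added example, not code from the thread or from sops-nix.
# Purpose: check whether a plaintext value that was read at evaluation time
# ended up inside a built closure (/nix/store is world-readable, so a value
# interpolated into generated files is visible to every user on the host).

# List files under DIR that contain the fixed string VALUE.
# -r recurse, -l print only file names, -F fixed string, -s hide read errors.
scan_closure_for_value() {
  dir="$1"
  value="$2"
  grep -rlFs -- "$value" "$dir" 2>/dev/null || true
}

# Exit status 0 when VALUE appears in at least one file under DIR, 1 otherwise.
value_leaked() {
  [ -n "$(scan_closure_for_value "$1" "$2")" ]
}

# Real-system variant (assumption: nix-store is on PATH): walk the runtime
# closure of the current system and scan every store path that belongs to it.
scan_system_closure_for_value() {
  nix-store -qR /run/current-system | while read -r p; do
    scan_closure_for_value "$p" "$1"
  done
}

# Constructed demo closure: a fake system output where the eval-time value
# "1.1.1.2" from the example above was interpolated into resolv.conf.
make_demo_closure() {
  d=$(mktemp -d)
  mkdir -p "$d/etc"
  printf 'nameserver 1.1.1.2\n' > "$d/etc/resolv.conf"
  printf 'nothing sensitive here\n' > "$d/etc/motd"
  printf '%s\n' "$d"
}
```

Run `scan_system_closure_for_value '<the secret value>'` on a host after a rebuild; any file it prints is a store path that carries the value in clear text.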