Closed TheCataliasTNT2k closed 20 hours ago
This would be awesome. Currently I simply use a builtins.readFile to get the content of the mounted secret, and build with the --impure flag, but maybe there is a cleaner way to do it?
No, this doesn't work because secrets cannot be used as values by design: https://github.com/Mic92/sops-nix?tab=readme-ov-file#using-secrets-at-evaluation-time
Thanks for your answer. Sad to see this, I will need another way then. You recommend "git-agecrypt" in the linked README, but it itself is not a solution according to their own README. I will have to look for a different approach then.
I saw people using nix plugins to decrypt at eval time.
Thanks for pointing out nix-plugins! I successfully managed to have sops-nix expose secrets for the user, and nix-plugins access them at eval time :+1:
Here is a minimal reproducible example:
Nix settings:

```nix
nix = {
  settings = {
    plugin-files = "${pkgs.nix-plugins}/lib/nix/plugins";
    extra-builtins-file = [ ../libs/extra-builtins.nix ];
  };
};
```
`libs/extra-builtins.nix` content (be sure you have sops installed :)):

```nix
{ exec, ... }: {
  readSops = name: exec [ "sops" "-d" name ];
}
```
Create and encrypt your secrets with `sops secrets/eval-secrets.nix`:

```nix
{
  dns = {
    desktop = "1.1.1.2";
  };
}
```
Read at eval time such as:

```nix
{ ... }:
let
  secrets = builtins.extraBuiltins.readSops ../secrets/eval-secrets.nix;
in
{
  networking.nameservers = [ secrets.dns.desktop ];
}
```
This way I can handle both a `user-secrets.yaml` to use with sops-nix in home-manager, and an `eval-secrets.nix` to use at eval time :+1:
Hope it'll help people reading this thread!
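A stricter variant of the `readSops` helper from the post above, added here as an example and not code from this thread, from sops-nix or from nix-plugins: it accepts only path literals under one fixed secrets directory and checks that `sops` returned an attribute set, so a string assembled during evaluation cannot steer `exec` at an arbitrary file. It assumes the same `exec` interface nix-plugins hands to the extra-builtins file as used above, and a `secrets/` directory beside `libs/`.

```nix
{ exec, ... }:
let
  # Assumption: encrypted files live in ../secrets, next to this libs/ directory.
  secretsDir = toString ../secrets + "/";
  startsWith = prefix: s:
    builtins.substring 0 (builtins.stringLength prefix) s == prefix;
in
{
  # Decrypt a sops-encrypted file whose plaintext is a Nix expression.
  # Only path literals inside secretsDir are accepted; the string form is
  # refused so the sops command line cannot be built from untrusted input.
  readSops = name:
    assert builtins.isPath name;
    assert startsWith secretsDir (toString name);
    let
      # toString yields the absolute path without copying the encrypted file
      # into the store (string interpolation of a path would copy it).
      # exec runs the command and parses its stdout as a Nix expression.
      decrypted = exec [ "sops" "-d" (toString name) ];
    in
    assert builtins.isAttrs decrypted;
    # Whatever consumes the returned values (e.g. a generated /etc/resolv.conf)
    # still lands in the world-readable Nix store, so this is only suitable
    # for values every local user may read, as the original poster notes.
    decrypted;
}
```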
I have a few secrets, which control the monitoring behaviour for my docker containers. These containers need to have labels, but I do not want to have these labels as clear text in my git repo.
Obviously, it is not a problem that the secrets are readable by anyone who has access to the server, because they could already read them right now. Sadly, sops does not provide a way to use secrets as actual text, only as files, which does not work for docker labels. Is there a way to get this to work?