Secrets

Secrets in this flake are managed with sops-nix through the modules.common.sops module.

Keys

How to make a key with your personal SSH key

I did this for my master key.

Create one with this command: ssh-keygen -t ed25519 -C "[email protected]". When prompted for a passphrase, give none. This is important.

Next, we'll make ourselves an age key from that SSH key.

ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt

Then, run age-keygen -y ~/.config/sops/age/keys.txt to get the public age key, which goes into .sops.yaml.

Per-machine keys (user)

On each machine, we need an age key. These _admin keys exist so that you can edit the secrets from that machine.

Run age-keygen -o ~/.config/sops/age/keys.txt.

Then, run age-keygen -y ~/.config/sops/age/keys.txt to get the public age key, which goes into .sops.yaml, named under the respective hostname followed by _admin (e.g., komashi_admin).

Per-machine keys (server)

Here you don't need to generate a key, since we use the machine's SSH host key, which is generated automatically.

Run cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age.

That will return the public age key, which goes into .sops.yaml named under the respective hostname followed by _server (e.g., komashi_server).

These machine-specific keys do not need to be backed up, unlike the master key, which you should create and store on a USB drive or in another safe location.
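The three procedures above all end the same way: a public age key is pasted into .sops.yaml under a name such as master, komashi_admin or komashi_server. The script below is an added example, not part of this flake or of sops-nix: it checks that a string really is an age public key (the "age1" prefix plus 58 bech32 characters) before it lands in the config, and then renders a .sops.yaml for one host with all three keys in a single key group. The host name and the key values are constructed placeholders, and the render_sops_yaml helper is an assumption of this example, not something the module provides.

```shell
#!/bin/sh
# Added example (not the flake's own code): validate age public keys and
# emit a .sops.yaml that names them the way the Keys section describes
# (master, <host>_admin, <host>_server).

# An age public key is "age1" followed by 58 bech32 characters, 62 in total.
# The bech32 alphabet deliberately omits 1, b, i and o.
is_age_pubkey() {
    case "$1" in
        age1*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -eq 62 ] || return 1
    printf '%s' "${1#age1}" | grep -Eq '^[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}$'
}

# Print a .sops.yaml for one host. All three keys go into one key group, so
# the master key, the host's _admin key and the host's _server key can each
# decrypt secrets.yaml on their own.
render_sops_yaml() {
    host=$1 master=$2 admin=$3 server=$4
    for k in "$master" "$admin" "$server"; do
        is_age_pubkey "$k" || { echo "invalid age public key: $k" >&2; return 1; }
    done
    cat <<EOF
keys:
  - &master ${master}
  - &${host}_admin ${admin}
  - &${host}_server ${server}
creation_rules:
  - path_regex: secrets\.yaml\$
    key_groups:
      - age:
          - *master
          - *${host}_admin
          - *${host}_server
EOF
}

# Demo with constructed placeholder keys (58 x 'q' is a valid bech32 body,
# but these are not real keys). Replace them with the output of
# age-keygen -y or ssh-to-age as described above.
PLACEHOLDER_KEY="age1$(printf '%058d' 0 | tr 0 q)"
render_sops_yaml komashi "$PLACEHOLDER_KEY" "$PLACEHOLDER_KEY" "$PLACEHOLDER_KEY"
```

Run it once per host and merge the resulting keys and anchors into the real .sops.yaml; the validation step catches the common mistake of pasting the SSH public key (ssh-ed25519 ...) or the private keys.txt line instead of the age public key.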

Interacting with the module

Example secrets.yaml:

my-secret: test
nested:
  secret: test

Example module usage:

modules.common.secrets.my-secret = {};
modules.common.secrets."nested/secret" = {
    # All options below are optional.
    path = "/home/orangc/secret";
    owner = "orangc";
    group = "fumos";
    mode = "0440";
};

Conclusion

Remember to refer back to the sops-nix documentation when confused.