init by ai

2026-04-07 02:34:03 +02:00
commit 0cec50d607
23 changed files with 2803 additions and 0 deletions


@@ -0,0 +1,69 @@
{ config, lib, pkgs, sops-nix, ... }:
# Example: How to use sops-nix for secrets management
# This module is NOT imported by default - uncomment in nixos/default.nix to use
{
imports = [ sops-nix.nixosModules.sops ];
# Point to your encrypted secrets file
sops.defaultSopsFile = ../../../secrets/secrets.yaml;
# Age key location (sops-nix will decrypt using this)
sops.age.keyFile = "/home/youruser/.config/sops/age/keys.txt";
# Define which secrets to decrypt and where
sops.secrets = {
# SSH keys
"ssh/github_key" = {
owner = "youruser";
group = "users";
mode = "0600";
# Decrypted to: /run/secrets/ssh/github_key
};
# API keys
"api_keys/example_api" = {
owner = "youruser";
group = "users";
mode = "0600";
};
# Passwords (less recommended, use SSH keys when possible)
"passwords/example_password" = {
owner = "youruser";
group = "users";
mode = "0600";
};
};
# Example: Use decrypted secret in environment variable
environment.variables = {
# GITHUB_SSH_KEY = "${config.sops.secrets."ssh/github_key".path}";
};
# Example: Copy secret to user home (for Git, SSH, etc.)
system.activationScripts.installSecrets = lib.stringAfter [ "users" ] ''
mkdir -p /home/youruser/.ssh
cp ${config.sops.secrets."ssh/github_key".path} /home/youruser/.ssh/github
chown youruser:users /home/youruser/.ssh/github
chmod 0600 /home/youruser/.ssh/github
'';
}
# Usage in other modules:
#
# To use decrypted secrets in other config files, reference like:
# ${config.sops.secrets."ssh/github_key".path}
#
# Example in Git config:
# programs.git.extraConfig = {
# core.sshCommand = "ssh -i ${config.sops.secrets."ssh/github_key".path}";
# };
#
# Example in home-manager:
# programs.ssh.matchBlocks.github = {
# host = "github.com";
# identityFile = "${config.sops.secrets."ssh/github_key".path}";
# };
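Review bot: The `installSecrets` activation script copies the decrypted `ssh/github_key` out of `/run/secrets` into `/home/youruser/.ssh/github`, which leaves a plaintext copy of the private key on persistent storage and undoes what the sops-nix declaration above it provides. The copy runs as root into a user-writable directory, so `cp` and `chown` would follow a symlink already present at that path, and the file exists with root's default umask until `chmod 0600` runs. Because the secret is already declared with `owner = "youruser"` and `mode = "0600"`, the script can be dropped in favour of `path = "/home/youruser/.ssh/github";` inside the `"ssh/github_key"` attribute set, or consumers can reference `config.sops.secrets."ssh/github_key".path` directly as the trailing comments already show. If the script is kept, note that it is ordered only after `users`; it presumably also has to run after the sops-nix secrets activation step, otherwise the source path may not exist yet, which is worth confirming. Separately, `sops.age.keyFile` points into the user's home, so the key that decrypts every entry in `secrets.yaml` is only as protected as that account and must be present when activation runs; a root-owned location outside `/home` would be the safer example default.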