I’ve been setting up sops for secrets, I have some config files with multiple secrets in each of them inside my .config folder, that I want encrypted when I git commit (my age key is stored outside this folder). I want programs that depend on those configs to read the secrets though.
What would be the best solution? I did a bunch of looking up and didn’t find specific answers, so I guess I would just make a git pre-commit hook to encrypt the files, commit, then decrypt them afterwards. Is there a command or way to encrypt decrypt all files specified in .sops.yaml?
Clarify first: Do you want these secrets available at eval/build time? Or only at run time?
If you want them at eval/build time, then be aware that these secrets are essentially guaranteed to end up world-readable in your nix store anywhere you build or deploy the config. This is why sops-nix and agenix make no attempt to support this use model. Depending on how “secret” they are, this might be acceptable, in which case you can use something like git-crypt (Which uses gpg, but there’s a similar thing for age, I believe), which uses git smudge filtering to commit encrypted files and decrypt them in the work tree. Nix can handle building a flake from a local, unlocked git-crypted repo, but I’m uncertain if that ability extends to other smudge-filter-based tools.
If you want them only at run time, they should be encrypted in your config repo, as per that security model, so I’m not sure what you’re asking for here.