I have a private GitHub repo that I call `nix-secrets`, which contains my `sops` files (i.e. `.sops.yaml` and some secret files). Currently I pass this as an input to my `nix-config`. This setup has so far worked quite nicely: I have an `age` key on my MacBook and can encrypt/decrypt secrets as needed during builds, etc.

I would now like to use `nixos-anywhere` to install my config on a VM/remote server/etc. and as part of that also access my `nix-secrets`, in which the user passwords for those machines are configured. My `nixos-anywhere` command looks something like this:
```
nix run github:nix-community/nixos-anywhere -- \
  --flake '.#hostname' \
  --build-on-remote \
  --build-on remote \
  --disk-encryption-keys disko_key_local disko_key_remote \
  --target-host root@hostname
```
During evaluation/build it will try to decrypt the `nix-secrets`, but of course the remote machine does not have any secrets since it's an empty NixOS installer boot.

It seems that the solution is to use the `--extra-files` flag when running `nixos-anywhere` to pass public and private `ssh` keys to the installer, which are part of the `sops` setup…
Is this a good idea, safe to do? Do I need to take care of anything else? Is it recommended to have a separate key for just this purpose?
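As an added example (not part of the original post, and not nixos-anywhere's or sops-nix's own tooling), the shell script below stages the directory that `--extra-files` would copy onto the freshly installed machine: it generates a dedicated ed25519 host key for that one host, places it at `/etc/ssh/ssh_host_ed25519_key` with the permissions sshd and sops-nix expect, derives the age recipient to add to `.sops.yaml` (via `ssh-to-age`, assumed to be installed), and runs a few checks before the directory is shipped. The host name, the `./extra-files` path and the flake attribute are placeholders.

```shell
#!/usr/bin/env sh
# Added example: stage a per-host SSH key for a nixos-anywhere install so the
# new machine can decrypt sops secrets from its first boot. The key lives in a
# plain directory (never in the Nix store) and is copied with --extra-files.
set -eu

# Create DIR/etc/ssh/ssh_host_ed25519_key{,.pub}. nixos-anywhere copies DIR
# onto the target's / after installation, so the layout mirrors the target.
stage_extra_files() {
  dir="$1"
  mkdir -p "$dir/etc/ssh"
  chmod 0755 "$dir" "$dir/etc" "$dir/etc/ssh"
  key="$dir/etc/ssh/ssh_host_ed25519_key"
  if [ ! -f "$key" ]; then
    # One key per host, generated fresh: the laptop's personal age key is
    # never copied to the installer.
    ssh-keygen -q -t ed25519 -N '' -C "host-key-$(basename "$dir")" -f "$key"
  fi
  chmod 0600 "$key"
  chmod 0644 "$key.pub"
  printf '%s\n' "$key"
}

# Print the age recipient for .sops.yaml derived from the host's public key.
# Assumes ssh-to-age (from the sops-nix project) is on PATH.
age_recipient_for() {
  pub="$1.pub"
  if command -v ssh-to-age >/dev/null 2>&1; then
    ssh-to-age < "$pub"
  else
    printf 'ssh-to-age not installed; run: ssh-to-age < %s\n' "$pub" >&2
    return 1
  fi
}

# Checks worth running before the directory leaves the machine:
# both key halves exist, the private half is 0600, and nothing in the tree
# is a symlink (a symlink into /nix/store would dangle on the target).
check_extra_files() {
  dir="$1"
  key="$dir/etc/ssh/ssh_host_ed25519_key"
  [ -f "$key" ] && [ -f "$key.pub" ] || return 1
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  [ "$mode" = "600" ] || return 1
  if find "$dir" -type l | grep -q .; then
    return 1
  fi
  return 0
}

# Usage: sh stage-host-key.sh stage ./extra-files hostname
# (placeholder paths and host name; prints the nixos-anywhere invocation)
if [ "${1:-}" = "stage" ]; then
  dir="$2"
  host="$3"
  key=$(stage_extra_files "$dir")
  check_extra_files "$dir"
  echo "Add this recipient for $host to .sops.yaml, then re-encrypt (sops updatekeys):"
  age_recipient_for "$key" || true
  cat <<EOF
nix run github:nix-community/nixos-anywhere -- \\
  --flake ".#$host" \\
  --build-on remote \\
  --extra-files "$dir" \\
  --target-host "root@$host"
EOF
fi
```

On the target, sops-nix reads `/etc/ssh/ssh_host_ed25519_key` by default (`sops.age.sshKeyPaths`), so once the recipient is in `.sops.yaml` and the secrets are re-encrypted, the host decrypts its own user passwords at activation without ever seeing the MacBook's key. Keeping one key per host also means a compromised VM only exposes the secrets that were encrypted to that host, and revoking it is a single edit to `.sops.yaml`.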