Hello, I’m new to nix. Currently, I’m learning nix flake on my archlinux laptop. Before I started to use sops-nix, everything worked just fine. Below are my files:
```
➜ nix-flake git:(master) ✗ tree .
.
├── flake.lock
├── flake.nix
└── oracle-arm
    ├── apps
    │   ├── matrix.nix
    │   ├── nginx.nix
    │   ├── postgresql.nix
    │   ├── secrets
    │   │   ├── matrix.pem
    │   │   └── nginx.yaml
    │   └── user-settings.nix
    ├── configuration.nix
    └── hardware-configuration.nix

3 directories, 10 files
```
But when I use sops-nix in `nginx.nix`, I can’t deploy with `nix run github:serokell/deploy-rs . -- -s`. My `nginx.nix` is like this:
```nix
{
  pkgs,
  lib,
  config,
  inputs,
  sops-nix,
  services,
  ...
}: {
  sops.defaultSopsFile = ./secrets/nginx.yaml;
  # sops.secrets.domain = {};
  # sops.secrets.my-email = {};
  # sops.secrets.domain.owner = "${services.nginx.user}";
  # sops.secrets.my-email.owner = "${services.nginx.user}";
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
  # This is using an age key that is expected to already be in the filesystem
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # This will generate a new key if the key specified above does not exist
  sops.age.generateKey = true;
  networking.firewall.allowedTCPPorts = [80 443];
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "myexample.com" = {
        locations."/".extraConfig = ''
          charset utf-8;
          default_type text/html;
          return 200 "OK";
        '';
        enableACME = true;
        forceSSL = true;
      };
    };
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "my-email@gmail.com";
}
```
When I use sops-nix, I changed it to:
```nix
{
  pkgs,
  lib,
  config,
  inputs,
  sops-nix,
  services,
  ...
}: {
  sops.defaultSopsFile = ./secrets/nginx.yaml;
+ sops.secrets.domain = {};
+ sops.secrets.my-email = {};
+ sops.secrets.domain.owner = "${services.nginx.user}";
+ sops.secrets.my-email.owner = "${services.nginx.user}";
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
  # This is using an age key that is expected to already be in the filesystem
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # This will generate a new key if the key specified above does not exist
  sops.age.generateKey = true;
  networking.firewall.allowedTCPPorts = [80 443];
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
+     "${config.sops.secrets.domain}" = { # I want this to be myexample.com
        locations."/".extraConfig = ''
          charset utf-8;
          default_type text/html;
          return 200 "OK";
        '';
        enableACME = true;
        forceSSL = true;
      };
    };
  };
  security.acme.acceptTerms = true;
+ security.acme.defaults.email = "${config.sops.secrets.my-email}";
}
```
Then, when I run `nix run github:serokell/deploy-rs . -- -s`, an error occurred:
```
➜ nix-flake git:(master) ✗ nix run github:serokell/deploy-rs . -- -s
🚀 ℹ️ [deploy] [INFO] Evaluating flake in .
error: cannot coerce a set to a string

       at /nix/store/sfi75lc3cxb6flpv014378h2gajp1x29-source/oracle-arm/apps/nginx.nix:30:8:

           29|     virtualHosts = {
           30|        "${config.sops.secrets.domain}" = {
             |        ^
           31|          locations."/".extraConfig = ''
(use '--show-trace' to show detailed location information)
🚀 ❌ [deploy] [ERROR] Failed to evaluate deployment data: Evaluation resulted in a bad exit code: Some(1)
```
And here is my `./secrets/nginx.yaml`:

```yaml
domain: ENC[AES256_GCM,data:fPk5StFqBx+rDYM1TQheJoxEh90F3mBu0mIIq00=,iv:Fca+fNIoErmf2yQDeLjJs3WcvydGjFZWfk99gpKGyhc=,tag:uLtHtSTW4OScw+f8a3VJkw==,type:str]
#ENC[AES256_GCM,data:vJhFMIRE8E632us=,iv:zJyBGYvFfCCg2JLR3JVBCWZ1OYlgb5iHXJ3yr3PKph0=,tag:GtBpIUEVQo8Zylohr4W7ww==,type:comment]
my-email: ENC[AES256_GCM,data:ISJSaA19QTbW/0kwPe4DjbPgtfhv,iv:3Sjj7D6OQ3ZKNquJFSOzj3wpQPu7MAgiWz34pCthrlg=,tag:0/t4+BwHELuIY7U63DHkcA==,type:str]
sops:
    kms: []
    gcp_kms: []
    ...
```
I searched on this website (and tried `sops.secrets.<name>.path` and others) and the homepage of sops-nix, but I didn’t find the answer.
https://search.nixos.org/flakes?channel=unstable&from=0&size=50&sort=relevance&type=options&query=sops.secrets

How can I directly use the value of the key in nix files?
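The pattern that avoids this error, as an added example that is not part of the original post: `config.sops.secrets.<name>` evaluates to an attribute set (`path`, `owner`, `mode`, ...), and the decrypted value only exists on the target host at activation time, never during `nix` evaluation, which is why it cannot become an attribute name or a plain option string. Secrets are consumed through the decrypted file at `config.sops.secrets.<name>.path`, or through a file rendered on the target with `sops.templates` and `config.sops.placeholder.<name>`; the example assumes a sops-nix version that provides those two options and reuses the `domain` and `my-email` keys from the post's `nginx.yaml`.

```nix
{ config, ... }: {
  sops.defaultSopsFile = ./secrets/nginx.yaml;
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Declaring a secret makes sops-nix decrypt it on the target at activation.
  # At evaluation time config.sops.secrets.domain is an attribute set; only
  # config.sops.secrets.domain.path (a string such as /run/secrets/domain) is usable,
  # and the cleartext is never written into the Nix store.
  sops.secrets.domain.owner = config.services.nginx.user;
  sops.secrets.my-email.owner = config.services.nginx.user;

  # Render an nginx snippet on the target host. Each config.sops.placeholder.<name>
  # is replaced by the decrypted value when the template file is written.
  sops.templates."nginx-secrets.conf" = {
    owner = config.services.nginx.user;
    content = ''
      set $site_domain ${config.sops.placeholder.domain};
      set $contact_email ${config.sops.placeholder.my-email};
    '';
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    # Attribute names, ACME domains and the ACME e-mail must be known at evaluation
    # time, so they stay literal: they are public identifiers, not secrets.
    virtualHosts."myexample.com" = {
      enableACME = true;
      forceSSL = true;
      locations."/".extraConfig = ''
        # Only the path of the rendered file enters the generated nginx.conf.
        include ${config.sops.templates."nginx-secrets.conf".path};
        charset utf-8;
        default_type text/html;
        return 200 "OK, contact $contact_email";
      '';
    };
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "my-email@gmail.com";
}
```

A quick check on the target after `deploy-rs` activates the configuration: the rendered file under `config.sops.templates."nginx-secrets.conf".path` should be owned by the nginx user with mode 0400, and `grep` for the domain in `/nix/store` should find nothing.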