Reading/pulling secrets from private repo in public repo with flakes

Hello, all! :wave:

I have this in my private secrets repo:

{
  description = "A flake to provide access to secrets";

  outputs = { self, ... }:
    {
      # Exposes the secrets as an output
      secrets = { secretsFile = self.followFile "./secrets/secrets.yaml"; };
    };
}

The secrets exist inside nix-secrets/secrets/. Of course, followFile does not exist (it is just a placeholder).


These are the relevant files which exist in the public repo:

flake.nix

{
  description = "A simple NixOS flake";

  inputs = {
    ...
    # Nix Secrets repo
    nix-secrets = {
      url = "git+ssh://git@github.com/myself/nix-secrets.git";
      # flake = false;
    };
    ...
  };

  outputs =
    inputs@{ self
    ...
    , nix-secrets
    , ...
    }:
    let
      myVars = import ./common/vars/vars.nix;

      hostConfigs = {
        desktop = [ ./hosts/desktop/configuration.nix ];
      };
    in
    {
      colmena = {
        meta = {
          # name = "homelab";
          # description = "My colmena homelab";
          nixpkgs = import nixpkgs {
            system = "x86_64-linux";
            overlays = [ ];
          };

          specialArgs = { inherit inputs myVars; };
        };

        desktop = ./hosts/desktop;
      };

      nixosConfigurations = {
        desktop = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";

          modules = [
            # Start Home Manager configuration
            home-manager.nixosModules.home-manager
            {
              home-manager = {
                sharedModules = [
                  inputs.sops-nix.homeManagerModules.sops
                  inputs.hyprland.homeManagerModules.default
                ];

                useGlobalPkgs = true;
                useUserPackages = true;
                backupFileExtension = "hm-backup";

                extraSpecialArgs = { inherit inputs myVars; };

                users.${myVars.users.admin.user} = import ./common/users/main/home/home.nix;
              };
            }
          ] ++ hostConfigs.desktop;

          specialArgs = { inherit inputs myVars; };
        };
      };
    };
}

sops-nix.nix

{ config, inputs, lib, pkgs, ... }:

{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  sops = {
    defaultSopsFile = inputs.nix-secrets.secrets.secretsFile;
    defaultSopsFormat = "yaml"; # Default format for sops files

    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # Paths to the host ssh keys
      keyFile = "/var/lib/sops-nix/key.txt"; # Path to the key file
      generateKey = true; # Generate a new key if the keyFile does not exist
    };

    secrets = {
      "some/random/secret" = { };
    };
  };

  environment.systemPackages = with pkgs; [
    age
    sops
  ];
}

I would like to know how (and if it is possible) to pull and read the secrets from the nix-secrets private repository since, at the moment, it does not work. I have configured access tokens and all, so nix flake update works fine.

Much obliged :pray:

Are you running nixos-rebuild as root? You can use --option access-tokens github.com=<ACCESS_TOKEN> to pass tokens to nix.


Yes, I am running it as root: sudo nixos-rebuild boot --flake <path/to/flake.nix>#desktop. Thank you for the tip; I didn’t know that you can pass options like that :smile: However, I don’t need to pass the token, since I have already defined them and they seem to work as intended.

I’m more curious to know how to pass the secrets from secret-repo to config-repo (if that makes sense). Please let me know whether you need more info.

Silly me. It was two things:

  1. Flake syntax.
  2. Directory structure of the repo.

As for #1, all I needed to do was:

{
  description = "A flake to provide access to secrets";

  outputs = { self, ... }:
    {
      # Exposes the secrets as an output
      secrets = { secretsFile = ./secrets/secrets.yaml; };
    };
}

So there was no need to use self.


For #2, the file/directory structure in the repo was wrong; I had:

nix-secrets/
├── flake.nix
└── secrets
    └── secrets
        └── secrets.yaml

Instead of:

nix-secrets/
├── flake.nix
└── secrets
    └── secrets.yaml

Which means that it was trying to find a non-existent file.

–Hope this helps someone in the future :smile:
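As an added example (not from this thread), a small NixOS module that consumes the `secrets.secretsFile` output from the private flake and fails evaluation with a clear message when the output is missing or the path does not exist, which is exactly the failure the wrong directory layout above produced. It assumes the input is named `nix-secrets` and that `inputs` is passed through `specialArgs` as in the public flake.nix; note that a path exposed this way is copied into the world-readable Nix store, so only the sops-encrypted file may be referenced here, never a plaintext one.

```nix
# Added example: resolve the secrets file from the private flake input and
# check it up front, instead of letting sops-nix fail later with a less
# obvious error. Assumes the input is called `nix-secrets` and that `inputs`
# is available via specialArgs (as in the flake.nix shown in the thread).
{ inputs, lib, ... }:
let
  # `or null` covers both a missing `secrets` output and a missing
  # `secretsFile` attribute inside it (e.g. a typo in the output name).
  secretsFile = inputs.nix-secrets.secrets.secretsFile or null;

  # The path is a store path (/nix/store/...-source/secrets/secrets.yaml),
  # so pathExists works in pure evaluation mode.
  fileExists = secretsFile != null && builtins.pathExists secretsFile;
in
{
  assertions = [
    {
      assertion = secretsFile != null;
      message = "nix-secrets flake does not expose secrets.secretsFile; check the output name in the private flake.nix";
    }
    {
      assertion = fileExists;
      message = "secrets.secretsFile points to ${toString secretsFile}, which does not exist; check the directory layout of the nix-secrets repo";
    }
  ];

  # Only wire the file into sops-nix when it actually resolved; the
  # assertions above still stop the build with the explanatory message.
  sops.defaultSopsFile = lib.mkIf fileExists secretsFile;
  sops.defaultSopsFormat = "yaml";
}
```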