Hello, all!
I have this `flake.nix` in my private secrets repo:
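{
  description = "A flake to provide access to secrets";

  # No inputs: this flake only exposes a file from its own source tree.
  outputs = { self, ... }:
    {
      # Exposes the secrets as an output.
      #
      # A relative path literal inside flake.nix resolves against the flake's
      # own source tree, which Nix has already copied into /nix/store by the
      # time outputs are evaluated (equivalently: "${self}/secrets/secrets.yaml").
      # The file has to be tracked by git, otherwise it is not part of that copy.
      #
      # SECURITY: /nix/store is world-readable on every machine that evaluates
      # or deploys the consuming flake, so only sops-encrypted ciphertext may
      # live under secrets/ -- never a plaintext file.
      secrets = { secretsFile = ./secrets/secrets.yaml; };
    };
}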
The secrets exist inside `nix-secrets/secrets/`. Of course, `followFile` does not exist (it is just a placeholder for whatever should resolve that path).
These are the relevant files in the public repo:
flake.nix
{
description = "A simple NixOS flake";
inputs = {
...
# Nix Secrets repo
# Private repository fetched over git+ssh. It is consumed as a flake so that
# sops-nix.nix can read `inputs.nix-secrets.secrets.secretsFile` (the sops
# ciphertext). The whole repo tree is copied into the world-readable
# /nix/store on every machine that evaluates this flake, so it must hold
# encrypted material only.
# NOTE(review): `nix flake update` succeeding only proves the *current*
# user's SSH identity can reach the repo; whatever process later evaluates
# this flake (e.g. nixos-rebuild run via sudo, or the colmena deploy host)
# needs the same access -- confirm which SSH config/agent that process sees.
nix-secrets = {
url = "git+ssh://git@github.com/myself/nix-secrets.git";
# flake = false;
# ^ If this were enabled the repo would be plain source with no outputs, and
#   the file would be addressed as "${nix-secrets}/secrets/secrets.yaml".
};
...
};
outputs =
inputs@{ self
...
, nix-secrets
, ...
}:
let
# Shared variables from the public repo -- must not contain secrets.
myVars = import ./common/vars/vars.nix;
# Per-host module lists; `desktop` is the only host defined here.
hostConfigs = {
desktop = [ ./hosts/desktop/configuration.nix ];
};
in
{
# Colmena deployment of the same host.
# NOTE(review): presumably evaluation happens where colmena runs, so that
# machine (not the target) is the one that must be able to fetch nix-secrets.
colmena = {
meta = {
# name = "homelab";
# description = "My colmena homelab";
nixpkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ ];
};
# Every flake input (including nix-secrets) is visible to all modules.
specialArgs = { inherit inputs myVars; };
};
desktop = ./hosts/desktop;
};
# Plain nixosConfigurations for nixos-rebuild; Home Manager is wired in here.
nixosConfigurations = {
desktop = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
# Start Home Manager configuration
home-manager.nixosModules.home-manager
{
home-manager = {
sharedModules = [
# Home Manager gets its own sops-nix module for user-level secrets.
inputs.sops-nix.homeManagerModules.sops
inputs.hyprland.homeManagerModules.default
];
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "hm-backup";
# Same inputs/vars handed to Home Manager modules as to NixOS modules.
extraSpecialArgs = { inherit inputs myVars; };
users.${myVars.users.admin.user} = import ./common/users/main/home/home.nix;
};
}
] ++ hostConfigs.desktop;
specialArgs = { inherit inputs myVars; };
};
};
};
}
sops-nix.nix
{ config, inputs, lib, pkgs, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  # Encrypted secrets file, taken from the private nix-secrets flake input's
  # `secrets.secretsFile` output. Only ciphertext should ever travel this way:
  # the input is copied into the world-readable /nix/store on every machine
  # that evaluates the flake.
  sops.defaultSopsFile = inputs.nix-secrets.secrets.secretsFile;
  sops.defaultSopsFormat = "yaml";

  # Decryption identities on the host.
  # The ed25519 host key is used as an age identity, so the matching age
  # recipient (derive it with `ssh-to-age`) has to be listed for this host in
  # the secrets repo's .sops.yaml -- otherwise activation cannot decrypt.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  # Additional age identity, created on first activation when the file is
  # missing.
  # NOTE(review): only useful if its public key is also a recipient in
  # .sops.yaml; next to the host key above it may be redundant -- confirm.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = true;

  # `/` in the name addresses a nested YAML key (some -> random -> secret).
  # NOTE(review): presumably decrypted to /run/secrets/some/random/secret with
  # sops-nix's default root-only ownership/mode -- verify before relying on it.
  sops.secrets."some/random/secret" = { };

  # CLI tooling for editing/inspecting the encrypted file on this machine.
  environment.systemPackages = [ pkgs.age pkgs.sops ];
}
I would like to know how — and whether it is possible at all — to pull and read the secrets from the private `nix-secrets`
repository, since at the moment it does not work. I have configured access tokens and all, so `nix flake update`
works fine (i.e. fetching and locking the private input itself is not the problem).
Much obliged