Sops-nix: how to manage array secret

mertyn · May 24, 2025, 9:50am

Hello :)
I have been trying to add sops-nix to my NixOS config to manage some secrets, but I have run into an issue and cannot find anything about it online.
How can one have a secret that is an array of strings? When creating a new secrets file à la sops secrets.yaml there is even an example array given:

example_array:
  - example_value1
  - example_value2

However, when trying to import the secret into my Nix config similar to this:

sops.secrets."example_array" = {
  sopsFile = ./secrets.yaml;
};

I get an error on system rebuild saying something like:

manifest is not valid: secret example_array in <path-to-secrets.yaml> is not valid: the value of key '' is not a string

Searching online and in the sops-nix documentation/readme, I have not found any mention of using arrays. I have also tried encrypting a secret using json, but I get the same kind of error.
In case this is relevant info: I am trying to import my secret using the sops-nix home-manager module, though I think I have already tried a system-wide secret and ran into the same problem.

Any hints, pointers and help at all with this are very much appreciated.
Thanks in advance :)

TLATER · May 24, 2025, 10:41am

What is the intended meaning of an “array secret”? The file is generated by sops, which has some features for this, but it makes no sense in the context of sops-nix as far as I can think. Either way, this is explicitly unsupported by sops-nix.

robsliwi · May 24, 2025, 11:05am

You could use a template to generate whatever textfile that suits your needs?

mertyn · May 25, 2025, 10:19am

My intent was to store a list of domains as a whitelist for cookies in Firefox. I was going to make an activation service for that, and an array makes the most sense for this application to me. But if sops-nix is not intended to work in this way, I will have to find another solution.

mertyn · May 25, 2025, 10:21am

I don’t really see how that would be applicable for my use case. As far as I understand, this is only meant for putting secrets kinda sorta half directly into config files?

NobbZ · May 25, 2025, 10:21am

Make it one entry per line and iterate over the lines in your script

mertyn · May 25, 2025, 10:23am

Was going to say I might just try something like that :)
Using an array in the yaml just felt a bit more elegant, since the structure can be used for lists…

TLATER · May 25, 2025, 10:24am

You can escape the string with the | syntax and then parse the yaml at runtime; that’s ultimately what you want here, to create a file containing a yaml list, not define a list of secrets with no contents.

mertyn · May 27, 2025, 4:52pm

Thanks for all the help so far, I think your answers should do it :)
I shall report back once I get to actually using/implementing this. Then I can also add some more specific details of how I did it.