Just wanted to share a tool I made recently called sopsidy. It’s an extension on sops-nix that adds a new secret option, sops.secrets.*.collect, that lets you either define a script that will pull a secret or use a plugin to describe where the secret can be pulled from. The only implemented plugin so far is rbw, which adds the option sops.secrets.*.collect.id and fills in the collect script for you to pull the entry with that id from Bitwarden using rbw.
Once the collect scripts are defined for all secrets and you’ve set the sops.hostPubKey option, you can run a collect-secrets script that is built by sopsidy to build all your sops files. It will run the collection scripts for you and determine which age pub keys to encrypt each file with based on which secrets each host needs and the sops.hostPubKey option.
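As an added illustration (not code from the sopsidy README or from the author), here is what a host module wired up with these options could look like. sops.hostPubKey and sops.secrets.*.collect.id are the options named above; the collect.script attribute name, the secret names, the entry id and the key strings are assumptions and placeholders, and sops.defaultSopsFile / sops.age.keyFile are the usual sops-nix options for where the encrypted file lives and which private key decrypts it on the host.

```nix
{ config, pkgs, ... }:
{
  # Usual sops-nix settings: which encrypted file this host reads and the
  # age private key it decrypts with (paths are placeholders).
  sops.defaultSopsFile = ./secrets/myhost.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # Public half of the key above. sopsidy uses the hostPubKey of every host
  # that declares a given secret to pick the age recipients for that file.
  sops.hostPubKey = "age1PLACEHOLDERHOSTPUBKEY";

  # rbw plugin: when collect-secrets runs, pull the Bitwarden entry with this
  # id. The id is a placeholder; use the real entry id shown by rbw.
  sops.secrets."wireguard-private-key" = {
    collect.id = "00000000-0000-0000-0000-000000000000";
    owner = "systemd-network";
  };

  # Hand-written collect script. The attribute name `collect.script` is an
  # assumption; check the sopsidy README for the real option. The script
  # prints the secret value on stdout and nothing else.
  sops.secrets."grafana-admin-password".collect.script = ''
    ${pkgs.rbw}/bin/rbw get "homelab/grafana"
  '';
}
```

With this in place, the generated collect-secrets script runs both collectors on the machine where rbw is unlocked and writes the encrypted sops file; a secret declared on several hosts is encrypted to each of their hostPubKey values, so no host key material ever has to be shared between operators.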
All the specific details and usage instructions are in the readme. There is also a flake-parts module that handles creating the secrets collector script for you.
While this may not be the best solution for really large teams, for small teams, homelabs, and personal machines this works great in making bitwarden or a similar password manager a central source of truth for your secrets and sops/sops-nix is just a transport method for getting the secrets from you to the computer. It also makes it easy to collaborate on server deployments without having to rekey or manage ssh/gpg keys since access is just managed by bitwarden now.
website: GitHub - timewave-computer/sopsidy: Script based generation of sops files for sops-nix