Still struggling with sops (documentation)

Based on section 4 of the documentation, I created this .sops.yaml file:

keys:
  - &admin_biscotty agelong-string-key
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *admin_biscotty

But then in section five, it gives this example for a secrets file:

# Files must always have a string value
example-key: example-value
# Nesting the key results in the creation of directories.
# These directories will be owned by root:keys and have permissions 0751.
myservice:
  my_subdir:
    my_secret: password1

I really don’t see what I’m supposed to do here, since none of the values in the example file here seem to relate to the steps I followed so far. Naively using this file as-is results in the error "secret example-key in /nix/store/p716md1lb35hkq9fqqdniijz4nqvky5a-example.yaml is not valid: the key 'example-key' cannot be found" on rebuild. Do I repeat something here? I already entered my key in .sops.yaml. Does example-key get replaced by a hostname and example-value by my age key?

Thanks in advance for clarification.

example-key is an example of a secret you want to deploy, rather than an input for sops. You can put any free-form string (or anything valid in yaml) there and it will be encrypted for you. If everything is configured correctly up to that point, you should be able to make your secrets file with:

sops example.yaml

That should bring up your editor with a text file with some example values. In there you can put any secrets/passwords you need. Follow the rest of the documentation to see how to get a handle for where sops puts these secrets in your NixOS config.

I had to decipher the documentation and get my head around how it all works and it took me a fair while to do so. I think the documentation could be better for new people turning up and trying to learn sops-box.

The .sops.yaml file is a config file for sops that defines what keys to use to encrypt files that actually store the secrets. It should contain your age public key in your case. The path regex in that file defines the path to files that should use that key.

The secrets files are where actual secrets are defined. So this is where you would store, e.g., a password for a network share etc.

To create a secrets file, navigate in the terminal to a directory covered by your path regex and then you can do sops secrets/example.yaml as @TLATER lays out.

When you save the file sops will encrypt the contents with your age public key (defined in .sops.yaml) and then save it to disk.

The corresponding age private key must exist in the correct location for sops-nix to be able to decrypt the secrets file on rebuild. You can find out the default location by trying to open your encrypted secrets file after it has been created with sops secrets/example.yaml; it will error out and show the path where it expects the private key to be located.
I believe for the root user it is /root/.config/sops/age/keys.txt

Once it is all set up and working and you have defined a sops section in configuration.nix, if I remember correctly the secrets get decrypted into files that live at /run/secrets

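To make the three checks in the reply above concrete (is the string in .sops.yaml an age public key, does path_regex actually cover the file you are editing, and does the decrypted secrets file contain every key your NixOS config asks for), here is a small added Python script. It is not part of the original thread, sops, or sops-nix; it assumes sops applies path_regex as an unanchored regex search against the file path relative to the directory containing .sops.yaml, and that sops-nix names a nested secret by joining its keys with "/" (so myservice/my_subdir/my_secret ends up at /run/secrets/myservice/my_subdir/my_secret). The inputs are constructed from the snippets in the thread; the "agelong-string-key" placeholder is deliberately kept to show it being rejected.

```python
import re

# Constructed from the thread's .sops.yaml; not taken from any real repository.
PATH_REGEX = r"secrets/[^/]+\.(yaml|json|env|ini)$"
PLACEHOLDER_KEY = "agelong-string-key"

# Constructed plaintext secrets file, modelled on the sops-nix documentation example.
EXAMPLE_SECRETS = """\
# Files must always have a string value
example-key: example-value
# Nesting the key results in the creation of directories.
myservice:
  my_subdir:
    my_secret: password1
"""

# An age public key is "age1" followed by 58 bech32 characters (no 1, b, i, o).
# An age private key starts with "AGE-SECRET-KEY-1" and must never go into .sops.yaml.
AGE_PUBLIC_RE = re.compile(r"^age1[02-9ac-hj-np-z]{58}$")
AGE_SECRET_PREFIX = "AGE-SECRET-KEY-1"


def classify_age_key(value: str) -> str:
    """Return 'public', 'private' or 'invalid' for a candidate .sops.yaml key entry."""
    if value.startswith(AGE_SECRET_PREFIX):
        return "private"
    if AGE_PUBLIC_RE.match(value):
        return "public"
    return "invalid"


def rule_matches(path_regex: str, rel_path: str) -> bool:
    """Assumption: sops does an unanchored regex search on the path relative to .sops.yaml."""
    return re.search(path_regex, rel_path) is not None


def flatten_secrets(yaml_text: str) -> dict:
    """Flatten the 'key: value' / nested-mapping subset of YAML used by sops-nix secrets
    files into {"a/b/c": "value"}. This is a deliberately tiny parser for that subset,
    not a general YAML parser (no lists, no multi-line scalars, keys must not contain ':')."""
    flat = {}
    stack = []  # (indent, key) pairs of the enclosing mappings
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        while stack and stack[-1][0] >= indent:  # leave mappings at the same or deeper level
            stack.pop()
        if not value:  # "myservice:" opens a nested mapping (a directory under /run/secrets)
            stack.append((indent, key))
            continue
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        flat["/".join([k for _, k in stack] + [key])] = value
    return flat


def missing_secrets(flat: dict, requested: list) -> list:
    """Names listed under sops.secrets that the decrypted file does not provide."""
    return sorted(name for name in requested if name not in flat)


def run_secrets_path(name: str) -> str:
    """Where sops-nix would place the decrypted secret (assumed default prefix)."""
    return "/run/secrets/" + name


if __name__ == "__main__":
    print("key entry:", classify_age_key(PLACEHOLDER_KEY))  # 'invalid' until replaced
    for p in ("secrets/test.yaml", "test.yaml", "secrets/nested/test.yaml"):
        print(f"{p}: {'covered' if rule_matches(PATH_REGEX, p) else 'NOT covered'}")
    flat = flatten_secrets(EXAMPLE_SECRETS)
    for name in flat:
        print(name, "->", run_secrets_path(name))
    # Asking for a secret the file does not define reproduces the "cannot be found" situation.
    print("missing:", missing_secrets(flat, ["example-key", "wifi_password"]))
```

Run it from the directory that holds .sops.yaml and swap in your own key string, candidate file paths and the names you put under sops.secrets; anything reported as "invalid", "NOT covered" or "missing" is a likely cause of the rebuild error quoted at the top of the thread.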

@kereru @TLATER thanks a lot to both of you. That helps fill in the gap for me. I’m not sure why I get the “not found” error I mentioned above in this case, though.


You are welcome.
I would try the following

  • ensure your .sops.yaml file is in /etc/nixos/
  • ensure that “agelong-string-key” has the value of your age public key
  • then make sure you have a directory called secrets in /etc/nixos/
  • then try making a secrets file: sops secrets/test.yaml
  • remove all the example content and add: test: "test secret value"
  • save the file

Does that work?