Add the following input to `flake.nix`:
# sops-nix provides the `sops` NixOS module; `follows` makes it reuse this
# flake's nixpkgs instead of pulling in its own copy.
sops-nix = {
  url = "github:Mic92/sops-nix";
  inputs.nixpkgs.follows = "nixpkgs";
};
Add the module to modules list of nixosSystem calls:
inputs.sops-nix.nixosModules.sops
# Host secrets module: tells sops-nix which SSH keys (converted to age) may
# decrypt this host's secrets, and points it at a per-host secrets file when
# one exists next to the configuration.
{ lib, config, ... }:
let
  # Per-host secrets file, chosen by hostname and resolved relative to this module.
  secretsFile = ../secrets/${config.networking.hostName}.yaml;
  hasHostSecrets = builtins.pathExists secretsFile;

  # Key material is read from under /persist: the prefix is prepended to the
  # absolute key path (presumably an impermanence-style layout — confirm
  # against the host's filesystem configuration).
  persisted = path: "/persist${path}";

  # Only the ed25519 entries of services.openssh.hostKeys are used; other key
  # types in that list are dropped.
  ed25519HostKeys = lib.filter (key: key.type == "ed25519") config.services.openssh.hostKeys;
  hostKeyPaths = map (key: persisted key.path) ed25519HostKeys;
in
{
  # NOTE(review): besides the host keys, one user's personal key is accepted as a
  # decryption key for the system's secrets, so those secrets are only as well
  # protected as that key file.
  sops.age.sshKeyPaths = hostKeyPaths ++ [ (persisted "/home/vlaci/.ssh/id_ed25519") ];

  # Only set a default secrets file when this host actually has one.
  sops.defaultSopsFile = lib.mkIf hasHostSecrets secretsFile;
}
To set-up keys for editing (decrypting) existing secrets, run:
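# The age identity written below is private key material: tighten the umask
# first so neither the directory nor the key file is created world-readable,
# and fail early if SOPS_AGE_KEY_FILE is not set (an unset variable would
# otherwise leave dirname/mkdir with an empty argument).
$ umask 077
$ mkdir -p "$(dirname "${SOPS_AGE_KEY_FILE:?SOPS_AGE_KEY_FILE must be set}")"
# ssh-to-age converts the ed25519 SSH private key into an age identity; `>>`
# appends, so several identities can be collected in the same key file.
$ nix-shell -p ssh-to-age --run \
    "ssh-to-age -private-key -i /path/to/id_ed25519 >> $SOPS_AGE_KEY_FILE"
# Make sure a pre-existing key file also ends up owner-only.
$ chmod 600 "$SOPS_AGE_KEY_FILE"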