sops-nix

Add the input to `flake.nix`:

# sops-nix flake input; it is made to reuse this flake's nixpkgs so that
# only one nixpkgs is evaluated and the module sees the same package set.
sops-nix = {
  url = "github:Mic92/sops-nix";
  inputs.nixpkgs.follows = "nixpkgs";
};
flake.nix:inputs

Add the module to the `modules` list of the `nixosSystem` calls:

# The NixOS module shipped by sops-nix; it provides the `sops.*` options set below.
inputs.sops-nix.nixosModules.sops
nixos
# Host wiring for sops-nix: decryption identities are the host's persisted
# ed25519 SSH keys (plus one user key), and, when a per-host secrets file is
# checked in, it becomes the default sops file.
{ lib, config, ... }:

let
  inherit (builtins) filter pathExists;

  # Per-host secrets live next to this module, keyed by hostname.
  hostSecrets = ../secrets/${config.networking.hostName}.yaml;
  secretsPresent = pathExists hostSecrets;

  # Only ed25519 host keys are kept, since that is the key type age
  # identities are derived from. Keys are read from under /persist —
  # presumably a persistent-state mount; confirm against the host layout.
  ed25519HostKeys = filter (key: key.type == "ed25519") config.services.openssh.hostKeys;
  persisted = key: "/persist" + key.path;

  # NOTE(review): a personal user key is also a decryption identity, so
  # whoever holds that key can decrypt every secret on this host — confirm
  # this is intended rather than a convenience left over from bootstrapping.
  extraIdentities = [ "/persist/home/vlaci/.ssh/id_ed25519" ];
in
lib.mkMerge [
  {
    sops.age.sshKeyPaths = (builtins.map persisted ed25519HostKeys) ++ extraIdentities;
  }
  # mkIf (not an attribute-level conditional) because the condition reads
  # config.networking.hostName; the module system must be able to enumerate
  # the option definitions without evaluating it first.
  (lib.mkIf secretsPresent {
    sops.defaultSopsFile = hostSecrets;
  })
]
nixos

To set up your key for editing (decrypting) existing secrets, run:

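# $SOPS_AGE_KEY_FILE must be set: sops reads its age identities from that file.
# Quoting keeps paths containing spaces intact.
$ mkdir -p "$(dirname "$SOPS_AGE_KEY_FILE")"
# Convert the ed25519 SSH private key into an age identity. `>>` appends, so
# identities already in the file are kept.
$ nix-shell -p ssh-to-age --run \
    "ssh-to-age -private-key -i /path/to/id_ed25519 >> $SOPS_AGE_KEY_FILE"
# The file now holds private key material; with a default umask it would be
# world-readable, so restrict it to the owner.
$ chmod 600 "$SOPS_AGE_KEY_FILE"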