Sops Nix

sops-nix is a declarative secret provisioner and management module for NixOS and Home Manager. It enables the storage of encrypted secrets directly in version control and decrypts them into a non-persistent ramfs during system activation to provide plaintext files to services without storing them on disk.

The project distinguishes itself through a tight integration with the NixOS activation hook and systemd, allowing it to delay service startup until decryption completes and automatically restart units when secret values are updated. It also provides utilities to transform existing SSH host keys into age or GPG compatible keys to authorize machine-based decryption.

The framework covers broad capability areas including multi-format secret parsing for YAML, JSON, and binary files, declarative permission control for user and group ownership, and build-time validation to catch configuration errors before deployment. It also supports atomic secret directory replacement to ensure consistent system rollbacks.

The module integrates with the sops CLI for encryption and decryption across GPG, age, and SSH backends.

Features

Declarative Secret Configurations - Defines encrypted secrets in YAML files and maps them to NixOS configuration attributes for service use.

Secret Provisioning - Implements a declarative secret provisioner that manages encrypted secrets in version control and deploys them with precise permissions.

Activation-Time Decryptions - Decrypts encrypted secrets during system activation as part of the NixOS deployment process.

Activation Hooks - Provides a NixOS activation hook that decrypts secrets into ramfs and restarts systemd units when secrets change.

Secret Management Modules - Provides a NixOS module for managing encrypted secrets with activation-time decryption and atomic rollbacks.

Secret Permission Declarations - Sets user, group, and file mode for each decrypted secret through declarative NixOS configuration.

Home Manager Secret Integrations - Manages encrypted secrets for individual users by decrypting them into the user runtime directory via Home Manager.

Secret Mounts - Exposes decrypted secrets as ephemeral files in a non-persistent ramfs for system services.

Sops Tooling Integrations - Leverages the sops CLI to create and edit encrypted secret files with transparent decryption and re-encryption.

Version-Controlled Secret Encryption - Provides a way to store encrypted secrets directly in a git repository with readable diffs.

Secret Provisioning - Manages secret files and environment variables through declarative NixOS module declarations.

Secret-Dependent Unit Ordering - Delays service startup until secret decryption completes and restarts units when secret values are updated.

Secret Directory Replacements - Replaces the active secret directory with a new one in a single operation to support consistent rollbacks.

Declarative Secret Permissions - Sets file ownership and permissions for decrypted secrets using declarative NixOS configuration.

Secret-Change-Triggered Restarts - Restarts or reloads specified system units automatically whenever a secret file is updated or initialized.

Secret Symlink Activations - Creates atomic symlinks from decrypted secrets in the Nix store to target paths for safe rollbacks.

Build-Time Validations - Checks encrypted secret files against configuration during evaluation to catch errors before deployment.

Multi-Backend Key Workflows - Supports decryption using GPG, age, or SSH-derived keys for flexible secret management.

Multi-Host Key Rotations - Updates encrypted secrets to include new host public keys across the configuration.

Self-Contained Secret Builds - Adds encrypted secrets to the build store without external dependencies or secret leakage.

Service-Ordered Decryptions - Runs secret decryption as a user service so user-level processes can access decrypted secrets in the runtime directory.

Binary Secret Handling - Supports encrypting arbitrary binary files as secrets for data formats that cannot be represented in structured text.

Multi-Format Secret Management - Supports reading and extracting values from encrypted secrets stored in YAML, JSON, dotenv, INI, or binary formats.

Format Conversions - Converts existing SSH host keys into age or GPG compatible keys to authorize machine-based secret decryption.

SSH-to-Age Conversions - Transforms existing SSH ed25519 private keys into compatible keys for secret encryption.

SSH-to-PGP Conversions - Converts existing SSH host keys into PGP or age compatible keys to authorize machine-based decryption.

Secret Restoration - Restores previous secret versions from the Nix store when secret files are included in the system build.

Secret Injection Tools - Substitutes placeholders in configuration files with decrypted secret content during the system activation phase.

Secret Key Mappings - Maps individual encrypted secret keys from a file to specific NixOS configuration attributes for service definitions.

Secret Value Extraction - Retrieves specific keys from encrypted documents or emits the entire decrypted file as needed.

Mic92sops-nix

Features

Star history