Skip to content

The Reliquary — Secrets & Encryption

Secrets are sealed with sops and age keys via the NixOS sops-nix pattern. Treat the reliquary with reverence — guard its keys with extreme care.

Each shrine bears its own age key (private/public pair). The private age key of exampleHost is the master key — it unseals all reliquaries across the Forge.

ShrineKey TypePrivate Location
exampleHostDedicated age file/etc/sops/age/keys.txt
clochetteDerived from SSH host keyDerived at runtime from /etc/ssh/ssh_host_ed25519_key
RogueLeaderDerived from SSH host keyDerived at runtime from /etc/ssh/ssh_host_ed25519_key
FileUnsealable by
secrets/kuri_exampleHost.yamlexampleHost only
secrets/clochette.yamlclochette + exampleHost
secrets/RogueLeader.yamlRogueLeader + exampleHost

sops-nix deposits decrypted secrets in /run/secrets/ when the shrine awakens. Secrets marked neededForUsers = true are deposited in /run/secrets-for-users/ before user creation (for hashed passwords).

On exampleHost, Home Manager places its secrets in /run/user/1000/secrets/.

keys:
- &desktop_examplehost age1xr32hdvanup0zk63v8hrcv2u2c09wplz6fd42w47mkjrd49j39xqaqqckq
- &server_clochette age18594hnd4mk3736a36a5fqc5w55sanac86tv8du0hz67rfk558srs3y9jwa
- &server_rogueleader age1nttxr633hf6r43szc9ffl2a0avmtmhtl7hhnjjuyd3sc4au705nqffyfwe

Each file’s sealing rules are defined under creation_rules.

Always reference via config.sops.secrets."<path>".path — never hardcode /run/secrets/...:

sops.secrets."services/papra/env" = {};
environmentFiles = [
config.sops.secrets."services/papra/env".path
];

For user passwords:

sops.secrets."users/kuri/hashed-password".neededForUsers = true;
users.users.kuri.hashedPasswordFile =
config.sops.secrets."users/kuri/hashed-password".path;