The Reliquary & sops-nix — Daily Secret Management
Reference for daily secret management with sops-nix.
For backup and restoration procedures, see Reliquary Backup & Restoration.
Unsealing a Secret File
Section titled “Unsealing a Secret File”# Open in $EDITOR (decrypt → edit → re-encrypt at close)sops secrets/clochette.yamlsops secrets/kuri_exampleHost.yamlsops secrets/RogueLeader.yaml
# Shortcuts via justjust secrets # kuri_exampleHost.yamljust secrets_clochette # clochette.yamljust secrets_rogueleader # RogueLeader.yamlReading a Secret Without Editing
Section titled “Reading a Secret Without Editing”# Decrypt and display plaintextsops -d secrets/clochette.yaml
# Extract a single value (nested YAML format with .)sops -d --extract '["services"]["ntfy"]["topic"]' secrets/clochette.yamlAdding a New Secret
Section titled “Adding a New Secret”- Unseal the file with
sops secrets/clochette.yaml - Add the key/value plaintext — sops encrypts it at save
- Declare the secret in the NixOS config of the target shrine:
# In docker-*.nix or default.nixsops.secrets."services/myservice/env" = {};- Reference in the container config:
virtualisation.oci-containers.containers."myservice" = { environmentFiles = [ config.sops.secrets."services/myservice/env".path ];};Decrypted Secret Locations at Runtime
Section titled “Decrypted Secret Locations at Runtime”When the shrine awakens, secrets are deposited in:
| Shrine | Location | Usage |
|---|---|---|
| clochette | /run/secrets/<name> | System secrets (containers, users) |
| exampleHost | /run/secrets/<name> | System secrets |
| exampleHost (HM) | /run/user/1000/secrets/<name> | Home Manager secrets (kuri) |
Reference a secret in systemd or shell:
cat /run/secrets/services/ntfy/topicIn NixOS config, always use config.sops.secrets."<name>".path
to get the path — never hardcode /run/secrets/....
Secret File Structure
Section titled “Secret File Structure”# secrets/clochette.yaml (structure when decrypted)users: guillaume: hashed-password: "..."services: ntfy: topic: "..." traefik: conf: traefik_dynamic.yml: "..." crowdsec: env: "..." immich: env: "..." borg: passphrase: "..." key: private: "..."Rotating a Secret
Section titled “Rotating a Secret”To change an existing secret’s value:
sops secrets/clochette.yaml# Modify the value, saveThen redeploy so sops-nix deposits the new value in /run/secrets:
just install_clochette --ask-sudo-passwordContainers reading via environmentFiles restart automatically
after redeployment thanks to systemd.
Adding a Machine to Encryption Rules
Section titled “Adding a Machine to Encryption Rules”When a new shrine is added to the flake, grant it the ability to unseal its secrets:
-
Obtain its public age key:
- If dedicated age file:
age-keygen -y /etc/sops/age/keys.txt - If derived from SSH:
ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub
- If dedicated age file:
-
Add to
.sops.yaml:
keys: - &new_shrine age1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXcreation_rules: - path_regex: secrets/new_shrine.yaml$ key_groups: - age: - *new_shrine - *desktop_examplehost # always include exampleHost for editing- Create the secret file:
sops secrets/new_shrine.yaml