ALPHA: wire is a tool to deploy nixos systems wire.althaea.zone/

add sops example (#412)

authored by

marshmallow and committed by
GitHub
b152eac2 f71e2d71

+49
+16
doc/guides/keys.md
··· 18 18 work well with wire keys include: 19 19 20 20 - GPG 21 + - [sops](https://github.com/getsops/sops) ([Example](#encrypting-with-sops)) 21 22 - [Age](https://github.com/FiloSottile/age) 22 23 - Anything that non-interactively decrypts to `stdout`. 23 24 ··· 93 94 [user@node-1]$ cat /run/keys/file.txt 94 95 Hello World! 95 96 ``` 97 + 98 + ### Encrypting with Sops 99 + 100 + With some sops file: 101 + 102 + ```yaml:line-numbers [secret.yaml] 103 + hive: 104 + some_secret: XXXXXXXXXXXXXXXXXXXXXXX 105 + something: 106 + another_secret: XXXXXXXXXXXXXXXXXXXXXXX 107 + ``` 108 + 109 + You can easily create a function to grab values out of your encrypted sops file: 110 + 111 + <<< @/snippets/guides/sops-example.nix [hive.nix] 96 112 97 113 ### Encrypting with KeepassXC 98 114
+33
doc/snippets/guides/sops-example.nix
··· 1 + let 2 + sources = import ./npins; 3 + wire = import sources.wire; 4 + in 5 + wire.makeHive { 6 + meta.nixpkgs = import sources.nixpkgs {}; 7 + 8 + node-1 = {lib, ...}: let 9 + mkSops = key: [ 10 + "sops" 11 + "-d" 12 + "--extract" 13 + (lib.concatMapStrings (segment: ''["${segment}"]'') key) 14 + "${./secrets.yaml}" 15 + ]; 16 + in { 17 + deployment.key = { 18 + "some_secret.txt" = { 19 + source = mkSops [ 20 + "hive" 21 + "some_secret" 22 + ]; 23 + }; 24 + 25 + "another_secret.txt" = { 26 + source = mkSops [ 27 + "something" 28 + "another_secret" 29 + ]; 30 + }; 31 + }; 32 + }; 33 + }
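Review bot: In doc/guides/keys.md, the new "Encrypting with Sops" section labels the example file `[secret.yaml]`, but the included snippet reads `"${./secrets.yaml}"`, so a reader who copies both ends up with a path that does not resolve. Use the same file name in both places. It would also help to state that the `XXXXXXXXXXXXXXXXXXXXXXX` values stand in for sops-encrypted values, and to write the heading as "Encrypting with sops" to match the lowercase `sops` in the list entry added at the top.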
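Review bot: In doc/snippets/guides/sops-example.nix, `"${./secrets.yaml}"` inside `mkSops` interpolates a path, so Nix copies that file into the world-readable store; add a comment saying this is acceptable only because the file is sops-encrypted, and that a plaintext secrets file must not be referenced this way. Two smaller points in the same function: the parameter `key` is a list of path segments and is easy to confuse with `deployment.key`, so a name like `path` would read better, and each segment is placed inside `["${segment}"]` unescaped, so a segment containing a double quote produces a malformed `--extract` expression, which deserves a note in the guide.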