sops-install-secrets package to use.
Type: package
Default:
(pkgs.callPackage ../.. {}).sops-install-secrets
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Whether or not to generate the age key. If this option is set to false, the key must already be present at the specified location.
Type: boolean
Default: false
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Path to age key file used for sops decryption.
Type: null or path
Default: null
Example: "/var/lib/sops-nix/key.txt"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Paths to ssh keys added as age keys during sops decryption.
Type: list of path
Default: The ed25519 keys from config.services.openssh.hostKeys
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Default sops file used for all secrets.
Type: path
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Default sops format used for all secrets.
Type: string
Default: "yaml"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Environment variables to set before calling sops-install-secrets.
The values are placed in single quotes and not escaped any further to allow usage of command substitutions for more flexibility. To properly quote strings with quotes use lib.escapeShellArg.
This will be evaluated twice when using secrets that use neededForUsers but in a subshell each time so the environment variables don’t collide.
Type: attribute set of (string or path)
Default: { }
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Path to gnupg database directory containing the key for decrypting the sops file.
Type: null or string
Default: null
Example: "/root/.gnupg"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Paths to ssh keys added as GPG keys during sops decryption. This option must be explicitly unset if config.sops.gnupg.sshKeyPaths is set.
Type: list of path
Default: The rsa keys from config.services.openssh.hostKeys
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Number of secrets generations to keep. Setting this to 0 disables pruning.
Type: unsigned integer, meaning >=0
Default: 1
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
What to log.
Type: list of (one of “keyImport”, “secretChanges”)
Default:
[
"keyImport"
"secretChanges"
]
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Path where the latest secrets are mounted to.
Type: attribute set of (submodule)
Default: { }
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
File format used to decrypt the sops secret. Binary files are written to the target file as is.
Type: one of “yaml”, “json”, “binary”, “dotenv”, “ini”
Default: "yaml"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Group of the file.
Type: string
Default: config.users.users.${owner}.group
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Key used to look up the value in the sops file. No nested data structures are supported right now. This option is ignored if format is binary.
Type: string
Default: "‹name›"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Permissions mode of the file in octal.
Type: string
Default: "0400"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Name of the file used in /run/secrets.
Type: string
Default: "‹name›"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Enabling this option causes the secret to be decrypted before users and groups are created. This can be used to retrieve users' passwords from sops-nix. Setting this option moves the secret to /run/secrets-for-users and disallows setting owner and group to anything other than root.
Type: boolean
Default: false
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
User of the file.
Type: string
Default: "root"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Path where secrets are symlinked to. If the default is kept no symlink is created.
Type: string
Default: /run/secrets-for-users/$name when neededForUsers is set, /run/secrets/$name otherwise.
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Names of units that should be reloaded when this secret changes. This works the same way as systemd.services.<name>.reloadTriggers.
Type: list of string
Default: [ ]
Example:
[
"sshd.service"
]
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Names of units that should be restarted when this secret changes. This works the same way as systemd.services.<name>.restartTriggers.
Type: list of string
Default: [ ]
Example:
[
"sshd.service"
]
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Sops file the secret is loaded from.
Type: path
Default: config.sops.defaultSopsFile
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Hash of the sops file, useful in systemd.services.<name>.restartTriggers.
Type: string (read only)
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
Templates for secret files.
Type: attribute set of (submodule)
Default: { }
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
Content of the file.
Type: strings concatenated with “\n”
Default: ""
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
Group of the file.
Type: (optionally newline-terminated) single-line string
Default: config.users.users.${cfg.owner}.group
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
Permissions mode of the rendered secret file in octal.
Type: (optionally newline-terminated) single-line string
Default: "0400"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
Name of the file used in /run/secrets-rendered.
Type: (optionally newline-terminated) single-line string
Default: "‹name›"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
User of the file.
Type: (optionally newline-terminated) single-line string
Default: "root"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
Path where the rendered file will be placed.
Type: (optionally newline-terminated) single-line string
Default: "/run/secrets-rendered/‹name›"
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/templates
Check all sops files at evaluation time. This requires sops files to be added to the nix store.
Type: boolean
Default: true
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
sops-install-secrets package to use when validating configuration.
Defaults to sops.package if building natively, and a native version of sops-install-secrets if cross compiling.
Type: package
Default: config.sops.package
Declared by: - /nix/store/dh37pgbrkmnd3gwwqaj6faic0s99hn2c-source/modules/sops/default.nix
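As an added example (not taken from the sops-nix documentation or module source), a NixOS configuration that exercises the options described above: the age key settings, a neededForUsers secret feeding a user's password hash, a binary secret with restartUnits, a service-owned secret with reloadUnits, and a template rendered outside the nix store. Option paths such as sops.secrets, sops.templates, sops.placeholder, sops.age.* and users.users.<name>.hashedPasswordFile are assumed from the sops-nix and NixOS modules and do not appear on this page.

```nix
{ config, ... }:
{
  # Added example, not project code. Option paths below are assumed from
  # the sops-nix module; only their descriptions appear in the reference above.
  sops.defaultSopsFile = ./secrets/hosts.yaml;  # in the store, so validateSopsFiles can check it
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  sops.age.generateKey = false;                  # key must already exist at keyFile

  # Decrypted before users/groups exist so it can seed a login password hash.
  # neededForUsers forces owner/group root and places it in /run/secrets-for-users.
  sops.secrets."alice-password-hash".neededForUsers = true;
  users.users.alice = {
    isNormalUser = true;
    hashedPasswordFile = config.sops.secrets."alice-password-hash".path;
  };

  # Binary format: the decrypted file is written as-is and `key` is ignored.
  sops.secrets."sshd-host-ca" = {
    sopsFile = ./secrets/ssh-ca.bin;
    format = "binary";
    mode = "0400";
    restartUnits = [ "sshd.service" ];
  };

  # A secret read by a service running as its own user: set owner/group
  # instead of loosening mode, and reload rather than restart on change.
  sops.secrets."db-password" = {
    key = "db_password";       # flat key in hosts.yaml (no nested structures)
    owner = "postgres";
    group = "postgres";
    reloadUnits = [ "postgresql.service" ];
  };

  # Templates are rendered at activation into /run/secrets-rendered, so the
  # config file containing the secret never lands in the world-readable store.
  sops.templates."app.env" = {
    content = ''
      DATABASE_URL=postgres://app:${config.sops.placeholder."db-password"}@localhost/app
    '';
    owner = "app";
    mode = "0400";
    restartUnits = [ "app.service" ];
  };
}
```

After `nixos-rebuild switch`, `ls -l /run/secrets /run/secrets-for-users /run/secrets-rendered` should show each file with the owner and 0400 mode set above; a secret that is readable more broadly than intended is a configuration error worth catching before a service is pointed at it.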