Defined in /modules/blocks/sops.nix.
This block sets up a sops-nix secret. It is only a small layer on top of the sops-nix options to adapt them to the secret contract.
This block provides the following contract: the secret contract, under the shb.sops.secret option.
It is not yet tested with contract tests but it is used extensively on several machines.
As required by the contract, when a secret is requested through the shb.sops module, the path where the secret will be located can be found under the shb.sops.secret.<name>.result option.
First, a file with encrypted secrets must be created by following the secrets setup section.
This example shows how to use this sops block to fulfill the request of a module that uses the secret contract under the option services.mymodule.mysecret:
shb.sops.secret."mymodule/mysecret".request = config.services.mymodule.mysecret.request;
services.mymodule.mysecret.result = config.shb.sops.secret."mymodule/mysecret".result;
The provider module can be used on its own, without a requester module. In that case the request is written by hand and the consuming service reads the result path directly (note the shb. prefix: the result lives under shb.sops.secret, not under the raw sops-nix sops.secrets option):
shb.sops.secret."mymodule/mysecret".request = {
mode = "0400";
owner = "owner";
};
services.mymodule.mysecret.path = config.shb.sops.secret."mymodule/mysecret".result.path;
shb.sops.secret
Secret following the secret contract.
Type: attribute set of (submodule)
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.request.owner
Linux user owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/<name>";
}
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: path
Default:
"/run/secrets/<name>"
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
shb.sops.secret.<name>.settings
Settings specific to the Sops provider.
This is a passthrough option to set sops-nix options.
Note though that mode, owner, group, and restartUnits are managed by the shb.sops.secret.<name>.request option and must not be set here.
Type: attribute set of anything
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/sops.nix>
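As an added example, not taken from the Self Host Blocks documentation or source, this wires the standalone provider usage above together with the settings passthrough: the request pins ownership, mode and the unit to restart, settings tells sops-nix which encrypted file holds the value, and a service consumes the result path. The secret name "nginx/tlsKey", the ./secrets.yaml file and the nginx virtual host are assumptions.

```nix
{ config, ... }:
{
  # Provider side: declare the secret with the properties the consumer needs.
  # These four fields belong to the request, never to settings.
  shb.sops.secret."nginx/tlsKey" = {
    request = {
      owner = "nginx";                     # assumed: the user that must read the key
      group = "nginx";
      mode = "0400";                       # owner-only, the block's default
      restartUnits = [ "nginx.service" ];  # pick up a rotated key on the next deploy
    };
    # Passthrough to sops-nix. Only provider-specific knobs go here; mode, owner,
    # group and restartUnits above are already managed by the request option.
    settings = {
      sopsFile = ./secrets.yaml;  # assumed: the file created in the secrets setup step
    };
  };

  # Consumer side: read the decrypted file from the result path at runtime.
  # The file is materialised on the target host (default /run/secrets/nginx/tlsKey)
  # and is never copied into the Nix store.
  services.nginx.virtualHosts."example.org".sslCertificateKey =
    config.shb.sops.secret."nginx/tlsKey".result.path;
}
```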