# Encrypted Secrets
This directory is intended for encrypted secret files managed with sops.
Phase 1 notes:

- Keep encrypted files in git under `secrets/`.
- Do not commit plaintext secret material.
- Update `.sops.yaml` recipients before creating real secrets.
Typical next steps:

- Set real age recipients in `.sops.yaml`.
- Fill the template YAML files with real secret values.
- Encrypt them in place using `sops`.
## Phase 3 expected files

Create these encrypted files:

- `secrets/autossh/remote_proxy_key`
- `secrets/autossh/remote_proxy_known_hosts`
- `secrets/openssh/authorized_keys`

Expected YAML keys:

- `qbittorrent.vpn.username`
- `qbittorrent.vpn.password`

These are materialized at runtime to:

- `/run/secrets/autossh/remote_proxy_key`
- `/run/secrets/autossh/remote_proxy_known_hosts`
- `/run/secrets/openssh_authorized_keys`
File secrets are stored as encrypted whole files, so the decrypted runtime content is exactly the file body. That is the right choice for bigger files like SSH private keys and known_hosts files.
`config/secrets.nix` is the source of truth for the tree, and `config/sops.nix` is derived from it.
## How to encrypt them

Fill in the placeholders, then run:

```sh
sops -e -i secrets/autossh/remote_proxy_key
sops -e -i secrets/autossh/remote_proxy_known_hosts
sops -e -i secrets/openssh/authorized_keys
```
For scalar secrets such as `secrets/qbittorrent/vpn.yaml`, use the same command and keep the YAML structure.
## Template files to fill

- `secrets/autossh/remote_proxy.yaml`
- `secrets/qbittorrent/vpn.yaml`
- `secrets/openssh/authorized_keys.yaml`

After editing, encrypt each file in place with `sops -e -i <file>`.
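The notes above say not to commit plaintext secret material and to encrypt every template in place before it lands in git. The script below is an added example (not part of this repository) that turns that rule into a check: it walks `secrets/`, and reports every file that does not carry sops encryption metadata (the `ENC[AES256_GCM,...]` values and the `mac` entry that both YAML and whole-file sops output contain). It also shows the `.sops.yaml` shape the "set real age recipients" step refers to; the age recipient in it, the file names under the temporary fixture directory, and the `make_fixture` helper are constructed placeholders, not real keys or this repository's files.

```sh
#!/bin/sh
# Added example, not part of this repository: refuse plaintext under secrets/.
# Usage: sh check-secrets.sh [dir]   (dir defaults to secrets/)
set -u

# .sops.yaml shape assumed for this tree. YAML templates and whole-file
# secrets (private keys, known_hosts) encrypt to the same age recipient.
# The recipient value is a placeholder and must be replaced with a real key.
SOPS_YAML_EXAMPLE='creation_rules:
  - path_regex: ^secrets/.*\.yaml$
    age: age1placeholderreplacewithrealrecipient
  - path_regex: ^secrets/
    age: age1placeholderreplacewithrealrecipient
'

# A sops-encrypted file, whether a YAML document or a whole-file secret stored
# as JSON, wraps every value as ENC[AES256_GCM,...] and carries a metadata
# block with a MAC over the encrypted values. Missing either means plaintext.
is_sops_encrypted() {
    f=$1
    [ -f "$f" ] || return 1
    grep -q 'ENC\[AES256_GCM' "$f" || return 1
    grep -Eq '^[[:space:]]*("mac"|mac):' "$f" || return 1
    return 0
}

# Recognise the most damaging kind of plaintext: PEM/OpenSSH private keys.
looks_like_private_key() {
    grep -Eq 'BEGIN [A-Z ]*PRIVATE KEY' "$1"
}

# Print every regular file under the directory that is not sops-encrypted,
# one per line, and return 1 if any was found. README.md is skipped.
# Paths containing whitespace are not handled by the for-loop word splitting.
find_plaintext() {
    dir=$1
    status=0
    for f in $(find "$dir" -type f ! -name '*.md' | sort); do
        if ! is_sops_encrypted "$f"; then
            if looks_like_private_key "$f"; then
                echo "$f (private key material)"
            else
                echo "$f"
            fi
            status=1
        fi
    done
    return $status
}

# Constructed fixture: one file with sops-style metadata (placeholder values,
# not a real ciphertext) and one plaintext private key that must be flagged.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/qbittorrent" "$d/autossh"
    cat > "$d/qbittorrent/vpn.yaml" <<'EOF'
qbittorrent:
    vpn:
        username: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
        password: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
sops:
    age:
        - recipient: age1placeholderreplacewithrealrecipient
          enc: constructed
    mac: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
EOF
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$d/autossh/remote_proxy_key"
    echo "$d"
}

# Only scan when a directory argument is given, so sourcing the file for its
# functions has no side effects.
if [ $# -gt 0 ]; then
    find_plaintext "$1"
fi
```

Wire `find_plaintext secrets` into a pre-commit hook or CI job so an unencrypted template or a pasted private key fails the commit instead of reaching the remote; after `sops -e -i <file>` the same file passes, because sops adds the `mac` entry and the `ENC[...]` wrappers the check looks for.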