Secret Management on NixOS with sops-nix

37 points by stapelberg


mrbrowning

You might wonder why I chose sops-nix over agenix, the other contender? The instructions for setting up sops-nix made more sense to me when I first looked at it, and I wanted to have the option to use sops in other ways, not just with age.

It’s funny, I had the opposite experience, but that’s resulted in my using both agenix (for host-level secrets) and sops (for k8s secrets, since FluxCD works with sops out of the box). They’re ultimately both pretty easy to work with, so I haven’t felt any pressing need to unify secret management under the one tool.

mtlynch

Thanks for this excellent writeup, as always @stapelberg!

I like the thoroughness here and the generosity of examples! I didn’t realize you could derive an age identity from your SSH private key. That’s a neat tip for avoiding another key to manage.

I’ve been using git-crypt based on @jeezy’s guide, which has the advantage of being simple, but the disadvantage of no longer being maintained and also making me go, “Oh no!” every time I see that I’ve committed my secrets to git and then I have to remember that I’ve filtered them through git-crypt. This might be the push I needed to move over to sops-nix.

antlers

It’s been a joy to see this use-case evolve, guiding users and contributors to clarify their threat models and adapt prior practices.

In my (quite scatter-brained, 2yo drive-by) Guix config, I’d written a SOPS-inspired system in <100 lines of Guile. I enjoyed doing so, partly to avoid YAML, but mostly for the practice: same reason I might write a three-line Makefile recipe as a forty-line cargo xtask or Guile module. What I’d actually recommend is fishinthecalculator’s sops-guix:

https://fishinthecalculator.me/blog/secrets-management-with-sops-guix.html

He’s got a great repo of Guix OCI Services, too.

In Dec. ’24, I reached out to compliment his work and shared these relevant entrypoints into my tangled mess (from least to most accessible): activation service, git hook, SCM hooks, data