mirror of
https://github.com/Mic92/sops-nix.git
synced 2025-12-26 14:14:58 +08:00
docs: expand a bit on user secrets + impermanence.
See also the discussion at https://github.com/Mic92/sops-nix/issues/149
parent
553c7cb22f
commit
4c4fb93f18
1 changed files with 12 additions and 3 deletions
15
README.md
@ -571,9 +571,18 @@ $y$j9T$WFoiErKnEnMcGq0ruQK4K.$4nJAY3LBeBsZBTYSkdTOejKU6KlDmhnfUV3Ll1K/1b.
|
|||
}
|
||||
```
|
||||
|
||||
**Note:** If you are using Impermanence, you must set `sops.age.keyFile` to a keyfile inside your persist directory or it will not exist at boot time.
|
||||
For example: `/nix/persist/var/lib/sops-nix/key.txt`
|
||||
Similarly if ssh host keys are used instead, they also need to be placed inside the persisted storage.
|
||||
**Note:** If you are using Impermanence, the key used for secret decryption (`sops.age.keyFile`, or the host SSH keys) must be in a persisted directory,
|
||||
loaded early enough during boot. For example:
|
||||
|
||||
```nix
|
||||
sops.age.keyFile = "/nix/persist/var/lib/sops-nix/key.txt";
|
||||
```
|
||||
|
||||
or:
|
||||
|
||||
```nix
|
||||
fileSystems."/etc/ssh".neededForBoot = true;
|
||||
```
|
||||
|
||||
## Different file formats
|
||||
|
||||
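Review bot: In the rewritten note, "must be in a persisted directory, loaded early enough during boot" does not parse cleanly and leaves unclear whether the key or the directory has to be available early; wording such as "must be in a persisted directory that is mounted early enough during boot" would say it directly. The two snippets are joined by a bare "or:", so a reader cannot tell that the first is for `sops.age.keyFile` and the second for the host SSH keys; a short label before each would help. The second snippet, `fileSystems."/etc/ssh".neededForBoot = true;`, only applies when `/etc/ssh` is its own mount, which the text should state. The removed wording also gave the reason ("or it will not exist at boot time"), and keeping that clause would tell readers what failure to expect.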