From cda46de69a7acef8df1ac07d27c2c2b1a8be8f21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 21 Feb 2022 10:14:00 +0100 Subject: [PATCH] README: add section about using sops-nix at evaluation time --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index a132795..983d75f 100644 --- a/README.md +++ b/README.md @@ -832,3 +832,13 @@ before `nixos-rebuild switch` to provision initrd secrets before actually using them in the initrd. In the future, we hope to extend NixOS to allow keys to be provisioned in the bootloader install phase. + +### Using secrets at evaluation time + +It is not possible to use secrets at evaluation time of nix code. This is +because sops-nix decrypts secrets only in the activation phase of nixos i.e. in +`nixos-rebuild switch` on the target machine. If you rely on this feature for +some secrets, you should also include solutions that allow secrets to be stored +securely in your version control, e.g. +[git-agecrypt](https://github.com/vlaci/git-agecrypt). These types of solutions +can be used together with sops-nix.
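Review bot: "If you rely on this feature for some secrets" in the new section is ambiguous, since the preceding sentence states that using secrets at evaluation time is not possible with sops-nix, so "this feature" has no clear referent; consider rewording it as "If you need some secrets at evaluation time" so the reader knows the paragraph is about a use case sops-nix does not cover rather than a sops-nix feature. It would also help to spell out the trade-off the reader is being pointed to: a secret available at evaluation time is read on the machine running the evaluation and ends up in the resulting derivation, which is why sops-nix defers decryption to the activation phase, so a tool like git-agecrypt only protects the secret in version control and not once it has been evaluated. Minor style points in the same hunk: "nix code" and "nixos" should be capitalised as "Nix code" and "NixOS" to match the rest of the README, and "i.e." should be followed by a comma ("i.e., in `nixos-rebuild switch`").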