mirror of
https://github.com/Mic92/sops-nix.git
synced 2025-03-16 13:38:20 +00:00
README: add section about using sops-nix at evaluation time
parent
fc22eff320
commit
cda46de69a
1 changed files with 10 additions and 0 deletions
10
README.md
|
@ -832,3 +832,13 @@ before `nixos-rebuild switch` to provision initrd secrets
|
||||||
before actually using them in the initrd.
|
before actually using them in the initrd.
|
||||||
In the future, we hope to extend NixOS to allow keys to be
|
In the future, we hope to extend NixOS to allow keys to be
|
||||||
provisioned in the bootloader install phase.
|
provisioned in the bootloader install phase.
|
||||||
|
|
||||||
|
### Using secrets at evaluation time
|
||||||
|
|
||||||
|
It is not possible to use secrets at evaluation time of nix code. This is
|
||||||
|
because sops-nix decrypts secrets only in the activation phase of nixos i.e. in
|
||||||
|
`nixos-rebuild switch` on the target machine. If you rely on this feature for
|
||||||
|
some secrets, you should also include solutions that allow secrets to be stored
|
||||||
|
securely in your version control, e.g.
|
||||||
|
[git-agecrypt](https://github.com/vlaci/git-agecrypt). These types of solutions
|
||||||
|
can be used together with sops-nix.
|
||||||
|
|
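Review bot: In the third sentence of the new section, "If you rely on this feature" has no clear referent, because the sentence before it says that using secrets at evaluation time is not possible; reword it along the lines of "If you need some secrets at evaluation time, ...". The paragraph also writes "nix code" and "nixos" in lowercase while the unchanged context above uses "NixOS", so capitalize both for consistency and set "i.e." off with commas. The closing sentence says these solutions "can be used together with sops-nix" without saying how; one sentence on which secrets belong to which tool would make the recommendation actionable.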