mirror of https://github.com/Mic92/sops-nix.git synced 2025-03-16 05:28:15 +00:00

README: add section about using sops-nix at evaluation time

Jörg Thalheim 2022-02-21 10:14:00 +01:00
parent fc22eff320
commit cda46de69a
No known key found for this signature in database


@ -832,3 +832,13 @@ before `nixos-rebuild switch` to provision initrd secrets
before actually using them in the initrd. before actually using them in the initrd.
In the future, we hope to extend NixOS to allow keys to be In the future, we hope to extend NixOS to allow keys to be
provisioned in the bootloader install phase. provisioned in the bootloader install phase.
### Using secrets at evaluation time
It is not possible to use secrets at evaluation time of nix code. This is
because sops-nix decrypts secrets only in the activation phase of nixos i.e. in
`nixos-rebuild switch` on the target machine. If you rely on this feature for
some secrets, you should also include solutions that allow secrets to be stored
securely in your version control, e.g.
[git-agecrypt](https://github.com/vlaci/git-agecrypt). These types of solutions
can be used together with sops-nix.
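
Review bot: "If you rely on this feature" in the new "Using secrets at evaluation time" section has no clear antecedent. The sentence before it says evaluation-time use is not possible with sops-nix, so there is no feature to rely on. Suggest wording along the lines of "If you need some secrets at evaluation time, use a tool that keeps them encrypted in version control, e.g. git-agecrypt, alongside sops-nix", which also replaces the vague "include solutions". Two smaller points in the same paragraph: write "NixOS" and "Nix" with the capitalization the context line above uses ("extend NixOS"), and set off "i.e." with a comma after "NixOS".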