point sops at age key file
sops-nix's default identity discovery imports the host's SSH ed25519 key as an age identity, but secrets/tide.yaml is encrypted to the age key generated with age-keygen and stored at /var/lib/sops-nix/key.txt. Without sops.age.keyFile pointing at that path, activation fails with 'Error getting data key: 0 successful groups required, got 0'. Also blank the SSH/GPG fallback paths so the module never silently picks up an unintended identity.
This commit is contained in:
parent
bd417f5784
commit
f0259cfb96
1 changed files with 8 additions and 0 deletions
8
tide.nix
8
tide.nix
|
|
@ -20,6 +20,14 @@
|
|||
# the file is absent, which is the right place for that failure.
|
||||
sops.validateSopsFiles = false;
|
||||
|
||||
# Use the host's age key generated with age-keygen, not the
|
||||
# SSH-host-key-derived identity sops-nix falls back to by default.
|
||||
# The encrypted file's recipient is the public key paired with
|
||||
# this private key.
|
||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
sops.age.sshKeyPaths = [ ];
|
||||
sops.gnupg.sshKeyPaths = [ ];
|
||||
|
||||
sops.secrets."tide-env" = {
|
||||
sopsFile = ./secrets/tide.yaml;
|
||||
# phpfpm reads this via EnvironmentFile, which runs as root
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue