https://github.com/ryanwalder/nixos-config
Last synced: 29 days ago
- Host: GitHub
- URL: https://github.com/ryanwalder/nixos-config
- Owner: ryanwalder
- Created: 2026-03-23T11:55:18.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-05-06T21:18:07.000Z (about 2 months ago)
- Last Synced: 2026-05-17T12:03:14.520Z (about 2 months ago)
- Language: Nix
- Size: 188 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# NixOS Config
My config for NixOS.
## Secrets Management
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Encrypted secrets live in the repo and are decrypted at activation time using host SSH keys.
### Structure
```
secrets/
  common.yaml         # shared across all hosts
  host/<host>.yaml    # per-host secrets (only that host can decrypt)
  role/<role>.yaml    # per-role secrets
```
### Key Files
- `.sops-keys.yaml` — source of truth for key management. Contains:
  - **hosts** — map hostnames to age public keys (derived from SSH host keys)
  - **scopes** — controls which hosts can decrypt which secret files
- `.sops.yaml` — generated from `.sops-keys.yaml` by `just sops update`. Do not edit directly.
### Key Management
```sh
just sops add [scope ...]   # register host key, optionally add to scopes
just sops remove            # remove host from all scopes
just sops edit              # decrypt/edit/re-encrypt a secrets file
just sops update            # regenerate .sops.yaml and re-encrypt all secrets
```
Scopes use dot notation matching the nested YAML structure:
- `common` — `scopes.common`
- `role.workstation` — `scopes.role.workstation`
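The following Python is an added illustration of what a generator like `just sops update` has to do, not the repo's own recipe: it turns a hosts/scopes mapping (the exact `.sops-keys.yaml` schema is assumed here) into the `creation_rules` that `.sops.yaml` needs, mapping dotted scope names onto the `secrets/` layout and refusing scopes that name unregistered hosts. The age keys are constructed placeholders.

```python
import re

# Constructed stand-in for .sops-keys.yaml (schema assumed; keys are fake).
# In practice each age key is derived from the host's ed25519 SSH host key.
SOPS_KEYS = {
    "hosts": {
        "laptop": "age1laptopexamplekey0000000000000000000000000000000000000000",
        "server": "age1serverexamplekey0000000000000000000000000000000000000000",
    },
    "scopes": {
        "common": ["laptop", "server"],
        "role": {"workstation": ["laptop"]},
    },
}

def flatten_scopes(scopes, prefix=()):
    """Yield (dotted scope name, hosts) pairs from the nested scopes mapping,
    so {'role': {'workstation': [...]}} becomes ('role.workstation', [...])."""
    for name, value in scopes.items():
        path = prefix + (name,)
        if isinstance(value, dict):
            yield from flatten_scopes(value, path)
        else:
            yield ".".join(path), list(value)

def scope_path_regex(scope):
    # 'common' -> secrets/common.yaml; 'role.workstation' -> secrets/role/workstation.yaml
    return "^secrets/" + re.escape(scope.replace(".", "/")) + r"\.yaml$"

def build_creation_rules(keys):
    hosts, rules = keys["hosts"], []
    for scope, members in flatten_scopes(keys["scopes"]):
        unknown = sorted(set(members) - set(hosts))
        if unknown:  # a typo here would silently leave a host unable to decrypt
            raise ValueError(f"scope {scope!r} names unregistered hosts: {unknown}")
        rules.append({"path_regex": scope_path_regex(scope),
                      "key_groups": [{"age": [hosts[h] for h in members]}]})
    # Per-host files carry only that host's key, so only that host can decrypt.
    for host, key in hosts.items():
        rules.append({"path_regex": "^secrets/host/" + re.escape(host) + r"\.yaml$",
                      "key_groups": [{"age": [key]}]})
    return rules

def render_sops_yaml(rules):
    """Emit .sops.yaml text with keys inlined (sops also accepts YAML anchors)."""
    lines = ["creation_rules:"]
    for r in rules:
        lines += [f"  - path_regex: '{r['path_regex']}'", "    key_groups:", "      - age:"]
        lines += [f"          - {k}" for k in r["key_groups"][0]["age"]]
    return "\n".join(lines) + "\n"
```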
### Adding a New Host
1. Boot the host and ensure it has an ed25519 SSH host key
2. Run `just sops add common` on that host
3. Add to role scopes if needed: edit `.sops-keys.yaml`, then run `just sops update`