Expose the values of unencrypted keys as-is

[srid]

A subset of keys in secrets.yaml can be marked as unencrypted by suffixing them with _unencryprted. This is useful for things like SSH public (not private) keys.

Can sops-nix expose these unencrypted values during evaluation? Not as .path (which points to /run/... path, accessible only during runtime), but as .text (accessible during evaluation time)?

I could then store public keys in secrets.yaml (along with the encrypted private keys) and use them to set options like users.user.<name>.authorizedKeys in a say container (that has no access to the host's /run directory).

[srid]

I could read config.sops.defaultSopsFile, run it through fromYAML then fromJSON ... but it would be nice to have sops-nix provide the raw text directly.

[Mic92]

I would accept this as a contribution but won't implement it as I don't have a use-case for it.

[srid]

@Mic92 What do you think about supporting a new format, secrets.nix?

sops-nix/pkgs/sops-install-secrets/main.go

Lines 71 to 75 in 4f308f7

	Yaml FormatType = "yaml"
	Json FormatType = "json"
	Binary FormatType = "binary"
	Dotenv FormatType = "dotenv"
	Ini FormatType = "ini"

Then, we won't need IFD to parse the yaml file in Nix, and can simply import the secrets file.

[Mic92]

sops-nix can only support formats also supported by sops. It relies on sops for editing secrets and it's unlikely that they will add nix. There is not import-from-derivation required to check yaml. It's just a normal nix derivation.

[srid]

Closing, because I no longer need this, as I'll just use JSON as the secrets format (though, that requires #328).