Misterio77 / nix-config

Personal nixos and home-manager configurations.
https://m7.rs/git/nix-config/
MIT License

Advice for encrypting secrets that can't be encrypted with sops-nix because they are needed during evaluation #23

Open NovaViper opened 11 months ago

NovaViper commented 11 months ago

Hey, I'm using your config as a template for my own, but I have some submodules that have some secrets I want to encrypt within the file (and they must be available at runtime because it's being run with Home Manager). I came across this utility, scalpel, but I have no clue how to incorporate it within the flake (I'm still learning about NixOS, and I haven't heard of anyone using this utility before). Do you have any advice for how I can modify the flake file to incorporate the utility? Thanks in advance!

flake.nix

{
  description = "My NixOS Multi-config";

  inputs = {
    # Nixpkgs
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

    # Home manager
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixpkgs-stable.follows = "";
    };

    hardware.url = "github:nixos/nixos-hardware";

    # Shameless plug: looking for a way to nixify your themes and make
    # everything match nicely? Try nix-colors!
    nix-colors.url = "github:misterio77/nix-colors";

    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, home-manager, ... }@inputs:
    let
      inherit (self) outputs;
      lib = nixpkgs.lib // home-manager.lib;
      systems = [ "x86_64-linux" ];
      forEachSystem = f: lib.genAttrs systems (sys: f pkgsFor.${sys});
      pkgsFor = nixpkgs.legacyPackages;
      dotfilesLib = rec {
        runtimeRoot = "/home/novaviper/Desktop/nix-config";
        runtimePath = path:
          let
            # This is the `self` that gets passed to a flake `outputs`.
            rootStr = toString self;
            pathStr = toString path;
          in assert lib.assertMsg (lib.hasPrefix rootStr pathStr)
            "${pathStr} does not start with ${rootStr}";
          runtimeRoot + lib.removePrefix rootStr pathStr;
      };
    in {
      inherit lib;
      # Your custom packages
      # Accessible through 'nix build', 'nix shell', etc
      packages = forEachSystem (pkgs: import ./pkgs { inherit pkgs; });

      # Devshell for bootstrapping
      # Accessible through 'nix develop' or 'nix-shell' (legacy)
      devShells = forEachSystem (pkgs: import ./shell.nix { inherit pkgs; });

      # Your custom packages and modifications, exported as overlays
      overlays = import ./overlays { inherit inputs outputs; };
      # Reusable nixos modules you might want to export
      # These are usually stuff you would upstream into nixpkgs
      nixosModules = import ./modules/nixos;
      # Reusable home-manager modules you might want to export
      # These are usually stuff you would upstream into home-manager
      homeManagerModules = import ./modules/home-manager;

      # NixOS configuration entrypoint
      # Available through 'nixos-rebuild --flake .#your-hostname'
      nixosConfigurations = {
        ryzennova = lib.nixosSystem {
          modules = [ ./hosts/ryzennova ];
          specialArgs = { inherit inputs outputs dotfilesLib; };
        };
        /* thinknova = lib.nixosSystem {
             modules = [ ./hosts/thinknova ];
             specialArgs = { inherit inputs outputs; };
           };
        */
      };

      # Standalone home-manager configuration entrypoint
      # Available through 'home-manager --flake .#your-username@your-hostname'
      homeConfigurations = {
        "novaviper@ryzennova" = lib.homeManagerConfiguration {
          modules = [ ./home/novaviper/ryzennova.nix ];
          pkgs = pkgsFor.x86_64-linux; # Home-manager requires 'pkgs' instance
          extraSpecialArgs = { inherit inputs outputs dotfilesLib; };
        };
        /* "novaviper@thinknova" = lib.homeManagerConfiguration {
             modules = [ ./home-manager/home.nix ];
             pkgs = pkgsFor.x86_64-linux; # Home-manager requires 'pkgs' instance
             extraSpecialArgs = { inherit inputs outputs; };
           };
        */
      };
    };
}

Misterio77 commented 8 months ago

Hey!

It's my first time hearing of scalpel, it does seem interesting if the service you're using does not support a secrets file, but otherwise seems to be really complex to use (and most services do support a separate secrets file).

What's your usecase exactly? sops-nix for home-manager, or simply using a password manager might do the trick.

I personally use sops-nix with host SSH keys for system-wide secrets, and pass for user secrets (example).

NovaViper commented 8 months ago

Hey, sorry for the delay! I actually have several secrets that are separate secret files, which I encrypted with sops-nix, and also a user secrets system, both of which I implemented in a similar way as in your repo. However, I actually have one secret in particular that's in a .nix module file directly, like this:

  accounts.email = {
    maildirBasePath = "${config.xdg.cacheHome}/mail";
    accounts = {
      "uni" = {
        address = "{SECRET_REDACTED}";
        userName = "{SECRET_REDACTED}";
        passwordCommand =
          "gpg -q --for-your-eyes-only --no-tty -d ~/.authinfo.gpg | awk '/machine smtp.gmail.com login {SECRET_REDACTED}/ {print $NF}'";
        flavor = "gmail.com";
... 

I also use sops-nix with gpg keys that are saved on my Yubikey, but I recently stopped using it because I've had issues getting sops-nix to recognize my Yubikey. I know there's some work going on for getting age support added to sops, which would make it possible to have sops-nix use my Yubikey with the age keys; but I will have to wait till that happens. But the main thing I'm wondering is how to get the secrets to be read as the module is being evaluated.

Misterio77 commented 7 months ago

Hey, double extra sorry for the delay, life's been busy and I ended up neglecting my issues a bit, apologies :(

I think there's not much you can do to read them at eval time, as sops' whole point is that they are only decrypted at run time, never read by the nix evaluator. So you'd have to use it (as a replacement, or together with it) with another secret scheme; perhaps a separate, private repo, a gitignored file, etc.
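One way to keep the mail password out of the evaluated module, as an added example that is not from the issue or from the nix-config repository: let sops-nix (via its Home Manager module) drop the secret as a runtime file and have the mail client read it through passwordCommand, so the Nix store only ever contains the path string. It assumes a sops-encrypted `secrets.yaml` with the key `mail/uni/password`, an age key at the path shown, and placeholder identity values; note that `address` and `userName` are evaluated at build time and therefore do land in the world-readable store, so this approach only protects the password itself.

```nix
# Added example, not the issue author's or the repository's own module.
# Assumes: ./secrets.yaml encrypted with sops, an age key at the keyFile path,
# and that sops-nix is passed in via `inputs` (as in the flake above).
{ config, pkgs, inputs, ... }:
{
  imports = [ inputs.sops-nix.homeManagerModules.sops ];

  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
    # Declared here, decrypted on activation into a runtime directory;
    # the evaluator never sees the plaintext.
    secrets."mail/uni/password" = { };
  };

  accounts.email = {
    maildirBasePath = "${config.xdg.cacheHome}/mail";
    accounts.uni = {
      # Placeholders: non-secret identity still ends up in the Nix store.
      address = "user@example.com";
      userName = "user@example.com";
      flavor = "gmail.com";
      # Runtime read of the decrypted file; only the path is stored in the
      # generated configuration, not the password.
      passwordCommand =
        "${pkgs.coreutils}/bin/cat ${config.sops.secrets."mail/uni/password".path}";
    };
  };
}
```

After activation, `config.sops.secrets."mail/uni/password".path` points at a file owned by the user with mode 0400, which is the check to run if a mail client reports an empty password.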