chore: add an example on how to use the sops feature

Author: weriomat

examples/sops/.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+creation_rules:
+  - path_regex: passwords.yaml
+    key_groups:
+      - age:
+          - *primary

examples/sops/README.md

@@ -0,0 +1,18 @@
+# Example NixOS system deployment where password is passed via sops
+
+This is an example of how to use the sops integration for deploy-rs.
+
+To decrypt the password manually use `SOPS_AGE_KEY_FILE=$(pwd)/age_private.txt sops -d passwords.yaml`.
+Note that sops will try to search for the private key for age in `$XDG_CONFIG_HOME/sops/age/keys.txt` by default,
+but this can be overridden with `SOPS_AGE_KEY_FILE`. For more information please see the [sops documentation](https://getsops.io/docs/#encrypting-using-age).
+
+1. Run bare system from `.#nixosConfigurations.sops`
+
+- `nix build .#nixosConfigurations.sops.config.system.build.vm`
+- `QEMU_NET_OPTS=hostfwd=tcp::2221-:22 ./result/bin/run-sops-vm`
+- you can manually ssh into the machine via `ssh deploy@localhost -p 2221 -i ./hello_ed25519`
+
+2. Develop the devshell via `nix develop .` to get sops, age and `deploy` added to $PATH
+3. Run via `deploy .` to deploy the "new" Configuration updated
+4. ???
+5. PROFIT!!!

examples/sops/age_private.txt

@@ -0,0 +1,3 @@
+# created: 2025-06-05T11:36:08+02:00
+# public key: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+AGE-SECRET-KEY-1L8HTRL2THGGZLXQQDTDLDG0U8EL4RSSAMVT9RYUG5JWPUJW49N9QS0EFSZ

examples/sops/age_public.txt

@@ -0,0 +1 @@
+age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm

examples/sops/configuration.nix

@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+{
+  networking.hostName = "sops";
+  nix.settings = {
+    # allow the `deploy` user to push unsigned NARs
+    allowed-users = [ "deploy" ];
+    trusted-users = [ "deploy" ];
+  };
+
+  # setup a user for the deployment
+  users.users.deploy = {
+    isNormalUser = true;
+    password = "heloWorld";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFnXmG3pSC8+UfmrHH0L5UtT++KqTmLp+1B3oWIJ1IBB hello@localhost"
+    ];
+    extraGroups = [
+      "wheel"
+      "sudo"
+    ]; # for sudo su
+    uid = 1010;
+  };
+
+  # setup the rest of the system
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  services.openssh.enable = true;
+
+  nix.settings = {
+    substituters = pkgs.lib.mkForce [ ];
+    experimental-features = "nix-command flakes";
+    trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+  };
+
+  # settings for the vm
+  virtualisation = {
+    useBootLoader = true;
+    writableStore = true;
+    useEFIBoot = true;
+  };
+}

examples/sops/flake.lock

@@ -0,0 +1,76 @@
+{
+  description = "Deploy a full system where the password is supplied via sops";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    deploy-rs.url = "github:weriomat/deploy-rs/sops";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      deploy-rs,
+      ...
+    }:
+    let
+      system = "x86_64-linux";
+      pkgs = import nixpkgs { inherit system; };
+    in
+    {
+      nixosConfigurations = {
+        sops = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./configuration.nix
+            (pkgs.path + "/nixos/modules/virtualisation/qemu-vm.nix")
+          ];
+        };
+        updated = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            (pkgs.path + "/nixos/modules/virtualisation/qemu-vm.nix")
+            ./configuration.nix
+            ./updated.nix
+          ];
+        };
+      };
+
+      # packages we need to inspect the encrypted files
+      devShells.x86_64-linux.default = pkgs.mkShell {
+        buildInputs = [
+          deploy-rs.packages.default
+          pkgs.sops
+          pkgs.age
+        ];
+      };
+
+      deploy.nodes.example = {
+        sshOpts = [
+          "-p"
+          "2221"
+        ];
+        hostname = "localhost";
+        fastConnection = true;
+        sudoFile = ./passwords.yaml;
+
+        profiles.system = {
+          user = "root";
+          sshUser = "deploy";
+
+          # sudo password is gotten via
+          sudoSecret = "password/deploy";
+
+          # we setup ssh auth with this key, these will get merged with the settings above
+          sshOpts = [
+            "-i"
+            "./hello_ed25519"
+          ];
+
+          path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.updated; # this is a bit hacky to get a "updated" configuration to deploy
+        };
+      };
+
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+    };
+}

examples/sops/flake.nix

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBZ15ht6UgvPlH5qxx9C+VLU/viqk5i6ftQd6FiCdSAQQAAAJhLKSuiSykr
+ogAAAAtzc2gtZWQyNTUxOQAAACBZ15ht6UgvPlH5qxx9C+VLU/viqk5i6ftQd6FiCdSAQQ
+AAAECHxBqQ8m4mlSF5N83v6x2XxUZB1ao85TyroGq333v5v1nXmG3pSC8+UfmrHH0L5UtT
+++KqTmLp+1B3oWIJ1IBBAAAAD2hlbGxvQGxvY2FsaG9zdAECAwQFBg==
+-----END OPENSSH PRIVATE KEY-----

examples/sops/hello_ed25519

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFnXmG3pSC8+UfmrHH0L5UtT++KqTmLp+1B3oWIJ1IBB hello@localhost

examples/sops/hello_ed25519.pub

@@ -0,0 +1,17 @@
+password:
+    deploy: ENC[AES256_GCM,data:t8IlqzJr5v+A,iv:L3/+IQ6+gl/az3ya+rc/yFJ89vdjI6NvletIyhO5EcA=,tag:sCzIp1WvRlpLtlm/i1AXmw==,type:str]
+sops:
+    age:
+        - recipient: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUjRhQ2pieU1XakR5eTFH
+            elpocXhFYUVBL3p4Z0RjcDhvcEZmNEtVWkNvCngvT21NNFpSNENwVVRsemROcGRN
+            aGJEVWhmWmI2dFQrRWw1RUhudElNMU0KLS0tIFYwUmQzLzVqVzdxSkdZTXIrMGVG
+            ZGZ4eS82bjZvWmxRRk1wbHFsZ2RlUGcKQeaupX894rGIal5ov0MOSaRVd4OQ7muQ
+            IkCtwZ+v2nn4xtd9MEdNur8z81civvCz907fmlKxtyk9NSLY8UP54w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-05T15:16:06Z"
+    mac: ENC[AES256_GCM,data:k7mANamp8envEFkAcsbbpvw3GoffaBBI4N7S90QFIX5bxdPsMQvQ9Lddh6nJAjYX0DGBUafVn3c2C1LXTJAmHbrLoqgn5uW18AHhNhnIt9M+5zXcT9olxoMt/aDd6OucCJ0N/vQ5fuD5HfFJwoANIg+2cEONfNoubspiI+K+Y/4=,iv:9GnnM7amxpmFGVpJ4q0pwJDFuldt5bAISrTxdJS9FbU=,tag:0AGdq2+jxQpjRv7zNIXFBg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2