nixlets/docs/secrets.md

# Secrets

When using Nixlets together with tools like [FluxCD](https://fluxcd.io) and
[SOPS](https://github.com/getsops/sops) it makes sense to apply the secrets on
their own (eg. with their own FluxCD's `Kustomization`).

To make secret management easier, Nixlets allow you to specify encrypted secret
files in your configuration like this:

```nix title="some_resource.nix"
  # ...
  kubernetes.secrets."name" = ./secret.sops.yaml;
  kubernetes.resources.configMaps. # ...
  # ...
```

In CI for example you can then retrieve all of these files at once and put them
in an OCI image for FluxCD to deploy:

```nix title="flake.nix"
packages.secrets = (<some nixlet>).secretsCombined; # (derivation)
```

```sh
nix build .#secrets
# result/ contains all yaml secret files
```
docs: write initial documentation 2025-04-28 13:06:28 +02:00			`# Secrets`

			`When using Nixlets together with tools like [FluxCD](https://fluxcd.io) and`
			`[SOPS](https://github.com/getsops/sops) it makes sense to apply the secrets on`
			their own (eg. with their own FluxCD's `Kustomization`).

			`To make secret management easier, Nixlets allow you to specify encrypted secret`
			`files in your configuration like this:`

			```nix title="some_resource.nix"
			`# ...`
			`kubernetes.secrets."name" = ./secret.sops.yaml;`
			`kubernetes.resources.configMaps. # ...`
			`# ...`
			```

			`In CI for example you can then retrieve all of these files at once and put them`
			`in an OCI image for FluxCD to deploy:`

			```nix title="flake.nix"
			`packages.secrets = (<some nixlet>).secretsCombined; # (derivation)`
			```

			```sh
			`nix build .#secrets`
			`# result/ contains all yaml secret files`
			```