SOPS Secrets Leaf
cells/secrets/default.nix wires sops-nix into both NixOS and Home Manager.
What this leaf does
The leaf resolves a private secrets root from a flake input, asserts that the encrypted file exists, and sets the same defaultSopsFile and age key path for system and user modules.
let
  # Store path of the private flake input that holds the encrypted file.
  secretsRoot = toString inputs.nix-secrets;
  defaultSopsFile = "${secretsRoot}/secrets.yaml";
in {
  config.my.branches.security.nixosModules = [
    {
      sops = {
        inherit defaultSopsFile;
        # Age key used for decryption (generic path).
        age.keyFile = "/persist/sops/age/keys.txt";
      };
    }
  ];
}
Why it exists
The branch model keeps secret wiring out of individual application leaves. Application leaves can request secrets; this leaf provides the shared backend.
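The excerpt above shows only the NixOS half. The following sketch is an added example, not the repository's actual default.nix; it includes the existence assertion and the Home Manager side described under "What this leaf does". The `{ inputs, ... }:` header, the `homeModules` option name, the `ageKeyFile` and `shared` bindings, and the assertion message are assumptions, and the sops-nix NixOS and Home Manager modules are assumed to be imported elsewhere.

```nix
# Added illustration; names marked "assumed" do not come from the page.
{ inputs, ... }:
let
  secretsRoot = toString inputs.nix-secrets;
  defaultSopsFile = "${secretsRoot}/secrets.yaml";

  # Same generic key path as the excerpt above.
  ageKeyFile = "/persist/sops/age/keys.txt";

  # One attribute set reused by both module systems, so the NixOS and
  # Home Manager settings cannot drift apart.
  shared = {
    # Fail evaluation early if the encrypted file is missing from the
    # flake input. The message deliberately omits the resolved path.
    assertions = [
      {
        assertion = builtins.pathExists defaultSopsFile;
        message = "sops: secrets.yaml not found in the nix-secrets flake input";
      }
    ];

    sops = {
      inherit defaultSopsFile;
      age.keyFile = ageKeyFile;
    };
  };
in {
  config.my.branches.security = {
    nixosModules = [ shared ];
    # Assumed option name for the Home Manager module list.
    homeModules = [ shared ];
  };
}
```

On the Home Manager side sops-nix decrypts as the logged-in user, so that user needs read access to the key file at the shared path.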
Privacy note
This public note uses generic paths. Never publish real decrypted values, private key material, token names that reveal services, or local filesystem paths that expose personal infrastructure.