Expose the values of unencrypted keys as-is

[srid]

A subset of keys in secrets.yaml can be marked as unencrypted by suffixing them with _unencryprted. This is useful for things like SSH public (not private) keys.

Can sops-nix expose these unencrypted values during evaluation? Not as .path (which points to /run/... path, accessible only during runtime), but as .text (accessible during evaluation time)?

I could then store public keys in secrets.yaml (along with the encrypted private keys) and use them to set options like users.user.<name>.authorizedKeys in a say container (that has no access to the host's /run directory).

[srid]

I could read config.sops.defaultSopsFile, run it through fromYAML then fromJSON ... but it would be nice to have sops-nix provide the raw text directly.

[Mic92]

I would accept this as a contribution but won't implement it as I don't have a use-case for it.

[Mic92]

sops-nix can only support formats also supported by sops. It relies on sops for editing secrets and it's unlikely that they will add nix. There is not import-from-derivation required to check yaml. It's just a normal nix derivation.

[srid]

Closing, because I no longer need this, as I'll just use JSON as the secrets format (though, that requires #328).