services.vault.extraSettingsPaths

NixOS option

Configuration files to load besides the immutable one defined by the NixOS module. This can be used to avoid putting credentials in the Nix store, which can be read by any user.

Each path can point to a JSON- or HCL-formatted file, or a directory to be scanned for files with .hcl or .json extensions.

To upload the confidential file with NixOps, use for example:

    # https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
    deployment.keys."vault.hcl" =
      let db = import ./db-credentials.nix; in
      {
        text = ''
          storage "postgresql" {
            connection_url = "postgres://${db.username}:${db.password}@host.example.com/exampledb?sslmode=verify-ca"
          }
        '';
        user = "vault";
      };
    services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
    services.vault.storageBackend = "postgresql";
    users.users.vault.extraGroups = ["keys"];

type: list of absolute path
default: [ ]
declared in: nixos/modules/services/security/vault.nix
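
One way to check the property the description relies on before listing a path in extraSettingsPaths, as an added example that is not part of the NixOS module or manual: a shell audit that flags a settings file which resolves into the Nix store or is readable by all users, covering both single files and directories of .hcl/.json files. The function names and the STORE_PREFIX override are hypothetical, and GNU readlink and stat are assumed.

```shell
#!/bin/sh
# Added example: audit paths intended for services.vault.extraSettingsPaths.
# STORE_PREFIX (hypothetical override) lets the check be exercised off NixOS.
STORE_PREFIX="${STORE_PREFIX:-/nix/store}"

# Report problems with one settings file; exit status 1 if any were found.
check_file() (
    file="$1"; rc=0
    # Resolve symlinks: a link under /run can still point into the store.
    real="$(readlink -f -- "$file")" || { echo "UNRESOLVED $file"; exit 1; }
    case "$real" in
        "$STORE_PREFIX"/*) echo "IN_STORE $file -> $real"; rc=1 ;;
    esac
    # Octal mode of the resolved target (GNU stat assumed).
    mode="$(stat -c '%a' -- "$real")" || { echo "UNREADABLE $file"; exit 1; }
    # The last octal digit is the "other" class; 4-7 include the read bit.
    case "$mode" in
        *[4567]) echo "WORLD_READABLE $file (mode $mode)"; rc=1 ;;
    esac
    exit "$rc"
)

# Audit one extraSettingsPaths entry: a file, or a directory in which only
# *.hcl and *.json files are considered, matching the option description.
audit_settings_path() (
    target="$1"; rc=0
    if [ -d "$target" ]; then
        for f in "$target"/*.hcl "$target"/*.json; do
            [ -e "$f" ] || continue   # unmatched glob stays literal; skip it
            check_file "$f" || rc=1
        done
    else
        check_file "$target" || rc=1
    fi
    exit "$rc"
)

# Stand-alone use: audit every path given on the command line.
for p in "$@"; do
    audit_settings_path "$p"
done
```

Run it as the deploying user against each configured entry, for example `/run/keys/vault.hcl`; no output and exit status 0 means neither condition was found.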