Introduction
In this article, I will go over how to get sops-nix to work properly with
home-manager. One issue I noticed was that when I used it with home-manager modules/options, the secret path
came out as a string like “%r/secrets/haseeb/…”. The %r
would not be replaced with an actual path.
Relevant Issue: https://github.com/Mic92/sops-nix/issues/28
Assumption
I will assume you have already set up sops-nix and are using it, that is, you have a .sops.yaml
file and are already
using it with NixOS. The instructions in the README are mostly clear on how to get set up, but I may in future
write another article on how I set up sops-nix. In this post, we will simply go over how to make it work with
home-manager. I will also assume you are using nix flakes and have passed sops-nix as an input.
Solution
So I have a file called home-manager/security/sops.nix
which looks like this:
{
  inputs,
  pkgs,
  ...
}: {
  imports = [
    # the home-manager module shipped by sops-nix (taken from the flake input)
    inputs.sops-nix.homeManagerModules.sops
  ];

  sops = {
    gnupg = {
      # decrypt with the GPG key in the user's keyring rather than an SSH key
      home = "~/.gnupg";
      sshKeyPaths = [];
    };
    # where the decrypted secrets are exposed; 1000 is this user's UID
    defaultSymlinkPath = "/run/user/1000/secrets";
    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
  };

  # the sops CLI, for editing the encrypted secrets files
  home.packages = with pkgs; [
    sops
  ];
}
The key to making it work is the two default* values, which tell sops-nix where to mount the secrets:
a tmpfs (an in-memory temporary file system) in which each decrypted secret is exposed as a file.
Note that /run/user/1000 is the runtime directory of the user with UID 1000; if your user has a
different UID (check with id -u), adjust both paths to match, otherwise the secrets will not be mounted
where your own session can see them.
Listing the Atuin key that we set up below shows what ends up there:
ls -al /run/user/1000/secrets/atuin_key
Permissions Size User Group Date Modified Name
.r-------- 146 haseeb users 28 Jan 09:26 /run/user/1000/secrets/atuin_key
The file is owned by the user and readable only by its owner (mode 0400), which is what we want for a secret.
Other than that, we install sops so we can use the CLI tool to edit our sops files and add secrets. I keep
a home-manager/secrets.yaml
file for storing all secrets related to home-manager.
Atuin
So first I run sops home-manager/secrets.yaml
and add my Atuin encryption key to this file under the key atuin_key.
Here is how I use it in one of my modules, say home-manager/programs/atuin.nix:
{
  config,
  pkgs,
  ...
}: {
  programs.atuin = {
    enable = true;
    settings = {
      # ...
      # evaluates to <defaultSymlinkPath>/atuin_key, i.e. /run/user/1000/secrets/atuin_key
      key_path = config.sops.secrets.atuin_key.path;
    };
  };

  # declare the secret; the attribute name "atuin_key" must match the key in secrets.yaml
  sops.secrets.atuin_key = {
    sopsFile = ../secrets.yaml;
  };
}
This module both declares the secret and references it. Once this has been built using home-manager, the
Atuin config that nix generates will point key_path at the /run/user/1000/secrets/atuin_key
file.
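As an added check, not part of the original post or of sops-nix, the following shell functions verify after a home-manager switch that a secret really was materialised where the config above says it should be, with the expected owner and permissions, and that the directory lives on tmpfs. The function names (check_secret, secrets_dir, on_tmpfs) are my own; the script assumes a Linux host with GNU coreutils stat and a systemd user session that sets XDG_RUNTIME_DIR, and it derives the secrets directory from the current UID rather than hard-coding 1000, so it also works for other users.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or from sops-nix): sanity-check
# a sops-nix home-manager secret after `home-manager switch`.
# Assumes Linux + GNU coreutils `stat` and a systemd user session.

# check_secret <path>
# Returns 0 if <path> exists, is owned by the current user and is readable
# by its owner only (mode 0400); otherwise prints the reason and returns 1.
check_secret() {
  path=$1
  if [ ! -f "$path" ]; then
    echo "missing: $path" >&2
    return 1
  fi
  # -L follows the symlink that sops-nix places in defaultSymlinkPath
  mode=$(stat -L -c '%a' "$path")
  owner=$(stat -L -c '%U' "$path")
  me=$(id -un)
  if [ "$owner" != "$me" ]; then
    echo "wrong owner on $path: $owner (expected $me)" >&2
    return 1
  fi
  if [ "$mode" != "400" ]; then
    echo "wrong mode on $path: $mode (expected 400)" >&2
    return 1
  fi
  return 0
}

# secrets_dir
# The directory this post's config exposes secrets in, derived from the
# session runtime dir so the UID is never hard-coded (hypothetical helper).
secrets_dir() {
  echo "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/secrets"
}

# on_tmpfs <path>
# Returns 0 if the filesystem holding <path> is tmpfs, i.e. the decrypted
# secret is kept in memory rather than on persistent storage.
on_tmpfs() {
  [ "$(stat -L -f -c '%T' "$1")" = "tmpfs" ]
}
```

Usage after switching: `check_secret "$(secrets_dir)/atuin_key" && on_tmpfs "$(secrets_dir)" && echo ok`. A non-zero exit from check_secret points at the usual culprits: a defaultSymlinkPath that does not match your UID, or a secret that was declared in sops.secrets but not added to secrets.yaml.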