Introduction

In this article, I will go over how to get sops-nix to work properly with home-manager. One issue I noticed was that when I used it with home-manager modules/options, I would see a string like “%r/secrets/haseeb/…” in the generated config: the %r placeholder would not be replaced with the real runtime directory.

Relevant Issue: https://github.com/Mic92/sops-nix/issues/28

Assumption

I will assume you have already set up sops-nix and are using it, in the sense that you have a .sops.yaml file and are already using it with NixOS. The instructions in the README are mostly clear on how to get set up, but I may in future write another article on how I set up sops-nix. In this post, we will simply go over how to make it work with home-manager. I will also assume you are using nix flakes and have passed sops-nix as an input.

Solution

So I have a file called home-manager/security/sops.nix which looks like this:

{
  inputs,
  pkgs,
  ...
}: {
  imports = [
    inputs.sops-nix.homeManagerModules.sops
  ];

  sops = {
    gnupg = {
      home = "~/.gnupg";
      sshKeyPaths = [];
    };
    # Absolute paths instead of the default "%r/..." values, so the
    # placeholder is never left unsubstituted in generated configs.
    defaultSymlinkPath = "/run/user/1000/secrets";
    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
  };

  home.packages = with pkgs; [
    sops
  ];
}

The key bit to making it work is the two default values here, which tell sops-nix where to mount the secrets in tmpfs, the temporary file-system where our secrets will be stored as files. Note that 1000 is my user's UID; /run/user/<uid> is the per-user runtime directory, so use your own UID here.

ls -al /run/user/1000/secrets/atuin_key

Permissions Size User   Group Date Modified Name
.r--------   146 haseeb users 28 Jan 09:26   /run/user/1000/secrets/atuin_key

Other than that, we install sops so we can use the CLI tool to edit our sops files and add secrets. I keep a home-manager/secrets.yaml file for storing all secrets related to home-manager.

Atuin

So first I run sops home-manager/secrets.yaml and add my Atuin secret encryption key to this file. Here is how I use it in one of my modules, say home-manager/programs/atuin.nix:

{
  config,
  pkgs,
  ...
}: {
  programs.atuin = {
    enable = true;
    settings = {
      # ...
      key_path = config.sops.secrets.atuin_key.path;
    };
  };

  sops.secrets.atuin_key = {
    sopsFile = ../secrets.yaml;
  };
}

Here we reference the secret from within the module. Once this has been built using home-manager, if we look at the config for Atuin that nix generates, it will point to the /run/user/1000/secrets/atuin_key file rather than an unsubstituted %r path.
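As an added check (not part of the original post or of sops-nix), the following POSIX shell function reads the generated Atuin config, confirms the key_path value is a real path with no leftover "%r" placeholder, and verifies the secret file exists with the 0400 permissions shown in the ls output above. The config file location and the key name are assumptions based on this post.

```shell
#!/usr/bin/env sh
# Added verification helper (not from the original post). Assumes the
# rendered Atuin config is TOML with a line like:
#   key_path = "/run/user/1000/secrets/atuin_key"

# check_secret_ref CONFIG_FILE KEY
# Prints the path KEY points to and returns:
#   0 if the path exists, contains no literal "%r" and is mode 0400
#   1 if the "%r" placeholder was not substituted
#   2 if KEY is missing, the file is absent, or its mode is not 0400
check_secret_ref() {
  config="$1"; key="$2"
  # Extract the quoted value of KEY from the config file.
  path=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$config" | head -n 1)
  [ -n "$path" ] || { echo "no ${key} in ${config}" >&2; return 2; }
  # The bug this post works around: sops-nix's "%r" left in the path.
  case "$path" in
    *%r*) echo "unsubstituted %r in ${key}: ${path}" >&2; return 1 ;;
  esac
  [ -f "$path" ] || { echo "secret file missing: ${path}" >&2; return 2; }
  # Secret files should be readable by the owner only (mode 0400).
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "400" ] || { echo "unexpected mode ${mode} on ${path}" >&2; return 2; }
  echo "$path"
  return 0
}
```

Run it as `check_secret_ref ~/.config/atuin/config.toml key_path` after a home-manager switch; a non-zero exit means the secret is not wired up the way the module intends.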