Access NixOS SOPS Secret via Home Manager

You know, I’m not sure if it’s getting the UID of the builder or the home manager. I would assume it’s getting the UID of the home manager user since I build as root and it’s returning 1000 in my derivation. A simple two-user test should reveal what it’s doing. It all depends on who pkgs.runCommand is run as.

Also I would like to note that from this thread: Home Manager Symlinking Directories - #3 by user2358, you shouldn’t readFile your secret since it would put it in the nix store visible to everyone. Instead you could symlink the file so that permissions are retained.

If I’m reading home-manager/nixos/default.nix at 1e8c62c651242fc685b10efc4a48ab777635fb7f · nix-community/home-manager · GitHub correctly, home-manager sets up a systemd service per user that is run as that user. Perhaps pkgs.runCommand is run during this stage? I’m not super familiar with the build order of nix to know when and who the command is run as. If the command is run as root, then perhaps we can pass in the username to the command? The config.username, or home.username option seems to exist, home-manager/modules/home-environment.nix at 1e8c62c651242fc685b10efc4a48ab777635fb7f · nix-community/home-manager · GitHub. Then run id -u ${username}?
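Added example, not from the thread above or from the home-manager or sops-nix projects: the "don't readFile, symlink instead" pattern from the post, written out as a NixOS module that also carries the home-manager user config. It assumes a sops-nix secret named app_token, a user named alice, and home-manager used as a NixOS module (which is what makes the osConfig argument available); those names are illustrative. Two points the snippet relies on: a pkgs.runCommand derivation is built by the Nix daemon's build user inside the build sandbox, where on Linux that user is presented as uid 1000, so id -u in a derivation tells you nothing about the home-manager user; a home.activation entry, by contrast, runs as that user at switch time, which is the right place for a check that depends on who is running.

```nix
# Added example (not code from the original thread). Assumes: NixOS host with
# sops-nix, a secret called "app_token", a user "alice", and home-manager as a
# NixOS module so that `osConfig` is passed to the user's modules.
{
  # NixOS side: sops-nix decrypts the secret to /run/secrets/app_token at boot,
  # owned by alice and readable only by her. Nothing here touches /nix/store.
  sops.secrets.app_token = {
    owner = "alice";
    mode = "0400";
  };

  home-manager.users.alice = { config, osConfig, lib, ... }: {
    # WRONG: builtins.readFile pulls the plaintext into the home-manager
    # generation, i.e. into the world-readable store, at evaluation time.
    # home.file.".config/app/token".text =
    #   builtins.readFile osConfig.sops.secrets.app_token.path;

    # RIGHT: an out-of-store symlink. The store only ever contains a link to
    # /run/secrets/app_token, so the 0400/alice permissions stay in force.
    home.file.".config/app/token".source =
      config.lib.file.mkOutOfStoreSymlink osConfig.sops.secrets.app_token.path;

    # Runtime check. Activation scripts run as alice (home-manager switch, or
    # the per-user home-manager systemd unit), so `id -u` here is her UID and
    # the readability test reflects the permissions she will actually have.
    home.activation.checkAppToken = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
      target=$(readlink -f "$HOME/.config/app/token")
      case "$target" in
        /nix/store/*)
          echo "refusing: secret resolved into the store: $target" >&2
          exit 1 ;;
      esac
      if [ ! -r "$target" ]; then
        echo "secret $target is not readable by uid $(id -u)" >&2
        exit 1
      fi
    '';
  };
}
```

The activation check is what a two-user test would look like in practice: with the readFile variant, readlink -f lands on a regular file under /nix/store and the script aborts; with the symlink variant it lands on /run/secrets/app_token, and the -r test fails for any user other than the secret's owner.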