How to install sops-nix on linux-builder?

I am looking to set up my linux-builder instance on a macOS machine with a private key to sign the generated binary cache. I would like the key installed and managed by sops-nix rather than copying it over with rsync and referencing the file path by hand.

Here is the minimal configuration to reproduce the issue:

# flake.nix
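{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    # Pinned in flake.lock like every other input; the darwin host module is
    # taken from it in `modules` below.
    sops-nix.url = "github:Mic92/sops-nix";
    nix-darwin.url = "github:nix-darwin/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
    # ... (other inputs elided)
  };
  # `let <bindings> in <body>`: the original wrote `let { ... }; in`, which does
  # not parse. The bindings are module arguments shared by every configuration.
  outputs = inputs@{ self, nixpkgs, nix-darwin, sops-nix, ... }:
    let
      # Passed to every nix-darwin module, so `inputs.sops-nix` is reachable
      # from configuration.nix without fetching it a second time.
      specialArgs = {
        inherit inputs;
        # ... (other arguments elided)
      };
      extraSpecialArgs = {
        inherit inputs;
      };
    in
    rec {
      darwinConfigurations."f" = nix-darwin.lib.darwinSystem {
        system = "aarch64-darwin";
        inherit specialArgs;
        modules = [
          ./configuration.nix
          # Host-side sops-nix: decrypts secrets on the macOS machine only.
          sops-nix.darwinModules.sops
        ];
      };
    };
}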
# configuration.nix
{ 
  inputs, 
  pkgs, 
  ... 
}:
{
  # Host (nix-darwin) side: the sops-nix darwin module decrypts these secrets on
  # the macOS machine using the age key below.
  sops = {
    defaultSopsFile = ./secrets/default.yaml;
    age = {
      # Decryption key for everything in defaultSopsFile; keep it out of the
      # repository and readable only by the account that runs the activation.
      keyFile = "/path/on/darwin-machine/to/age/key.txt";
    };
    secrets = {
      # Declared for the darwin host, not for the builder VM.
      "builder/private_key" = { };
    };
  };
  nix = {
    linux-builder = {
      enable = true;
      ephemeral = true;
      maxJobs = 4;
      # NixOS module for the builder VM, written as a plain attribute set.
      config = {
        virtualisation = {
          cores = 4;
          darwin-builder = {
            ...
          };
        };
        # `settings` at this level is not a NixOS option (the trace reports
        # "an option that does not exist"); the nix.conf setting is `nix.settings`.
        settings = {
          # `config` is not bound by the argument pattern above, so in the real
          # file it presumably comes from the darwin module arguments, i.e. the
          # host's config rather than the VM's. The trace shows this lookup is
          # what fails with "attribute missing".
          secret-key-files = config.sops.secrets."builder/private_key".path;
        };
      };
    };
  };
}

However, this results in an "attribute missing" error:

# nh darwin switch
...
┃        … while evaluating the option `nix.linux-builder.systems':
┃
┃        … while evaluating definitions from `/nix/store/d13a0wj4pqcsz6a3anwy4p2jy6krfjv9-source/modules/nix/l…
┃
┃        … while evaluating the option `nix.linux-builder.package':
┃
┃        … while evaluating the error message for definitions for `settings', which is an option that does not…
┃
┃        … while evaluating a definition from `/nix/store/2gig690mdka8crca2f0kc33rcsbyixxi-source/machines/fes…
┃
┃        … while evaluating an attribute `secret-key-files`
┃
┃        (stack trace truncated; use '--show-trace' to show the full, detailed trace)
┃
┃        error: attribute '"builder/private_key"' missing
┃        at /nix/store/2gig690mdka8crca2f0kc33rcsbyixxi-source/machines/festoon/configuration.nix:25:30:
┃            24|         settings = {
┃            25|           secret-key-files = config.sops.secrets."builder/private_key".path;
┃              |                              ^
┃            26|         };

I also tried importing sops-nix directly as part of `nix.linux-builder.config`, like this:

# configuration.nix
{
  inputs,
  pkgs,
  config,
  ...
}:
{
  nix = {
    linux-builder = {
      enable = true;
      ephemeral = true;
      maxJobs = 4;
      # Second attempt: sops-nix is imported into the VM's NixOS module itself,
      # but the module is still a plain attribute set.
      config = {
        virtualisation = {
          cores = 4;
          darwin-builder = {
            ...
          };
        };
        imports =
          let
            commit = "3f66a7fb9626a9a9c077612ef10a0ce396286c7d";
          in
          [
            # Pinned by commit and by sha256 (placeholder here); fetchTarball
            # rejects the archive when the hash does not match, so a wrong hash
            # fails the build rather than pulling in unverified code.
            "${
              builtins.fetchTarball {
                url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
                sha256 = "...";
              }
            }/modules/sops"
          ];
        # VM side: the age key is derived from the VM's ssh host key.
        sops = {
          defaultSopsFile = ../../secrets/festoon.yaml;
          age = {
            sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
            generateKey = true;
          };
          secrets = {
            "builder/private_key" = { };
          };
        };
        # Same problem as before: `settings` is not a top-level NixOS option.
        settings = {
          # `config` here is the darwin host's module argument (bound in the
          # pattern above). Its `sops.secrets` presumably does not contain this
          # VM-side secret, hence "attribute missing". The VM's own `config` is
          # only reachable when the module is written as a function.
          secret-key-files = config.sops.secrets."builder/private_key".path;
        };
      };
    };
  };
}

Same result.

By some miracle, I was able to find the “right” configuration. Compared with the attempts above, two things differ: `secret-key-files` is set under `nix.settings` (the trace above reports that a top-level `settings` option does not exist), and `config` is now the argument of the inner module function, i.e. the VM's own configuration, rather than the darwin host's `config`:

# configuration.nix

{
  inputs,
  pkgs,
  config,
  ...
}:
{
  nix = {
    linux-builder = {
      enable = true;
      ...
      # The VM module is a function, so its `config` argument is the VM's own
      # configuration and shadows the darwin host's `config` from the outer
      # pattern. `inputs` and `pkgs` from the outer pattern stay in scope.
      # NOTE(review): the build log below only shows the closure change; whether
      # the secret actually decrypts is only observable inside the VM.
      config = (
        {
          config,
          ...
        }:
        {
          imports =
            let
              # No special reason for this commit; it was the tip of master at
              # the time. Any change here must be paired with a new sha256.
              commit = "3f66a7fb9626a9a9c077612ef10a0ce396286c7d";
            in
            [
              # Pinned by commit and by sha256: fetchTarball fails the build if
              # the hash does not match, so a stale pin is caught, not accepted.
              # NOTE(review): since `inputs` from the outer pattern is still
              # visible here, `inputs.sops-nix.nixosModules.sops` would import
              # the same module pinned by flake.lock instead of a second,
              # hand-pinned copy — confirm the attribute name against the
              # sops-nix flake.
              "${
                builtins.fetchTarball {
                  url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
                  # Placeholder; replace with the real hash before use.
                  sha256 = "0xdeadbeef";
                }
              }/modules/sops"
            ];
          sops = {
            defaultSopsFile = ../../secrets/festoon.yaml;
            age = {
              # The VM derives its age key from this ssh host key.
              # NOTE(review): with `ephemeral = true`, confirm this key is
              # persistent (or provisioned by the builder) across VM restarts;
              # if it is regenerated, the derived age key changes and the
              # secret can no longer be decrypted.
              sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
              generateKey = true;
            };
            secrets = {
              "builder/private_key" = {
                # Decrypted file is owned by the builder user; with sops-nix's
                # default mode only that user and root can read it.
                owner = config.users.users."builder".name;
              };
            };
          };
          virtualisation = {
            ...
          };
          nix = {
            # The NixOS option is `nix.settings`, not a top-level `settings`.
            settings = {
              # Store paths built in the VM are signed with this key; the
              # matching public key must be trusted on the consuming side
              # (e.g. via `nix.settings.trusted-public-keys`).
              secret-key-files = config.sops.secrets."builder/private_key".path;
            };
          };
        }
      );
    };
  };
}

With this configuration, `nh darwin switch` did not complain and sops-nix was installed on the local linux-builder (the closure diff below shows a second copy of `age` and `sops-install-secrets` being added):

# nh darwin switch
...
launchd> building '/nix/store/860ya49z7slm1zcbpx418i1sgfncigzl-launchd.drv'
darwin-system-25.11.c48e> building '/nix/store/5gcj8kvfn8275yqpz76xcs43xyjyq3kl-darwin-system-25.11.c48e963.drv'
┏━ Dependency Graph:
┃                         ┌─ ✔ closure-info
┃                      ┌─ ✔ closure-info
┃                   ┌─ ✔ run-nixos-vm
┃                ┌─ ✔ nixos-vm
┃             ┌─ ✔ run-builder
┃          ┌─ ✔ create-builder
┃       ┌─ ✔ linux-builder-start
┃    ┌─ ✔ org.nixos.linux-builder.plist
┃ ┌─ ✔ launchd
┃ ✔ darwin-system-25.11.c48e963
┣━━━ Builds           │ Downloads        │ Uploads   │ Host
┃        │ ✔ 21 │     │     │      │     │     │     │ localhost
┃        │      │     │     │ ↓  4 │     │     │     │ [1]: https://cache.nixos.org
┃        │      │     │     │ ↓ 12 │     │     │ ↑ 2 │ [2]: ssh-ng://
┗━ ∑ ⏵ 0 │ ✔ 21 │ ⏸ 0 │ ↓ 0 │ ↓ 16 │ ⏸ 0 │ ↑ 0 │ ↑ 2 │ Finished at 20:51:03 after 42s
<<< /run/current-system
>>> /nix/store/59hcixc1bhyg3pvrvvyjfbzql13rp757-darwin-system-25.11.c48e963

CHANGED
[U.] age                  1.2.1 -> 1.2.1 ×2
[U.] cyrus-sasl           2.1.28 -> 2.1.28 ×2
[U.] gnupg                2.4.8 ×2 -> 2.4.8 ×3
[U.] libksba              1.6.7 -> 1.6.7 ×2
[U.] libtool              2.5.4-lib -> 2.5.4-lib ×2
[U.] libusb               1.0.29 -> 1.0.29 ×2
[U.] manifest.json        <none> -> <none> ×2
[U.] openldap             2.6.9 -> 2.6.9 ×2
[U.] sops-install-secrets 0.0.1 -> 0.0.1 ×2

ADDED
[A.] festoon.yaml         <none>

SIZE: 15.5 GiB -> 15.6 GiB
DIFF: 68.5 MiB
...
> Activating configuration
...

While this is technically solved, I would ideally like to keep sops-nix managed through the inputs in flake.nix rather than fetching it again inside this anonymous function (is that the right term for `( ... )` in Nix?) at `nix.linux-builder.config`.

I will wait a week or so for the community to review; otherwise I will mark this as solved.