`lib.file.mkOutOfStoreSymlink` + sops-nix broken

malloc · January 30, 2026, 5:41pm

I have been using this configuration to link a sops-nix secret to my home directory:

{ ... }:
{
  home.file."filepath/relative/to/home" = {
    enable = true;
    source = config.lib.file.mkOutOfStoreSymlink config.sops.secrets."my/secret".path;
  };
}

It used to work but lately mkOutOfStoreSymlink would point to a non-existent file:

 ❯ ls -hal ~/.ssh/config.d/festoon
lrwxr-xr-x 1 me staff 84 Jan 29 03:36 /Users/me/filepath/relative/to/home -> /nix/store/8aa11vkkxcfyb41gmfyr0dai3vavhdq5-home-manager-files/filepath/relative/to/home
❯ cat ~/filepath/relative/to/home
cat: /Users/me/filepath/relative/to/home: No such file or directory

I ended up switching to home.file."<name>".text = ''...'' to “fix” it, but I would prefer to not store them in plain text in remote version control system.

Information:

sops-nix @ 2eb9eed7ef48908e0f02985919f7eb9d33fa758f
nixpkgs @ 88d3861acdd3d2f0e361767018218e51810df8a1
nix-darwin @ 0fc4e7ac670a0ed874abacf73c4b072a6a58064b
home-manager @ c37679d37bdbecf11bbe3c5eb238d89ca4f60641

NobbZ · January 30, 2026, 8:20pm

What have you set this to?

And if you go step by step, what do the links resolve to?

The default value for sops.secrets.<name>.path in HM is depending on systemd variable expansion and therefore useless outside of systemd-units.