Problems setting up sops-nix in home-manager

Does anyone use sops-nix in their home-manager config and could help me with integrating secret management into it?
My main problem focuses on declaring the variables in the final config (see git.nix below), which I encrypted with sops-nix.

My sops.nix file:

{
  inputs,
  pkgs,
  config,
  ...
}: {
  imports = [
    inputs.sops-nix.homeManagerModules.sops
  ];

  home.activation.setupEtc = config.lib.dag.entryAfter [ "writeBoundary" ] ''
    /run/current-system/sw/bin/systemctl start --user sops-nix
  '';

  systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];

  sops = {
    age.keyFile = "/home/tom/.ssh/sops/age/keys.txt"; # must have no password!
   
    defaultSopsFile = ../secrets/git.yaml;

    defaultSymlinkPath = "/run/user/1000/secrets";
    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
  };

  home.packages = with pkgs; [
    sops
  ];
}

My git.nix file:

{ pkgs, 
  config,
  inputs,
  ... 
}:
{
  sops.secrets.CB_USERNAME = {
    format = "yaml";
    sopsFile = ../secrets/git.yaml;
  }; 

  sops.secrets.CB_EMAIL = {
    format = "yaml";
    sopsFile = ../secrets/git.yaml;
  }; 

  programs.git = {
    enable = true;
    userEmail = (builtins.readFile "${config.sops.secrets."CB_EMAIL".path}"); # not working all the time
    userName = # Is there an alternative way?
  }; 

}

I think readFile is not working as you expect. The file you are referring to exists only after the result of the config was applied, but readFile is executed during the evaluation of the config. At least this is how I understand it (still a Nix and even more sops-nix user).

I usually run nixos-rebuild for machine B on machine A using --target-host B. This makes this behavior more apparent.

I don’t see a way to do what you want.
Actually Git - git-config Documentation with sops templates might get you there. Make sure you set the owner or group of the secret to the user that includes it.
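
One way to follow the suggestion in the last reply, as an added example that is not code from the thread or from the sops-nix project: render the identity into a file at activation time and let Git include it, so nothing secret is read during evaluation or written to the Nix store. Assumptions: the installed sops-nix home-manager module provides `sops.templates` and `sops.placeholder`, the reply refers to Git's `include` mechanism, and the template name `git-identity` is hypothetical.

```nix
# Added example: Git identity supplied through a sops-nix template.
{ config, ... }:
{
  # Secrets from the question. sops-nix decrypts them at activation,
  # which is after evaluation, so builtins.readFile cannot see them.
  sops.secrets.CB_USERNAME.sopsFile = ../secrets/git.yaml;
  sops.secrets.CB_EMAIL.sopsFile = ../secrets/git.yaml;

  # Hypothetical template name. During evaluation each placeholder is an
  # opaque token; sops-nix substitutes the decrypted value when it renders
  # the file next to the other runtime secrets.
  sops.templates."git-identity".content = ''
    [user]
      name = ${config.sops.placeholder.CB_USERNAME}
      email = ${config.sops.placeholder.CB_EMAIL}
  '';

  programs.git = {
    enable = true;
    # Only the path of the rendered file ends up in the generated Git
    # config. Git reads the file itself at run time.
    includes = [
      { path = config.sops.templates."git-identity".path; }
    ];
  };
}
```

After activation, `git config user.email` should print the decrypted value while the generated Git config in the store contains only the include path.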