Does anyone use sops-nix in their home-manager config and could help me with integrating secret management into it?
My main problem is declaring the variables in the final config (see git.nix below), which I encrypted with sops-nix.
My sops.nix file:

```nix
{
  inputs,
  pkgs,
  config,
  ...
}: {
  imports = [
    inputs.sops-nix.homeManagerModules.sops
  ];

  # Start the sops-nix user service during activation so the decrypted
  # secrets exist under defaultSymlinkPath before later steps use them.
  home.activation.setupEtc = config.lib.dag.entryAfter [ "writeBoundary" ] ''
    /run/current-system/sw/bin/systemctl start --user sops-nix
  '';

  # mbsync reads its secrets from that path, so order it after decryption.
  systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];

  sops = {
    age.keyFile = "/home/tom/.ssh/sops/age/keys.txt"; # must have no password!
    defaultSopsFile = ../secrets/git.yaml;
    # /run/user/1000 is this user's $XDG_RUNTIME_DIR (UID 1000).
    defaultSymlinkPath = "/run/user/1000/secrets";
    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
  };

  home.packages = with pkgs; [
    sops
  ];
}
```
My git.nix file:

```nix
{
  pkgs,
  config,
  inputs,
  ...
}: {
  # format = "yaml" is already the default, and sopsFile already follows
  # defaultSopsFile from sops.nix, so both lines are redundant but harmless.
  sops.secrets.CB_USERNAME = {
    format = "yaml";
    sopsFile = ../secrets/git.yaml;
  };
  sops.secrets.CB_EMAIL = {
    format = "yaml";
    sopsFile = ../secrets/git.yaml;
  };

  programs.git = {
    enable = true;
    # builtins.readFile runs at evaluation time, before activation has
    # decrypted the secret to this path, so it only succeeds when a previous
    # activation already left the file there; and when it does succeed, the
    # plaintext is copied into the world-readable Nix store as part of the
    # generated git config.
    userEmail = (builtins.readFile "${config.sops.secrets."CB_EMAIL".path}"); # not working all the time
    # userName = # Is there an alternative way?
  };
}
```
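As an added example (editor's illustration, not the poster's config), the usual way to avoid `builtins.readFile` here is to let git read the secret itself at runtime: `programs.git.includes` writes only an `[include] path = ...` line into the generated `~/.config/git/config`, so the secret's path is baked in at build time but its contents never enter Nix evaluation or the Nix store. It assumes a key named `git-identity` in `../secrets/git.yaml` whose value is a gitconfig fragment (both the key name and its layout are assumptions); the `[user]` section inside it replaces `userName`/`userEmail`, which home-manager would otherwise write to the same section.

```nix
# Added example, not the original poster's git.nix.
{ config, ... }:
{
  # Assumed layout of ../secrets/git.yaml (before `sops` encrypts it):
  #   git-identity: |
  #     [user]
  #         name = Tom
  #         email = tom@example.com
  # With format = "yaml" (the default) sops-nix extracts the value of the
  # `git-identity` key and writes it, decrypted, to
  # ${defaultSymlinkPath}/git-identity at activation time.
  sops.secrets.git-identity = {
    sopsFile = ../secrets/git.yaml;
  };

  programs.git = {
    enable = true;
    # Only the path string is evaluated by Nix; git resolves the include
    # when it runs, by which time the sops-nix user service has decrypted
    # the file. Nothing secret lands in /nix/store.
    includes = [
      { path = config.sops.secrets.git-identity.path; }
    ];
  };
}
```

After `home-manager switch`, `git config --show-origin user.email` should report the value with its origin at the secret's runtime path rather than at a store path; if it reports nothing, check that `systemctl --user status sops-nix` shows the decryption ran and that `ls -l /run/user/1000/secrets/git-identity` exists and is readable only by the user.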