[Solved] Syncoid with sshkey

Hello,
I want to use an SSH key stored in sops with syncoid. I had to set up a fixed user ‘recvuser’ and give it permissions to the sops password. I also set up a path /home/recvuser/.ssh so ssh can create a known_hosts file.

Unfortunately, systemd gives a warning: Could not create directory '/home/recvuser/.ssh' (No such file or directory).

The config I came up with is as follows:

  users.users.recvuser = {
    isNormalUser = true;
    description = "Syncoid recvuser";
  };

  systemd.tmpfiles.rules = [
    "d /home/recvuser/.ssh 700 recvuser recvuser -"
  ];

  users.groups.recvuser = {};
  users.users.recvuser.group = "recvuser";
  systemd.services.syncoid.serviceConfig.DynamicUser = lib.mkForce false;

  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless" = {};
  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".owner = config.users.users.recvuser.name;
  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".group = config.users.users.recvuser.group;

  services.syncoid = {
    enable = true;
    user = "recvuser";
    group = "recvuser";
    commonArgs = [ "--no-sync-snap" "--recursive" "--recvoptions=ux" ];
    sshKey = config.sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".path;
    interval = "*-*-* *:0/5";
    commands."backup1" = {
      source = "senduser@remoteip:rpool/var/lib";
      target = "tank/backuphetznersfu/var/lib";
      extraArgs = [ "--sshoption=StrictHostKeyChecking=off" ];
    };
  };
  systemd.services.syncoid-backup1.serviceConfig.ProtectHome = lib.mkForce false;
  systemd.services.syncoid-backup1.serviceConfig.ProtectSystem = lib.mkForce false;

The service reports:

Jul 07 03:16:45 nas syncoid[66721]: Could not create directory '/home/recvuser/.ssh' (No such file or directory).
Jul 07 03:16:45 nas syncoid[66721]: Failed to add the host to the list of known hosts (/home/recvuser/.ssh/known_hosts).
Jul 07 03:16:51 nas syncoid[66658]: INFO: no snapshots on source newer than autosnap_2025-07-06_21:00:15_hourly on target. Nothing to do, not syncing.
Jul 07 03:16:51 nas systemd[1]: syncoid-backup1.service: Deactivated successfully.
Jul 07 03:16:51 nas systemd[1]: syncoid-backup1.service: Consumed 1.425s CPU time, 24.3M memory peak, 10.1K incoming IP traffic, 7.8K outgoing IP traffic.

I simplified the config to the following and no longer have the warning:

  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless" = {};
  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".owner = config.users.users.syncoid.name;
  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".group = config.users.users.syncoid.group;

  services.syncoid = {
    enable = true;
    commonArgs = [ "--no-sync-snap" "--recursive" "--recvoptions=ux" ];
    sshKey = config.sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".path;
    commands."backup" = {
      source = "senduser@remoteip:rpool/var/lib";
      target = "tank/backuphetznersfu/var/lib";
    };
  };
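
The log above shows ssh trying to record the sender's host key in a per-user known_hosts file, and the first config sidesteps host verification with StrictHostKeyChecking=off. As an added example (not part of the original post), the simplified config can instead pin the sender's host key declaratively with the NixOS option programs.ssh.knownHosts and make ssh fail closed. Assumptions: the publicKey value is a placeholder, and the syncoid service is able to read the system-wide /etc/ssh/ssh_known_hosts file.

```nix
{ config, ... }:
{
  # Pin the sender's SSH host key system-wide. NixOS renders this into
  # /etc/ssh/ssh_known_hosts, so ssh does not need a writable
  # ~/.ssh/known_hosts for the service user.
  programs.ssh.knownHosts."remoteip" = {
    # PLACEHOLDER: replace with the sender's real host public key, read from
    # /etc/ssh/ssh_host_ed25519_key.pub on the sender itself (a trusted
    # channel), not learned over the connection that is being verified.
    publicKey = "ssh-ed25519 AAAA...PLACEHOLDER...";
  };

  sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless" = {
    owner = config.users.users.syncoid.name;
    group = config.users.users.syncoid.group;
  };

  services.syncoid = {
    enable = true;
    commonArgs = [ "--no-sync-snap" "--recursive" "--recvoptions=ux" ];
    sshKey = config.sops.secrets."ssh_keys/id_ed25519_recvuser_nas_passwordless".path;
    commands."backup" = {
      source = "senduser@remoteip:rpool/var/lib";
      target = "tank/backuphetznersfu/var/lib";
      # Fail closed: refuse the connection when the host key is unknown or
      # differs from the pinned one, instead of accepting whatever is offered.
      extraArgs = [ "--sshoption=StrictHostKeyChecking=yes" ];
    };
  };
}
```

With the key pinned, a changed or unknown host key stops the backup run with an ssh error in the unit's journal rather than being silently accepted.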