Sops failing to start

I'm trying to configure sops, but it fails to start.

❯ systemctl --user status sops-nix.service
○ sops-nix.service - sops-nix activation
     Loaded: loaded (/home/felipepinto/.config/systemd/user/sops-nix.service; enabled; preset: ignored)
     Active: inactive (dead) since Thu 2025-02-20 13:07:42 WET; 29min ago
 Invocation: 8e8e503234044545a586ba41acfab11e
    Process: 2005 ExecStart=/nix/store/lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user (code=exited, status=1/FA>
   Main PID: 2005 (code=exited, status=1/FAILURE)
   Mem peak: 25.6M
        CPU: 19ms

fev 20 13:07:42 gmktecK8 systemd[1985]: Starting sops-nix activation...
fev 20 13:07:42 gmktecK8 lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user[2005]: generating machine-specific age key...
fev 20 13:07:42 gmktecK8 lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user[2013]: /nix/store/wdap4cr3bnm685f27y9bb6q5b6q18msl-coreutils-9.5/bin/mkdir: cannot create directory ‘/var/lib/sops-nix’: Permission denied
fev 20 13:07:42 gmktecK8 lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user[2020]: age-keygen: error: failed to open output file "/var/lib/sops-nix/key.txt": open /var/lib/sops-nix/key.txt: no such file or directory
fev 20 13:07:42 gmktecK8 lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user[2020]: age-keygen: report unexpected or unhelpful errors at https://filippo.io/age/report
fev 20 13:07:42 gmktecK8 lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user[2029]: Cannot read ssh key '/etc/ssh/ssh_host_ed25519_key': open /etc/ssh/ssh_host_ed25519_key: permission denied
fev 20 13:07:42 gmktecK8 lp7lnzws9sl3k6ysqk30y5xv89a256fh-sops-nix-user[2029]: /nix/store/5l7m96290y8546fx7803i23v4lldfwd9-sops-install-secrets-0.0.1/bin/sops-install-secrets: cannot read keyfile '/var/lib/sops-nix/key.txt': open /var/lib/sops-nix/key.txt: no such file o>
fev 20 13:07:42 gmktecK8 systemd[1985]: sops-nix.service: Main process exited, code=exited, status=1/FAILURE
fev 20 13:07:42 gmktecK8 systemd[1985]: sops-nix.service: Failed with result 'exit-code'.
fev 20 13:07:42 gmktecK8 systemd[1985]: Failed to start sops-nix activation.

I configured sops like this:

{ lib, config, inputs, pkgs, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  options.modules.security.sops.enable =
    lib.mkEnableOption "enable sops module";

  config = lib.mkIf config.modules.security.sops.enable {
    environment.systemPackages = [ pkgs.sops ];
    sops = {
      defaultSopsFormat = "yaml";
      # A path literal (e.g. ../../../secrets/secrets.yaml) copies the
      # secrets file into the Nix store; a string with the absolute path
      # avoids that.
      defaultSopsFile = "/root/.sops/secrets/secrets.yaml";
      # defaultSopsFile = ./secrets/example.yaml;
      # This will automatically import SSH keys as age keys
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      # This is using an age key that is expected to already be in the filesystem
      age.keyFile = "/var/lib/sops-nix/key.txt";
      # This will generate a new key if the key specified above does not exist
      age.generateKey = true;
    };
  };
}

Do you have ssh enabled? Does it use/create the key you want to use in sops?

I do in my NixOS configuration, or at least I believe I do? How should I check?
This is my openssh.nix module:

{ lib, config, ... }:
{
  options.modules.security.openssh.enable =
    lib.mkEnableOption "enable openssh module";
  config = lib.mkIf config.modules.security.openssh.enable {
    services.openssh = {
      enable = true;
      startWhenNeeded = true; # systemd will start an instance for each incoming connection
      settings.PermitRootLogin = "no";
      settings.PasswordAuthentication = false; # require public key authentication
      hostKeys = [
        {
          comment = "${config.networking.hostName}.local";
          path = "/etc/ssh/ssh_host_ed25519_key";
          rounds = 64;
          type = "ed25519";
        }
      ];
    };
  };
}

Just to make sure: you enabled that module in your config as well, right?

Can you check if the key file exists on your system?

Yup, the host SSH key is there alright. And yeah, I double-checked the module in my config, it's enabled.

Oh, I did not read the error carefully enough. It complains that you don't have permission to access the SSH keys.

Are you using a standalone home-manager config?

Yeah, I am using the standalone one.
I made sure to add my personal home key to the .sops.yaml file.

Then you can't use the SSH keys (at least not the system ones) for decryption. That only works when you use it as a NixOS home-manager module, because the activation script is run as root.

You should then use your user's age key as stated in the documentation: GitHub - Mic92/sops-nix: Atomic secret provisioning for NixOS based on sops

I tried to follow that though. I have both my computer's host key that was generated and my personal SSH key, both converted to age, added to the .sops.yaml file. They should both be able to decrypt files, no?

But you are using the global ones, which are only readable (or writable, in the case of the age key) by root. If you are using standalone home-manager, you should use ones that are readable by your user, like in the example of the documentation I posted above:

age.keyFile = "/home/user/.age-key.txt"; # must have no password!

Oh, I think I understand. OK, so how should I do this?
How can I configure it so that NixOS can use the host key to decrypt its secrets and home-manager can use its home key to decrypt its own secrets?

You need to configure them separately. In the NixOS configuration you should be able to use the above configuration.

In your home-manager configuration you then need to reference just the key in your user's home directory.
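As an added example (not part of the original thread, and not sops-nix's own code), here is what the "configure them separately" split looks like: one module for NixOS, whose activation runs as root and can therefore read the host SSH key, and one for standalone home-manager, whose activation runs as the user and can therefore only use a key the user can read. The secret names, the home-manager secrets file path and the `~/.config/sops/age/keys.txt` location are assumptions for illustration; the host-key and `/var/lib/sops-nix/key.txt` settings are the ones from the original post.

```nix
# Two separate sops-nix configurations. Import `nixos` from your NixOS
# configuration and `home` from your standalone home-manager configuration.
{
  # NixOS side: runs as root during activation, so the root-only host key
  # and /var/lib/sops-nix are readable here.
  nixos = { inputs, ... }: {
    imports = [ inputs.sops-nix.nixosModules.sops ];
    sops = {
      defaultSopsFormat = "yaml";
      defaultSopsFile = "/root/.sops/secrets/secrets.yaml";
      # Host SSH key, converted to age on the fly (root can read it).
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      age.keyFile = "/var/lib/sops-nix/key.txt";
      age.generateKey = true;
      # Assumed secret name; NixOS exposes it under /run/secrets/.
      secrets.example-system-secret = { };
    };
  };

  # Standalone home-manager side: runs as your user, so it must NOT point at
  # /etc/ssh or /var/lib/sops-nix. Use an unencrypted age key in $HOME.
  home = { inputs, config, ... }: {
    imports = [ inputs.sops-nix.homeManagerModules.sops ];
    sops = {
      defaultSopsFormat = "yaml";
      # Assumed path for the user's own secrets file.
      defaultSopsFile = "${config.home.homeDirectory}/.sops/secrets/home.yaml";
      # Created with: age-keygen -o ~/.config/sops/age/keys.txt
      # Must have no passphrase, since nothing can prompt for it at activation.
      age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
      # Assumed secret name; available at config.sops.secrets.<name>.path.
      secrets.example-user-secret = { };
    };
  };
}
```

Both recipients still need to be listed in `.sops.yaml`: the host's age recipient comes from `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`, and the user's from the public key that `age-keygen -o ~/.config/sops/age/keys.txt` prints. Files encrypted to both recipients can then be decrypted by either side, but each activation script only ever reads the key file that its own user is allowed to read, which is exactly the permission check that was failing in the original log.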