Sops-nix, directory tree access rights

Using sops-nix, NixOS stable 24.11. In secrets.yaml I have this section:

postgres:
    admin_pass: ...
    joplin_pass: ...
    opengist_pass: ...
    gitea_pass: ...
    atuin_pass: ...
...etc...

Then in postgres.nix I have:

  sops.secrets = {
    "postgres/admin_pass"  = { owner = config.users.users.postgres.name; };
    "postgres/joplin_pass" = { owner = config.users.users.postgres.name; };
    "postgres/opengist_pass" = { owner = config.users.users.postgres.name; };
    "postgres/gitea_pass" = { owner = config.users.users.postgres.name; };
  };

Everything was fine until I decided to auto-create/update roles/passwords. So I did:

    while IFS= read -r -d "" file; do
####some processing
    done < <(find /run/secrets/postgres -type f -print0)

However, although user postgres can read individual files, it can’t see the list of files in the /run/secrets/postgres directory!

For now I just added this, but there surely must be a proper way to declare directory access rights in sops-nix?

  systemd.tmpfiles.rules = [
    "d /run/secrets.d/1/postgres 0550 postgres postgres - -"
  ];

Ideas?


Also, is there a way to expose the whole directory, in this case “postgres/”, in one declaration? I also have API keys stored in the same manner, and it’s a pain to expose them in three places.

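The following is an added example, not code from either poster or from the sops-nix project, that addresses both posts above (the non-listable secrets directory, and declaring the whole `postgres/` group once). It sidesteps the directory-listing problem rather than solving it: the list of secret names lives in one Nix list, `sops.secrets` is generated from that list with `lib.genAttrs`, and the same list is handed to the provisioning script, so the script never needs `find` over `/run/secrets/postgres`. Two caveats a practitioner would want: the tmpfiles workaround hardcodes `/run/secrets.d/1`, but sops-nix creates a new numbered generation directory on each activation and repoints the `/run/secrets` symlink, so that rule stops matching after a later rebuild; and the `name -> role` mapping (`joplin_pass` becomes role `joplin`), the service name `postgres-provision-roles`, and the assumption that `psql` can connect over the local socket as the `postgres` user are all mine, not the page's.

```nix
# Added example (not from the original posts or from sops-nix).
# Declares every postgres/* secret from one list and provisions roles
# without ever listing /run/secrets/postgres.
{ config, lib, pkgs, ... }:

let
  # Assumed: the keys that sit under "postgres:" in secrets.yaml.
  # Add a name here and both the secret declaration and the role appear.
  pgSecretNames = [ "admin_pass" "joplin_pass" "opengist_pass" "gitea_pass" "atuin_pass" ];
  pgUser = config.users.users.postgres.name;
in
{
  # One declaration for the group: sops.secrets."postgres/<name>" for each name.
  sops.secrets = lib.genAttrs (map (n: "postgres/${n}") pgSecretNames) (_: {
    owner = pgUser;
    mode = "0400";   # each secret file readable by its owner only
  });

  # Oneshot service (name is an assumption) that runs as postgres after the
  # database is up and receives the secret names explicitly, so the secrets
  # directory itself can stay non-listable.
  systemd.services.postgres-provision-roles = {
    description = "Create/update PostgreSQL roles from sops secrets";
    after = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];
    wantedBy = [ "multi-user.target" ];
    path = [ config.services.postgresql.package ];   # provides psql
    serviceConfig = {
      Type = "oneshot";
      User = pgUser;
    };
    script = ''
      set -euo pipefail
      for name in ${lib.escapeShellArgs pgSecretNames}; do
        # Assumed mapping: "<role>_pass" -> role "<role>".
        role="''${name%_pass}"
        pw="$(cat "/run/secrets/postgres/$name")"
        # Hand the values to psql as variables. :'pw' and :'role' are
        # substituted as properly quoted SQL literals and :"role" as a quoted
        # identifier, so a password containing quotes cannot break the statement
        # and nothing ends up in the argv of a visible process.
        psql -v ON_ERROR_STOP=1 -v role="$role" -v pw="$pw" <<'EOF'
SELECT format('CREATE ROLE %I LOGIN', :'role')
  WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'role') \gexec
ALTER ROLE :"role" WITH PASSWORD :'pw';
EOF
      done
    '';
  };
}
```

The `EOF` terminator and the SQL lines are deliberately at column 0 inside the `''` string: Nix strips only the common indentation, and bash requires the heredoc terminator to start the line. The `WHERE NOT EXISTS ... \gexec` idiom makes the create step idempotent, so the service can be re-run on every rebuild to rotate passwords after `secrets.yaml` changes.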

Yeah, I don’t think there is a way to do directories with SOPS, unfortunately.