Sops-nix managed secrets

I’m trying to set up sops-nix to manage secrets for gitlab

I’ve set up flakes, and installed sops-nix through that. I’m on 23.11

Beyond the install/setup guide at the sops-nix repo readme, I’ve also been looking at these guides:

I’ve set up the ./secrets/secrets.yaml. Here’s the relevant section from configuration.nix:

sops = {
  age.keyFile = "/root/.config/sops/age/keys.txt";
  defaultSopsFile = ./secrets/secrets.yaml;
  defaultSopsFormat = "yaml";
};

sops.secrets."gitlab/dbPass" = { };

The last line is the problem. If I comment it out, it builds. If I don’t, I get this:

       … while calling the 'head' builtin

         at /nix/store/dg2g5qwvs36dhfqj9khx4sfv0klwl9f0-source/lib/attrsets.nix:922:11:

          921|         || pred here (elemAt values 1) (head values) then
          922|           head values
             |           ^
          923|         else

       … while evaluating the attribute 'value'

         at /nix/store/dg2g5qwvs36dhfqj9khx4sfv0klwl9f0-source/lib/modules.nix:807:9:

          806|     in warnDeprecation opt //
          807|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          808|         inherit (res.defsFinal') highestPrio;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: getting status of '/nix/store/nqjkmjqsgc7xrac9ywbwgq0a1dvqc6k5-source/secrets/secrets.yaml': No such file or directory

which according to this is supposed to communicate in the most unhelpful way that the option is of the wrong type.

But it’s not?


do you have a .sops.yaml in your Projects root?

This is the minimum you need:

keys:
  - &yourName agePublicKey
creation_rules:
  - path_regex: ^secrets/secrets.yaml$
    key_groups:
      - age:
          - *yourName

also try doing a git add on the file in case you are using flakes, since untracked files won’t be copied into the flake.

Yeah, I have it

It wasn’t added, but it is now, and I get the same error

It shouldn’t be the same error, since nix should at least be able to open the file if you added it to the git index now.

Would you mind sharing the output of running the following command in your project’s root:

nix-shell -p tree --run tree

(just want to verify that all the paths are correct and that there are no typos in there.)

Other than that, try replacing:

-  defaultSopsFile = ./secrets/secrets.yaml;
+  defaultSopsFile = "${./secrets/secrets.yaml}";
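Review bot: the two forms are not quite the same, and neither addresses the error shown. `"${./secrets/secrets.yaml}"` coerces the path to a string, which copies the file into the store as its own store path at evaluation time, while the bare `./secrets/secrets.yaml` passes a path value for the module to resolve. Under a flake, `./` already points into the store copy of the git-tracked source tree, so a file missing from the index is absent in both forms and the `getting status of '...secrets/secrets.yaml': No such file or directory` failure is unchanged; the swap is harmless as a check but is not a fix.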

this should really be the same.

[root@server:/etc/nixos]# nix-shell -p tree --run "tree -a -I .git"
├── configuration.nix
├── flake.lock
├── flake.nix
├── .gitignore
├── gitlab.nix
├── hardware-configuration.nix
├── result -> /nix/store/xy95wam7wk7a4gbwvapjl2j1dllp0f6l-nixos-system-sentech-server-23.05.4853.d4b5a67bbe9e
├── secrets
│   └── secrets.yaml
└── .sops.yaml

2 directories, 8 files

lgtm, I’m probably missing something obvious but this should work.

  • sops is imported correctly (otherwise there would be an error about config.sops.* attributes missing)
  • you have a .sops.yaml with a valid config, otherwise the sops cli wouldn’t work as expected.
  • your nixos sops module config looks correct
  • you are tracking all the relevant files with git
  • there are no typos in the file-names

what am I missing?
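The checklist above as a small script you can run from the flake root, added here as an example and not code from the thread or from sops-nix; it assumes git is on PATH and that path_regex values in .sops.yaml are unquoted or double-quoted:

```shell
#!/bin/sh
# Added consistency check for a sops-nix flake checkout (not code from the thread or sops-nix).
# Run from the flake root:  sh sops-check.sh secrets/secrets.yaml [.sops.yaml]
# Assumes git is on PATH and path_regex values are unquoted or double-quoted.

# Does any creation_rules path_regex in the given .sops.yaml match the secret's
# flake-relative path? sops refuses to encrypt a file that no rule matches.
sops_rule_matches() {
  secret="$1"; rules="$2"; found=1
  patterns=$(mktemp)
  # pull the value of every path_regex: key, stripping optional double quotes
  sed -nE 's/^[[:space:]]*-?[[:space:]]*path_regex:[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' \
    "$rules" > "$patterns"
  while IFS= read -r re; do
    if printf '%s\n' "$secret" | grep -Eq -- "$re"; then found=0; fi
  done < "$patterns"
  rm -f "$patterns"
  return "$found"
}

# A sops-encrypted YAML file carries ENC[...] values plus a top-level sops: metadata block.
secret_is_encrypted() {
  grep -q 'ENC\[' "$1" && grep -q '^sops:' "$1"
}

# Under flakes only git-tracked files are copied into the store copy of the source,
# which is exactly the "No such file or directory" failure mode from the evaluation error.
secret_is_tracked() {
  git ls-files --error-unmatch -- "$1" >/dev/null 2>&1
}

check_secret() {
  secret="$1"; rules="${2:-.sops.yaml}"; ok=0
  if secret_is_tracked "$secret"; then echo "ok:   $secret is tracked by git"
  else echo "FAIL: $secret is not tracked; run: git add $secret"; ok=1; fi
  if sops_rule_matches "$secret" "$rules"; then echo "ok:   a path_regex in $rules matches $secret"
  else echo "FAIL: no path_regex in $rules matches $secret (typo such as yamll?)"; ok=1; fi
  if secret_is_encrypted "$secret"; then echo "ok:   $secret is sops-encrypted"
  else echo "FAIL: $secret has no ENC[...] values or sops: block"; ok=1; fi
  return "$ok"
}

# Only run when given a secret path, so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then check_secret "$@"; fi
```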

You should not get the exact same error. The source directory hash should have changed:

error: getting status of '/nix/store/nqjkmjqsgc7xrac9ywbwgq0a1dvqc6k5-source/secrets/secrets.yaml': No such file or directory

This is splitting hairs, but if that didn’t change, is there any chance you added stuff to the wrong git repo? Can you check the contents of that directory in the store to maybe see what the mismatch is?

The hash has changed, but I get the same error: No such file or directory

If I knew that, I prob wouldn’t be here asking ;)

Is there anything the flake setup can mangle? I’m very new to nix, and only set up flakes for sops … Are there any ‘similar’ flakes I can try to see if they fail in a similar way? Are there any diagnosis/consistency checks I can run?

There are a lot of examples, just take a look at:

Very dumb question, but does the secrets/secrets.yaml exist in your flake and did you remember to git add it?