Sops-nix managing wifi ssid/psk doesn't allow connection

Hi, I am trying to get sops-nix to manage my wifi secrets for a device. It does seem to work if I add the ssid and the psk in plain text in the configuration.

People have gotten it working before but I can't tell what's wrong with mine.

Here is the config snippet for the wireless bit of the networking:

sops.secrets."wifi.env" = {};

networking = {
  hostName = "Hockeypuk";
  wireless = {
    enable = true;
    secretsFile = config.sops.secrets."wifi.env".path;
    networks = {
      "ext:home_ssid" = {
        psk = "ext:home_psk";
      };
    };
  };
};

This is the snippet for the sops initialisation:

{pkgs, inputs, config, ... }:
{
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    validateSopsFiles = false;

    age = {
      sshKeyPaths = [
        "/etc/ssh/ssh_host_ed25519_key"
      ];

      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
    secrets = {
      "wifi.env" = {};
    };
  };
}

The secrets file:

wifi.env: |
  home_ssid=<name of network>
  home_psk=<passkey>

I don't get any error messages in the console related to sops, so that part is working.

I'm thinking that it's got something to do with the order in which the wireless settings get read and implemented versus when sops decrypts the secrets. If this is the case, how would I solve that?

1 Like

Solved it.
Switched from wpa_supplicant to NetworkManager, so now the configuration looks like this:

sops.secrets."wifi.env" = {};

networking = {
  hostName = "Hckypk";
  networkmanager = {
    enable = true;
    ensureProfiles = {
      environmentFiles = [
        config.sops.secrets."wifi.env".path
      ];
      profiles = {
        "home-wifi" = {
          connection.id = "home-wifi";
          connection.type = "wifi";
          wifi.ssid = "$home_ssid";
          wifi-security = {
            auth-alg = "open";
            key-mgmt = "wpa-psk";
            psk = "$home_psk";
          };
        };
      };
    };
  };
};

No idea why NetworkManager works and wpa_supplicant doesn't. Maybe somebody else has the explanation.

1 Like

Hey, I had the same issue but got it to work by converting the password to hex. I ran this command to convert it:

wpa_passphrase 'your-ssid' 'your-password'

This outputs a hex PSK (the line starting with psk=). I stored that hex string in my sops secret file:

networking:
  wifi_psk: "98d2801eb8a3d7a896dbc4724d0501432680e891eae515293e48591c39d7c665"

Now I can use it like this and it's working perfectly:

sops = {
  secrets."networking/wifi_psk" = {
    owner = "root";
    mode = "0400";
  };

  templates."networking/wifi_psk_wpa" = {
    content = ''WIFI_PSK=${config.sops.placeholder."networking/wifi_psk"}'';
    owner = "root";
    mode = "0400";
  };
};

networking.wireless = {
  networks."your-ssid".pskRaw = "ext:WIFI_PSK";
  secretsFile = config.sops.templates."networking/wifi_psk_wpa".path;
};
2 Likes
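The reply above relies on two things the thread otherwise leaves implicit: what wpa_passphrase actually computes (the raw WPA2 PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes, printed as 64 hex characters), and that a pskRaw "ext:NAME" reference must resolve, via the varname=value secrets file, to exactly that hex form rather than a plaintext passphrase. The following is an added example, not code from the thread, sops-nix or NixOS: it derives the PSK the way wpa_passphrase does, parses a secrets file in the format networking.wireless.secretsFile consumes, and resolves an ext: reference while rejecting undefined names and non-hex values. The secrets file content and the passphrase/SSID pair are constructed sample data (the SSID "IEEE" / passphrase "password" pair is the published 802.11i test vector); the function names are my own.

```python
import hashlib
import re

# Constructed sample of the varname=value file that
# networking.wireless.secretsFile points at (not a real network).
SECRETS_FILE_TEXT = """\
# constructed sample secrets file
home_ssid=IEEE
home_psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
"""

# A raw WPA/WPA2 PSK is 32 bytes, i.e. 64 hex characters.
PSK_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the WPA/WPA2 PSK for (ssid, passphrase) as 64 hex chars.

    Same derivation wpa_passphrase performs (IEEE 802.11i):
    PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid_bytes, 4096, dklen=32
    ).hex()


def parse_secrets_file(text: str) -> dict:
    """Parse varname=value lines; blank lines and '#' comments are skipped."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected varname=value")
        name, value = line.split("=", 1)
        secrets[name.strip()] = value.strip()
    return secrets


def resolve_psk_raw(psk_raw: str, secrets: dict) -> str:
    """Resolve a pskRaw value: a literal hex PSK or an ext:NAME reference.

    Raises KeyError for an undefined ext: name and ValueError when the
    resolved value is not a raw 64-hex PSK (e.g. a plaintext passphrase
    stored in the secrets file by mistake).
    """
    value = psk_raw
    if psk_raw.startswith("ext:"):
        name = psk_raw[len("ext:"):]
        if name not in secrets:
            raise KeyError(f"ext:{name} is not defined in the secrets file")
        value = secrets[name]
    if not PSK_HEX_RE.match(value):
        raise ValueError("pskRaw must resolve to a 64-hex-character PSK")
    return value.lower()


def check_network_psk(ssid: str, psk_raw: str, secrets: dict) -> bool:
    """True when psk_raw resolves to a valid PSK for this SSID's config."""
    try:
        resolve_psk_raw(psk_raw, secrets)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    secrets = parse_secrets_file(SECRETS_FILE_TEXT)
    derived = derive_psk("IEEE", "password")
    print("derived PSK matches secrets file:",
          derived == resolve_psk_raw("ext:home_psk", secrets))
    print("plaintext passphrase accepted as pskRaw:",
          check_network_psk("IEEE", "password", secrets))
```

Running the block shows the derived PSK equals the stored hex value and that a plaintext passphrase is refused where a raw PSK is expected, which is the failure mode the hex conversion in the reply above sidesteps.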