I’ve had an incredibly frustrating few days with sops-nix, trying to figure out how to use my secrets in a config file so I can auto mount a couple of samba shares.
The secrets are available in /run/secrets, but something like:
```nix
wallyPass = ''$(cat ${config.sops.secrets."wally/password".path})'';
```
just inserts the literal command (according to the generated /etc/fstab):
```
password=$(cat\040/run/secrets/wally/password)
```
The sops-nix documentation suggests that templates are the answer.
```nix
# from configuration.nix
sops = {
  defaultSopsFile = ./secrets/secrets.yaml;
  defaultSopsFormat = "yaml";
  secrets.main-keys = { };
  secrets."wally/username" = {
    owner = "me";
  };
  secrets."wally/password" = {
    owner = "me";
  };
  templates."system/networking.nix".content = ''
    wallyPass="${config.sops.placeholder."wally/password"}"
  '';
};
```
```nix
# system/networking.nix
...
  options = let
    automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,rw,uid=1000";
  in ["${automount_opts},username=me,password=${config.sops.templates."system/networking.nix".content}"];
};
```
The docs say to use the .path attribute, but this again returns the literal “/run/secrets/wally/password”. Using the .content attribute, I get:
```
password=wallyPass="<SOPS:fc28915c29b77b24313xx8324b3xx82165f0be5454bd8f97c56daxx85cc561xx:PLACEHOLDER>"
```
in the generated fstab.
I’m about 5 days into nix, so forgive my ignorance, but I’m out of googles…I think I’m making this harder than it needs to be or have a fundamental misunderstanding of how this works.
I’m using flakes and home-manager, but I’m not sure if that comes into play here.
Any help would be appreciated.
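An added example (not part of the original post, and not code from the sops-nix project): Nix strings are fixed at evaluation time, before sops-nix decrypts anything, so the secret can only ever appear inside the file that a template's `.path` points to, and `mount.cifs` can read such a file through its `credentials=` option. The template name `wally-credentials`, the mount point `/mnt/wally` and the device `//wally.example/share` are assumptions standing in for values the post does not give.

```nix
# Added example: mount a CIFS share with credentials rendered by sops-nix.
# Names marked "assumed" are placeholders, not values from the post.
{ config, ... }:
{
  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";

    # Default ownership (root) is enough here: the template below is
    # rendered by sops-nix itself and read by mount.cifs, which runs as root.
    secrets."wally/username" = { };
    secrets."wally/password" = { };

    # At evaluation time this string holds only <SOPS:...:PLACEHOLDER> markers.
    # sops-nix swaps them for the decrypted values when it writes the file
    # during activation, so the cleartext never enters the Nix store.
    # The layout is the credentials-file format mount.cifs expects.
    templates."wally-credentials".content = ''
      username=${config.sops.placeholder."wally/username"}
      password=${config.sops.placeholder."wally/password"}
    '';
  };

  fileSystems."/mnt/wally" = {            # assumed mount point
    device = "//wally.example/share";     # assumed server and share
    fsType = "cifs";
    options = [
      "x-systemd.automount"
      "noauto"
      "x-systemd.idle-timeout=60"
      "x-systemd.device-timeout=5s"
      "x-systemd.mount-timeout=5s"
      "rw"
      "uid=1000"
      # Only the *path* of the rendered file lands in /etc/fstab;
      # the secret stays in the root-readable file under /run.
      "credentials=${config.sops.templates."wally-credentials".path}"
    ];
  };
}
```

With this layout the generated /etc/fstab contains a `credentials=` path instead of a `password=` value, which keeps the password out of both the world-readable Nix store and fstab.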