Sops-nix templates in config file

I’ve had an incredibly frustrating few days with sops-nix, trying to figure out how to use my secrets in a config file so I can auto mount a couple of samba shares.

The secrets are available in /run/secrets, but something like:

wallyPass = ''$(cat ${config.sops.secrets."wally/password".path})'';

just inserts the literal command (according to the generated /etc/fstab):


The sops-nix documentation suggests that templates are the answer.

  # from configuration.nix
  sops = {
   defaultSopsFile = ./secrets/secrets.yaml;
   defaultSopsFormat = "yaml";
   secrets.main-keys = { };
   secrets."wally/username" = {
     owner = "me";
    secrets."wally/password" = {
      owner = "me";
    templates."system/networking.nix".content = ''
   options = let
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,rw,uid=1000";

      in ["${automount_opts},username=me,password=${config.sops.templates."system/networking.nix".content}"];

The docs say to use the .path attribute, but this again returns the literal “/run/secrets/wally/password”. Using the .content attribute, I get:


in the generated fstab.

I’m about 5 days into nix, so forgive my ignorance, but I’m out of googles…I think I’m making this harder than it needs to be or have a fundamental misunderstanding of how this works.

I’m using flakes and home-manager, but I’m not sure if that comes into play here.

Any help would be appreciated.

You can’t insert just a password into a configuration file. You can either create an entire file using the .path way and have all the values in that file contained in your secrets file OR you can create a template in your configuration for a complete file and fill in the secret values using the template and placeholder idea. For either way, the service configuration option needs to be able to accept a file path.

For example - .path way. For the traefik systemd service you can set the path to a file containing the cloudflare DNS API token: = {
      mode = "0440";
      owner =;
      group =;
    }; = {
      CF_DNS_API_TOKEN_FILE = "${}";

# in secrets.yaml
cf-api-token: r-sty67lkljkwhret678734hjkdjshsdf

Another example of creating an entire file using the secrets file and .path would be setting a bunch of mail server variables in an environment file for vaultwarden:

sops.secrets.vaultwarden-env = {};
services.vaultwarden = {
  enable = true;
  environmentFile = "${config.sops.secrets.vaultwarden-env.path}";
# In secrets.yml
vaultwarden-env: |

For my desktops where I want to generate a wireguard config file to import with networkmanager, I use a sops template which generates the entire file /etc/wireguard/wg0.conf:

sops.secrets.wg-private-key = {};
  sops.secrets.wg-preshared-key = {};
  sops.secrets.wg-address = {};
  sops.secrets.wg-allowed-ips = {};
  sops.templates."wg0.conf" = {
    content = ''
      Address = ${config.sops.placeholder.wg-address}
      ListenPort = 51820
      PrivateKey = ${config.sops.placeholder.wg-private-key}
      DNS =

      # pfsense
      PublicKey = gPdBkk+fw4z7YHjp7C1Hyy6f+jY7433E/RJu+aJ2w&ahj=
      PresharedKey = ${config.sops.placeholder.wg-preshared-key}
      AllowedIPs = ${config.sops.placeholder.wg-allowed-ips}
      Endpoint =
      PersistentKeepalive = 25
    path = "/etc/wireguard/wg0.conf";

I’m sorry I can’t explain it better, but I think this is why you can’t just use the contents of the secret and have to use the whole file.

Good luck!

Thank you so much! I ended up using a systemd service to generate the samba credentials file and that works for this case. Your post will help for the rest. Thanks again for the help. Much appreciated.