'users.users.<name>.descriptionFile' or equivalent

I currently have a NixOS config using flakes and sops-nix, meaning it’s really simple to store my hashed password as a secret with the following:

users.users.<name>.hashedPasswordFile = config.sops.secrets.hashedPassword.path;

I would like to have users.users.<name>.description managed in a similar way, using my full name, as I don’t have it on my public GitHub and would rather not have it uploaded in an unencrypted form. Once I build my OS, I don’t really mind if it ends up in the public nix store or anything.

I was expecting to see some option like users.users.<name>.descriptionFile but there doesn’t seem to be one. As I understand it, using something like builtins.readFile for users.users.<name>.description to read from some file would fail to evaluate by default in a flake because it’s an impure operation. What would be the best course of action here? Is adding something like users.users.<name>.descriptionFile to the spec the correct way forward here or is there a better alternative to achieve this?

1 Like

Easiest solution would be a private repo with a module that sets just that option that you then import from your config. Since you don’t really care about it being encrypted on disk, that should be sufficient?

3 Likes

Thanks! This worked for me. For anyone else who’s wondering, I made a flake in a private repo with a module that contains the “secret” configuration, used it as an input to my nix config with the url as git+ssh://..., then finally put it in the imports of my configuration.nix as inputs.secrets.nixosModules.secrets.

1 Like
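
The layout described in the thread above, sketched as an added example (not the posters' actual files). The user name alice, host name myhost, repository URL, nixpkgs branch and description value are all placeholders, and the three files are shown in one block separated by comment headers.

```nix
# ---- private repo: flake.nix (only reachable over SSH) ----
{
  description = "Private NixOS settings kept out of the public config";

  outputs = { self, ... }: {
    # Module that sets only the option that should stay out of the public repo.
    nixosModules.secrets = { ... }: {
      users.users.alice.description = "Alice Example"; # placeholder values
    };
  };
}

# ---- public repo: flake.nix ----
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # Placeholder URL: fetched with the SSH credentials of whoever builds.
    secrets.url = "git+ssh://git@git.example.com/alice/nixos-secrets.git";
  };

  outputs = { self, nixpkgs, ... }@inputs: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      # Passes `inputs` to every module so configuration.nix can use it.
      specialArgs = { inherit inputs; };
      modules = [ ./configuration.nix ];
    };
  };
}

# ---- public repo: configuration.nix ----
{ inputs, ... }:
{
  imports = [ inputs.secrets.nixosModules.secrets ];
}
```

The public repo's flake.lock records the private input's URL and locked revision, but not the module's contents. On the built system the description is still readable in the Nix store and in /etc/passwd, which matches the requirement stated in the question.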