Way to generate "real" files in ${HOME} during HM generation (to have correct permissions set)

To get a “quick” result and get ~/.netrc generated by HM I just used

home.file.".netrc" = { ...; target = "${homeDirectory}/.netrc" };

(yes I know about secrets and /nix/store, when I find the time I’ll be diving into agenix)

However, this fails because programs using .netrc refuse to use it because the actual file is root:root 444 (as all store files) and it must be user:... 400 or similar.

  • Is there a way to “generate” the actual file with correct user:mode from HM?
  • Will/can moving to agenix make such things possible?


You can write a script in home.activation that reads some input file and then outputs it to $HOME.

This is also exactly what agenix does. It uses NixOS’ aquivalent of these activation scripts to read an encrypted file, decrypt it with age, and then writes it to /run/secrets.d. The problem is that it’s only implemented for NixOS’ activation scripts, so you can’t use it with home-manaer.

Writing an activation script that does that yourself isn’t terribly hard, though.

An alternative is maybe using systemd's credential features, but I don’t know if it supports user services either, there’s no mention of those in the description. Systemd is quite a bit more paranoid about this, by the way, well worth using over agenix and sops-nix if it’s not too cumbersome.

1 Like

Thanks for the pointers!

I’ll take a look at the attempts you linked and/or write the activation script, as you say at least something like that I should be abe to do in my sleep :wink: (as opposed to actually writing elegant (or merely working) nix modules :laughing: )