One reason I haven’t started using flakes is that I haven’t found an explanation of how nix flakes are seen, e.g. where they are meant to be.
I want to start using sops-nix, but I don’t want to have to redo all my config in flakes or however that’s meant to work.
Flakes really aren’t trivial to me. Can I just invoke the rest of my existing nixos config from the flake.nix? Can flakes also be split apart like nixos config?
If you want to use flakes for NixOS config:
If you don’t want to use flakes, use npins to fetch the sops-nix input.
Ok I tried, but it seems my config isn’t compatible with flakes straight away because I’m using home-manager as a nixos module, and when I try to rebuild with that hm nix config file I get this error:
error: in pure evaluation mode, 'fetchTarball' requires a 'sha256' argument
I gotta say I’m really trying, but all this is way too complicated, with people leaving out too many important explanations.
And I can’t believe there is no simpler way to get into secrets management.
Using home-manager was much more straightforward and didn’t require learning a new concept or tool.
You also left out that you’re using home-manager, we’re not mind-readers.
The h-m manual has a section on setting up flakes-based hm config.
Providing home-manager’s sha256 is probably your easiest way out, if you actually want to use flakes.
The reason why it’s necessary is that otherwise you’re not guaranteeing deterministic builds, since the tarball could have changed content.
You can also switch to downloading home-manager via flakes. But it might change your workflow, and there’s quite a few ways to run home-manager already.
You can also install sops-nix without flakes and without other pinning libraries like npins or niv, just using fetchTarball:
{
imports = let
# replace this with an actual commit id or tag
commit = "298b235f664f925b433614dc33380f0662adfc3f";
in [
"${builtins.fetchTarball {
url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
# replace this with an actual hash
sha256 = "0000000000000000000000000000000000000000000000000000";
}}/modules/sops"
];
}
This is probably closer to how you fetch home-manager anyways.
Then you can follow the subsequent sops-nix steps.
I agree that secrets management on Nix is not easy.
I did however find that sops-nix is easier because its readme has well-defined steps and doesn’t assume you’re intimate with gpg, age, or sops for that matter, already.
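As an added example (not from this thread, and not the sops-nix or home-manager project’s own code), here is a flake-free configuration.nix that pins both home-manager and sops-nix with fetchTarball plus sha256, which is the combination the original poster is after. The commit id, the all-zero hashes, the user name `alice`, the secret name and the secrets file path are placeholders and need to be replaced; the option names are the real ones from sops-nix and home-manager.

```nix
# configuration.nix (added example): NixOS + home-manager (as a NixOS module)
# + sops-nix, all pinned, without flakes, npins or niv.
{ config, pkgs, ... }:
let
  # Placeholder revision: replace with the sops-nix commit you want to track.
  sops-nix-rev = "0000000000000000000000000000000000000000";

  # The sha256 values below are deliberate placeholders. Nix refuses to use a
  # tarball whose hash does not match and prints the real hash in its
  # "hash mismatch" error; paste that in. Alternatively compute it up front with
  #   nix-prefetch-url --unpack <url>
  sops-nix = builtins.fetchTarball {
    url = "https://github.com/Mic92/sops-nix/archive/${sops-nix-rev}.tar.gz";
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };

  # Pinning a branch tarball by hash still works, but the hash stops matching
  # as soon as the branch moves; pinning a commit avoids that surprise.
  home-manager = builtins.fetchTarball {
    url = "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };
in
{
  imports = [
    ./hardware-configuration.nix
    "${home-manager}/nixos"      # home-manager's NixOS module
    "${sops-nix}/modules/sops"   # sops-nix's NixOS module
  ];

  # sops-nix: secrets are decrypted at activation time with the host's age key,
  # never at evaluation time, so nothing secret ends up in the Nix store.
  sops.defaultSopsFile = ./secrets/secrets.yaml;   # placeholder path
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";  # host-local private key
  sops.secrets."example_password" = {              # placeholder secret name
    owner = "alice";                               # placeholder user
  };

  home-manager.useGlobalPkgs = true;
  home-manager.users.alice = { ... }: {            # placeholder user
    home.stateVersion = "25.11";
  };
}
```

Both tarballs are fixed-output, so evaluation works the same under `nixos-rebuild` with or without pure evaluation mode, which is exactly what the missing `sha256` argument in the error above was complaining about. Updating either dependency is then an explicit edit of the revision and hash, rather than whatever `master` happened to be at rebuild time.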
I actually went with waffle’s approach and flakes first since I didn’t like the tarball way as described in the sops-nix manual before, but when you said that again I realised I can just make it the way I have it with home-manager.
sops.nix
{ config, pkgs, ... }:
let
  # Fetch the repository as a tarball (the bare repo URL would only download the
  # GitHub HTML page). Unpinned: this follows master on every rebuild, and under
  # pure evaluation (flakes) fetchTarball additionally requires a sha256 argument.
  sops-nix = builtins.fetchTarball "https://github.com/Mic92/sops-nix/archive/master.tar.gz";
in
{
  imports = [
    # sops-nix ships its NixOS module under modules/sops
    "${sops-nix}/modules/sops"
  ];
}
I didn’t want to have to update manually. But just maybe, having a security related tool auto update on master is not the best idea, so I’ll prob actually pin it to a commit anyway.
flake.nix:
{
  description = "system flake";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
  inputs.sops-nix.url = "github:Mic92/sops-nix";
  #inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  # inputs must live under `inputs.`; a top-level `home-manager` attribute is
  # rejected by the flake schema
  inputs.home-manager.url = "github:nix-community/home-manager";
  inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs";
  outputs = { self, nixpkgs, sops-nix, home-manager, ... }: {
    # change `supersecrethostname` to your actual hostname
    nixosConfigurations.supersecrethostname = nixpkgs.lib.nixosSystem {
      # customize to your system
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        sops-nix.nixosModules.sops
        home-manager.nixosModules.home-manager
      ];
    };
  };
}
Since you’re using nixos-25.11 as your nixpkgs branch, you’ll want to use the corresponding branch of home-manager:
inputs.home-manager.url = "github:nix-community/home-manager/release-25.11";