From 76d79356c3b223624cbf873276e9025427b099c8 Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Mon, 6 Apr 2026 22:36:50 +0200
Subject: [PATCH] sops: fix config for darwin
---
 common/nix-settings.nix | 4 ++--
 darwin/sops.nix | 4 +++-
 home/modules/sops.nix | 37 +++++++++++++++++++++++++++++++------
 3 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/common/nix-settings.nix b/common/nix-settings.nix
index 1cd0aed..3f7fcba 100644
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@@ -21,7 +21,6 @@ in
 sops = {
 secrets."nix/access-tokens" = {
 owner = "root";
- group = "users";
 mode = "0440";
 sopsFile = ./secrets.yaml;
 };
@@ -30,7 +29,8 @@ in
 access-tokens = ${config.sops.placeholder."nix/access-tokens"}
 '';
 owner = "root";
- group = "users";
+ # secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
+ group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
 mode = "0440";
 };
 };
diff --git a/darwin/sops.nix b/darwin/sops.nix
index a819347..5692f9e 100644
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@@ -6,7 +6,9 @@
 }:
 {
 sops = {
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
+ age.sshKeyPaths = lib.mkForce [ ]; # no host keys
+ gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
 defaultSopsFile = lib.mkDefault ./secrets.yaml;
 defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
 };
diff --git a/home/modules/sops.nix b/home/modules/sops.nix
index 0e18ffe..183d3cb 100644
--- a/home/modules/sops.nix
+++ b/home/modules/sops.nix
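Review bot: Dropping `group = "users"` from the `nix/access-tokens` secret while keeping `mode = "0440"` leaves the group at the sops-nix default, so the raw secret is presumably readable only by root's group and only the rendered template in the next hunk is shared with users. That asymmetry looks intentional but is undocumented, and a later edit could easily re-widen it; a one-line comment on the secret would pin it down, e.g. `# group left at the module default: only the rendered template below needs to be user-readable`.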
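Review bot: On darwin the rendered template becomes group-readable by `localaccounts`, which as far as I know contains every local account including service accounts, so the access token is exposed more broadly than the Linux `users` group the new comment describes. If only interactive users run the nix client, a narrower group (for example `admin`, or a dedicated group) would limit who can read the token; at minimum the comment should note that `localaccounts` is wider than `users`. The conditional also relies on `pkgs` being among the module's arguments, which is outside the hunk.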
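Review bot: The system-wide age key is now read from `/Users/os/Library/Application Support/sops/age/keys.txt`, a path inside one user's home, so that account controls the key that decrypts every system secret and the root-run activation follows a user-writable directory. A root-owned location would keep the system key out of the user's trust domain, e.g. `age.keyFile = "/var/root/.config/sops/age/keys.txt";` (example path, adjust to the repo's conventions), and the hard-coded username `os` diverges from the home module in this same patch, which derives its path from `config.home.username`. A short comment on why `lib.mkForce [ ]` (rather than a plain assignment) is required for both `sshKeyPaths` options would also help the next reader.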
@@ -1,7 +1,32 @@
-{ inputs, ... }:
 {
- sops = {
- age.keyFile = "/home/user/.age-key.txt"; # must have no password!
- # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
- };
-}
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ homeKeys =
+ if pkgs.stdenv.isDarwin then
+ "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
+ else
+ "/home/${config.home.username}/.config/sops/age/keys.txt";
+in
+lib.mkMerge [
+ {
+ home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
+ sops = {
+ age.keyFile = "/home/user/.age-key.txt"; # must have no password!
+ # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
+ };
+ }
+ # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
+ (lib.mkIf pkgs.stdenv.isLinux {
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ })
+
+ # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
+ (lib.mkIf pkgs.stdenv.isDarwin {
+ sops.age.keyFile = homeKeys;
+ })
+]
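Review bot: `sops.age.keyFile` is defined twice on darwin — once as the literal `"/home/user/.age-key.txt"` in the unconditional attrset and again as `homeKeys` in the `mkIf pkgs.stdenv.isDarwin` block — and since neither definition carries a priority, evaluation should fail with a conflicting-definition error; on Linux the literal wins, so the `0700` directory created via `home.ensureDirs` for `homeKeys` is not where the key is actually read, and the hard-coded `user` ignores `config.home.username`. Replacing the literal with `age.keyFile = homeKeys; # must have no password!` and dropping the darwin-only block fixes both platforms in one place. The Linux block's stated assumption that the home-manager user can read `/etc/ssh/ssh_host_ed25519_key` only holds if that private key's permissions have been loosened beyond the usual root-only default, which also hands the host identity key to that user; the comment should say so explicitly. The darwin comment also has a typo, `decrpytion`.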