sops: fix config for darwin

2026-04-06 22:36:50 +02:00 · 2026-04-06 22:36:50 +02:00 · 76d79356c3
commit 76d79356c3
parent 281ca7ed03
3 changed files with 36 additions and 9 deletions
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@ -21,7 +21,6 @@ in
  sops = {
    secrets."nix/access-tokens" = {
      owner = "root";
-      group = "users";
      mode = "0440";
      sopsFile = ./secrets.yaml;
    };
@ -30,7 +29,8 @@ in
        access-tokens = ${config.sops.placeholder."nix/access-tokens"}
      '';
      owner = "root";
-      group = "users";
+      # secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
+      group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
      mode = "0440";
    };
  };
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@ -6,7 +6,9 @@
 }:
 {
  sops = {
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
+    age.sshKeyPaths = lib.mkForce [ ]; # no host keys
+    gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
    defaultSopsFile = lib.mkDefault ./secrets.yaml;
    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
  };
--- a/home/modules/sops.nix
+++ b/home/modules/sops.nix
@ -1,7 +1,32 @@
-{ inputs, ... }:
 {
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  homeKeys =
+    if pkgs.stdenv.isDarwin then
+      "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
+    else
+      "/home/${config.home.username}/.config/sops/age/keys.txt";
+in
+lib.mkMerge [
+  {
+    home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
    sops = {
      age.keyFile = "/home/user/.age-key.txt"; # must have no password!
      # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
    };
  }
+  # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
+  (lib.mkIf pkgs.stdenv.isLinux {
+    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  })
+
+  # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
+  (lib.mkIf pkgs.stdenv.isDarwin {
+    sops.age.keyFile = homeKeys;
+  })
+]