From 22ced0b1e36dbee38377be04bfc4b0a8dba6c48a Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Mon, 6 Apr 2026 22:36:50 +0200
Subject: [PATCH 1/2] sops: fix key path for darwin
---
 darwin/sops.nix | 2 +-
 home/modules/sops.nix | 37 +++++++++++++++++++++++++++++++------
 2 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/darwin/sops.nix b/darwin/sops.nix
index a819347..3ffd153 100644
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@@ -6,7 +6,7 @@
 }:
 {
 sops = {
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
 defaultSopsFile = lib.mkDefault ./secrets.yaml;
 defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
 };
diff --git a/home/modules/sops.nix b/home/modules/sops.nix
index 0e18ffe..183d3cb 100644
--- a/home/modules/sops.nix
+++ b/home/modules/sops.nix
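Review bot: The host-level darwin module now decrypts with a key that lives inside one user's home, `age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";`, with the username hard-coded, while home/modules/sops.nix in the same commit derives that very path from `config.home.username`; the two will drift the moment the account is renamed or a second machine appears. Since the nix-darwin activation presumably reads this file with system privileges, anyone who can write to that user's `Application Support` directory can swap the key the host uses, so the host's secrets are only as protected as that user account and nothing in this hunk checks the file's mode or ownership. I would at least document the trade-off on the line, e.g. `# no host SSH key on darwin: host secrets are decrypted with the admin user's age key — keep it 0600, owned by that user`, and define the path once so both modules reference the same value.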
@@ -1,7 +1,32 @@
-{ inputs, ... }:
 {
- sops = {
- age.keyFile = "/home/user/.age-key.txt"; # must have no password!
- # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
- };
-}
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ homeKeys =
+ if pkgs.stdenv.isDarwin then
+ "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
+ else
+ "/home/${config.home.username}/.config/sops/age/keys.txt";
+in
+lib.mkMerge [
+ {
+ home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
+ sops = {
+ age.keyFile = "/home/user/.age-key.txt"; # must have no password!
+ # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
+ };
+ }
+ # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
+ (lib.mkIf pkgs.stdenv.isLinux {
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ })
+
+ # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
+ (lib.mkIf pkgs.stdenv.isDarwin {
+ sops.age.keyFile = homeKeys;
+ })
+]
From e6b96a9b2a88e4f7471ac9d993e90382c61b6cf5 Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch
Date: Mon, 6 Apr 2026 22:39:49 +0200
Subject: [PATCH 2/2] sops_ update keys for workmac (reencrypt secret)
---
 common/secrets.yaml | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/common/secrets.yaml b/common/secrets.yaml
index 6a9fc8c..233775d 100644
--- a/common/secrets.yaml
+++ b/common/secrets.yaml
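Review bot: On darwin `sops.age.keyFile` receives two definitions at the same priority: the unconditional `age.keyFile = "/home/user/.age-key.txt";` in the first attrset of the `lib.mkMerge` list and `sops.age.keyFile = homeKeys;` in the `lib.mkIf pkgs.stdenv.isDarwin` branch, and as keyFile takes a single path rather than a mergeable list I would expect the module system to reject this as conflicting definition values. Either make the first one a fallback, `age.keyFile = lib.mkDefault "/home/user/.age-key.txt"; # must have no password!`, or drop it and set `sops.age.keyFile = homeKeys;` in the Linux branch too, which the `/home/${config.home.username}/.config/sops/age/keys.txt` arm of `homeKeys` suggests was the intent (otherwise that arm only feeds `home.ensureDirs`). Two documentation nits in the same hunk: both comments refer to a `keyDir` that does not exist in the file (the binding is `homeKeys`), and the darwin comment misspells `decrpytion`. Using `config.home.homeDirectory` would also avoid hand-assembling `/Users/…` and `/home/…` per platform.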
@@ -5,20 +5,29 @@ sops:
 - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v
- TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE
- Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz
- MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy
- 3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRnd4VXRwWXpaK2piQW5C
+ b2xHSlYzb0VzLzJrNlFhanhTa2VScEIxc0RjCkhMSXJvbkR6Z3hUb2NzSmlTSUpJ
+ YWIwMTN3OXNWVi9IczRXK0ppSmtINk0KLS0tIGtHQmg0cnhIR2NkbC9QSzV4aGs2
+ OGs2S295VklPUW1TSlJZWGVqbmJFbmMK42pKH+iTIhkKjgLuEtZamK0vxThXzmET
+ 521yJh5mOaJu7H55Fp+F4TWWjnwVKKqmipJ0k5eMXVoMTldcYWoOhg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFRLdFdOS2UzbWwrNDRu
+ Y0YwRDBkd2lnN1FyR0w1MTNYTldzUndqckNFCnlzSVQvNkx4WDk3RXhWNkdGMjFL
+ bjVsbHJ3VjZqRXFTZE9ma2lCQ2ZXNlkKLS0tIHlCMS8vYUhqMklGbk5oT2dEd2pl
+ MlJLSkt4azdkcW5rOWVIMm1HVW1uazAK45zntYris4tcP26DGCBmjIAIKUxMVrsR
+ mpSTAfK1nt8/UcGft+qqqrAEVzvYooUvBa5vxDsY7qTyAzibP4MFWw==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm
- YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0
- WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54
- S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9
- WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUg1eUFuczJaR29UMyta
+ c0ZiNDNBTkxQSDNIZThhQ3ZUSmc4dGdKTkRjCmtlUTV0d3JkQzJXemxDMFEvM3Qr
+ UVRqdkZ2UDB5MVpva2FhUTlpelN2cjQKLS0tIE1kOVVXRjlFNDhxdC9HTGFjTENh
Zm9Wb1lrSSsvZ2gzVnZ0UnN0cUFVbUUK2Xqn6cjrUxK+ku3LgfbpUt+Vkdv9vEGe
+ R8iG40k2T4RSa53dHwfRG3eg3ubTA8d1NFZ5qUpkmhFPZ5cq89x4ig==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2026-04-05T22:12:29Z"
 mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]