sops_ update keys for workmac (reencrypt secret)

sops: fix key path for darwin
2026-04-06 22:39:49 +02:00 · 2026-04-06 22:36:50 +02:00
2 changed files with 2 additions and 4 deletions
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@ -21,6 +21,7 @@ in
  sops = {
    secrets."nix/access-tokens" = {
      owner = "root";
      group = "users";
      mode = "0440";
      sopsFile = ./secrets.yaml;
    };
@ -29,8 +30,7 @@ in
        access-tokens = ${config.sops.placeholder."nix/access-tokens"}
      '';
      owner = "root";
-      # secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
+      group = "users";
      group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
      mode = "0440";
    };
  };
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@ -7,8 +7,6 @@
 {
  sops = {
    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
    age.sshKeyPaths = lib.mkForce [ ]; # no host keys
    gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
    defaultSopsFile = lib.mkDefault ./secrets.yaml;
    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
  };
Author	SHA1	Message	Date
Trolli Schmittlauch	e6b96a9b2a	sops_ update keys for workmac (reencrypt secret)	2026-04-06 22:39:49 +02:00
Trolli Schmittlauch	22ced0b1e3	sops: fix key path for darwin	2026-04-06 22:36:50 +02:00