sops: update keys for workmac (reencrypt secret)

common/nix-settings.nix

@@ -21,7 +21,6 @@ in
   sops = {
     secrets."nix/access-tokens" = {
       owner = "root";
-      group = "users";
       mode = "0440";
       sopsFile = ./secrets.yaml;
     };
@@ -30,7 +29,8 @@ in
         access-tokens = ${config.sops.placeholder."nix/access-tokens"}
       '';
       owner = "root";
-      group = "users";
+      # secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
+      group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
       mode = "0440";
     };
   };

common/secrets.yaml

@@ -5,20 +5,29 @@ sops:
         - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRnd4VXRwWXpaK2piQW5C
-            TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE
+            b2xHSlYzb0VzLzJrNlFhanhTa2VScEIxc0RjCkhMSXJvbkR6Z3hUb2NzSmlTSUpJ
-            Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz
+            YWIwMTN3OXNWVi9IczRXK0ppSmtINk0KLS0tIGtHQmg0cnhIR2NkbC9QSzV4aGs2
-            MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy
+            OGs2S295VklPUW1TSlJZWGVqbmJFbmMK42pKH+iTIhkKjgLuEtZamK0vxThXzmET
-            3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ==
+            521yJh5mOaJu7H55Fp+F4TWWjnwVKKqmipJ0k5eMXVoMTldcYWoOhg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRFRLdFdOS2UzbWwrNDRu
+            Y0YwRDBkd2lnN1FyR0w1MTNYTldzUndqckNFCnlzSVQvNkx4WDk3RXhWNkdGMjFL
+            bjVsbHJ3VjZqRXFTZE9ma2lCQ2ZXNlkKLS0tIHlCMS8vYUhqMklGbk5oT2dEd2pl
+            MlJLSkt4azdkcW5rOWVIMm1HVW1uazAK45zntYris4tcP26DGCBmjIAIKUxMVrsR
+            mpSTAfK1nt8/UcGft+qqqrAEVzvYooUvBa5vxDsY7qTyAzibP4MFWw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUg1eUFuczJaR29UMyta
-            YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0
+            c0ZiNDNBTkxQSDNIZThhQ3ZUSmc4dGdKTkRjCmtlUTV0d3JkQzJXemxDMFEvM3Qr
-            WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54
+            UVRqdkZ2UDB5MVpva2FhUTlpelN2cjQKLS0tIE1kOVVXRjlFNDhxdC9HTGFjTENh
-            S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9
+            Zm9Wb1lrSSsvZ2gzVnZ0UnN0cUFVbUUK2Xqn6cjrUxK+ku3LgfbpUt+Vkdv9vEGe
-            WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q==
+            R8iG40k2T4RSa53dHwfRG3eg3ubTA8d1NFZ5qUpkmhFPZ5cq89x4ig==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2026-04-05T22:12:29Z"
     mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]

darwin/sops.nix

@@ -6,7 +6,9 @@
 }:
 {
   sops = {
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
+    age.sshKeyPaths = lib.mkForce [ ]; # no host keys
+    gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
     defaultSopsFile = lib.mkDefault ./secrets.yaml;
     defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
   };

home/modules/sops.nix

@@ -1,7 +1,32 @@
-{ inputs, ... }:
 {
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  homeKeys =
+    if pkgs.stdenv.isDarwin then
+      "/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
+    else
+      "/home/${config.home.username}/.config/sops/age/keys.txt";
+in
+lib.mkMerge [
+  {
+    home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
     sops = {
       age.keyFile = "/home/user/.age-key.txt"; # must have no password!
       # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
     };
-}
+  }
+  # linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
+  (lib.mkIf pkgs.stdenv.isLinux {
+    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  })
+
+  # darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
+  (lib.mkIf pkgs.stdenv.isDarwin {
+    sops.age.keyFile = homeKeys;
+  })
+]