sops: update keys for workmac (reencrypt secret)

sops: fix config for darwin
2026-04-06 23:19:52 +02:00 · 2026-04-06 23:19:44 +02:00
2 changed files with 4 additions and 2 deletions
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@ -21,7 +21,6 @@ in
  sops = {
    secrets."nix/access-tokens" = {
      owner = "root";
      group = "users";
      mode = "0440";
      sopsFile = ./secrets.yaml;
    };
@ -30,7 +29,8 @@ in
        access-tokens = ${config.sops.placeholder."nix/access-tokens"}
      '';
      owner = "root";
-      group = "users";
+      # secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
      group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
      mode = "0440";
    };
  };
--- a/darwin/sops.nix
+++ b/darwin/sops.nix
@ -7,6 +7,8 @@
 {
  sops = {
    age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
    age.sshKeyPaths = lib.mkForce [ ]; # no host keys
    gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
    defaultSopsFile = lib.mkDefault ./secrets.yaml;
    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
  };
Author	SHA1	Message	Date
Trolli Schmittlauch	de64d0d8d6	sops: update keys for workmac (reencrypt secret)	2026-04-06 23:19:52 +02:00
Trolli Schmittlauch	76d79356c3	sops: fix config for darwin	2026-04-06 23:19:44 +02:00