From a9795d1959fe17a38bc901323d25f4e70acef511 Mon Sep 17 00:00:00 2001 From: Sebastian Sellmeier Date: Tue, 16 Apr 2024 17:09:00 +0200 Subject: [PATCH] home-manager: Change defaultSymlinkPath to "/sops-nix/secrets" --- README.md | 4 +++- modules/home-manager/sops.nix | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9cd82a0d..4de1cb7f 100644 --- a/README.md +++ b/README.md @@ -734,7 +734,9 @@ sops-nix also provides a home-manager module. This module provides a subset of features provided by the system-wide sops-nix since features like the creation of the ramfs and changing the owner of the secrets are not available for non-root users. Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`. -And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets` that is located on a tmpfs or similar non-persistent filesystem. +And instead of decrypting to `/run/secrets`, the secrets are stored decrypted to `$XDG_RUNTIME_DIR/secrets` that is located on a tmpfs or similar non-persistent filesystem. Additionally secrets are symlinked to the user home-directory in the `.secrets`-directory which is used as reference +for the `.path` value in nix. Because of that, the home-manager option `home.homeDirectory` is used to determinate the home-directory on evaluation, +this has to be set manually if home-manager is used standalone or on non NixOS systems. Depending on whether you use home-manager system-wide or using a home.nix, you have to import it in a different way. This example shows the `flake` approach from the recommended example [Install: Flakes (current recommendation)](#Flakes (current recommendation)) diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix index ea48ce6c..941df431 100644 --- a/modules/home-manager/sops.nix +++ b/modules/home-manager/sops.nix 
@@ -143,7 +143,7 @@ in { defaultSymlinkPath = lib.mkOption { type = lib.types.str; - default = "%r/secrets"; + default = "${config.xdg.configHome}/sops-nix/secrets"; description = '' Default place where the latest generation of decrypt secrets can be found.
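Review bot: The README hunk does not match the code hunk or the subject line: the added text says secrets are symlinked into the `.secrets`-directory of the user home, while the `sops.nix` change sets the default to `${config.xdg.configHome}/sops-nix/secrets` (i.e. `~/.config/sops-nix/secrets` when `xdg.configHome` is left at its default), and the subject says "/sops-nix/secrets". Please make the README state the actual default, and while editing the sentence fix "determinate" to "determine", "non NixOS" to "non-NixOS", and split the run-on "Additionally secrets are symlinked ... this has to be set manually" into two sentences. It would also help readers to say explicitly that `home.homeDirectory` matters because `xdg.configHome` is derived from it, which is the reason standalone and non-NixOS setups must set it.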
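Review bot: In the `defaultSymlinkPath` hunk the new `default` references `config.xdg.configHome`, so the option should also get a `defaultText` (e.g. `defaultText = lib.literalExpression ''"''${config.xdg.configHome}/sops-nix/secrets"'';`) so that documentation generation does not have to evaluate `config`. The `description` should be updated too: it still reads as if the path were in the runtime directory, whereas the symlink now lives in the persistent config home and only its target is on tmpfs, so after a reboot the link dangles until `sops-nix.service` has run again; stating that, and that `%r/secrets` is no longer the default, would save users who reference the old path in scripts from a silent breakage. Minor: "decrypt secrets" in the description should be "decrypted secrets".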