home-manager: Change defaultSymlinkPath to "<user-home>/.secrets" #530
Conversation
|
Also tried to automate/remove the step of adding service-restart to home-manager by the module as done for darwin. (Can split this out if that's easier/better 🙏🏻) |
|
@mergify queue |
✅ The pull request has been merged automaticallyThe pull request has been merged automatically at a9795d1 |
For anyone with temp-root or having general issues you might need to add this to the sops-nix service, I'm currently traveling and couldn't upstream it so far otherwise sops-nix will fail to create the symlink to the defaultSecretsMountPoint. Sorry for that ✌🏻 |
| @@ -734,7 +734,9 @@ sops-nix also provides a home-manager module. | |||
| This module provides a subset of features provided by the system-wide sops-nix since features like the creation of the ramfs and changing the owner of the secrets are not available for non-root users. | |||
|
|
|||
| Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`. | |||
| And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets` that is located on a tmpfs or similar non-persistent filesystem. | |||
| And instead of decrypting to `/run/secrets`, the secrets are stored decrypted to `$XDG_RUNTIME_DIR/secrets` that is located on a tmpfs or similar non-persistent filesystem. Additionally secrets are symlinked to the user home-directory in the `.secrets`-directory which is used as reference | |||
There was a problem hiding this comment.
-
the secrets are stored decrypted to
$XDG_RUNTIME_DIR/secrets
ls -l $XDG_RUNTIME_DIR/secrets
"/run/user/1000/secrets": No such file or directory (os error 2)
Below it refers to "${config.xdg.configHome}/sops-nix/secrets"
-
Additionally secrets are symlinked to the user home-directory in the
.secrets-directory
Where exactly?
There was a problem hiding this comment.
Sorry need to update this
-
It's
ls -l $XDG_RUNTIME_DIR/secrets.d/and there are folders like e.g. "1" which contains the actual secrets-files. -
this is a left-over from my first proposal and changed later:
Correct is~/.config/sops-nix/secrets- will PR soonTM
will PR soonTM (otherwise if you want/can feel free) 🙏🏻
Motivation for the change: Using the ".path" notation in nix to get the secrets-path for a secret defined in the home-manager module will result in "%r/secret-name" if not specified different / with default config.
This is caused as $XDG_RUNTIME_DIR is not available/not necessarily the same on build-host and when deployed.
As this change only change the location of the symlinks no secrets are leaving the tmpfs or similar non-persistent filesystem.