2024 01 28 how to get sops nix working with home manager modules

hmajid2301 · Jan 28, 2024 · 6887da2 · 6887da2
1 parent c27a050
commit 6887da2
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 5 deletions.
diff --git a/archetypes/post-bundle/index.md b/archetypes/post-bundle/index.md
@@ -6,5 +6,3 @@ tags: []
 cover:
   image: images/cover.png
 ---
-cover:
-  image: images/cover.png
diff --git a/...posts/2024-01-28-how-to-get-sops-nix-working-with-home-manager-modules/index.md b/...posts/2024-01-28-how-to-get-sops-nix-working-with-home-manager-modules/index.md
@@ -0,0 +1,96 @@
+---
+title: How to Get sops-nix Working with home-manager Modules
+date: 2024-01-28
+canonicalURL: https://haseebmajid.dev/posts/2024-01-28-how-to-get-sops-nix-working-with-home-manager-modules
+tags:
+  - sops
+  - home-manager
+  - nix
+cover:
+  image: images/cover.png
+---
+
+## Introduction
+
+In this article, I will go over how to get [sops-nix](https://github.com/Mic92/sops-nix) to work properly with
+home-manager. One issue I noticed was that when I used with home-manager modules/options, I would see a string 
+like "%r/secrets/haseeb/...". The `%r` would not be replaced. 
+
+Relevant Issue: https://github.com/Mic92/sops-nix/issues/28
+
+## Assumption
+
+I will assume you have already setup sops-nix and are using it. In the sense, you have a `.sops.yaml` file and are already
+using it with NixOS. The instructions in the README is mostly pretty clear how to get setup, but I may in future 
+create another article how I set up sops-nix. But in this post, we will simply go over how we can make it work with
+home-manager. I will also assume you are using nix flakes and have passed sops-nix as an input.
+
+## Solution
+
+So I have a file called `home-manager/security/sops.nix` which looks like this:
+
+```nix
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  imports = [
+    inputs.sops-nix.homeManagerModules.sops
+  ];
+
+  sops = {
+    gnupg = {
+      home = "~/.gnupg";
+      sshKeyPaths = [];
+    };
+    defaultSymlinkPath = "/run/user/1000/secrets";
+    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+  };
+
+  home.packages = with pkgs; [
+    sops
+  ];
+}
+```
+
+Where the key bit to making it work is the `default` values here, which tell sops where to mount the secret in tmpfs.
+The temporary file-system where are secrets will be stored in files.
+
+```
+ls -al /run/user/1000/secrets/atuin_key
+
+Permissions Size User   Group Date Modified Name
+.r--------   146 haseeb users 28 Jan 09:26   /run/user/1000/secrets/atuin_key
+```
+
+Other than that, we install sops so we can use the CLI tool to edit our sops files and add secrets. Where I have 
+a `home-manager/secrets.yaml` file for storing all secrets related to home-manager.
+
+### Atuin
+
+So first I do `sops home-manager/secrets.yaml`, and add my Atuin secret encryption key to this file.
+ Having a look at how I use it in one of my modules, say `home-manager/programs/atuin.nix`
+
+```nix
+{
+  config,
+  pkgs,
+  ...
+}: {
+  programs.atuin = {
+    enable = true;
+    settings = {
+      # ...
+      key_path = config.sops.secrets.atuin_key.path;
+    };
+  };
+
+  sops.secrets.atuin_key = {
+    sopsFile = ../secrets.yaml;
+  };
+}
+```
+
+Where we reference this secret in this module. Once this has been built using home manager, if we look at the config
+for Atuin that is generated by nix. It will point to that `/run/user/1000/secrets/atuin_key` file.
diff --git a/flake.lock b/flake.lock
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,5 +6,3 @@ tags: [] @@
     cover:
       image: images/cover.png
     ---
-    cover:
-      image: images/cover.png