Missing secrets with home-manager module on macOS?
What am I missing from using sops-nix's home-manager module on macOS?
# home.nix
{
  ...
  ...
  imports = [ inputs.sops-nix.homeManagerModules.sops ];
  sops = {
    defaultSopsFile = ./secrets/example.yaml;
    defaultSopsFormat = "yaml";
    age = {
      keyFile = "/home/leonardlee/.config/sops/age/key.txt"; # must have no password!
    };
    secrets = {
      example_key = {
        sopsFile = ./secrets/example.yaml;
      };
    };
  };
}
$ cat /Users/leonardlee/.config/sops/age/key.txt
# public key: age1za0k950xvqpefmfgnrtg0vv7zfah7zsfx53vdwlqwmrevfx88pvs9d547x
$
$ cat ./secrets/example.yaml
hello: ENC[AES256_GCM,data:Ogorh8yQrnBeY1hBptd2uDwU1dYLVnWSqkzHpn9ZTKyLkd4H2BZZsFAQ8jxOCA==,iv:VO68U3bjh4ye77pM6fsviKDnF/1ZoHNdo2tdq1mo1vg=,tag:Bz2Se3P0faHzYv5iD3nvsw==,type:str]
example_key: ENC[AES256_GCM,data:yGFIQVDQaCPFpRs7vg==,iv:f9rd7h7/qbG+FjLD/2zJYQ0I6iYg+kXvEikkkFHD+LQ=,tag:uOjxLUVPJoGngG/nMfcCTg==,type:str]
#ENC[AES256_GCM,data:gyFfv/tx23ZDT9B9/QuZvw==,iv:f5j9u3SgS8XeKXNLF0y9Ds/wt1jQ4fBDgwpElHsVpBk=,tag:y5Rb1NBVYaF7L7SwCMFA6g==,type:comment]
example_array:
- ENC[AES256_GCM,data:Dyk8/eUTBgBRnoWCMMg=,iv:5MeYLkWm8hHrL1rPGm7BCS+3i7F/HfG1ENUixqfNSJI=,tag:gzDOv2VHynUDDgpwyKsNQQ==,type:str]
- ENC[AES256_GCM,data:lELlsrqlaLp9hNvt2pM=,iv:BUfCY644IpjoQBHY+aPrOPV7UUfMC05m1gsh2mNieMI=,tag:+WccnK+htgfRErZDkQD3OA==,type:str]
example_number: ENC[AES256_GCM,data:tJCWsn2TkG24dg==,iv:Q5/wCXSs1r/AeVTP5t3vLhzgbO43CTS817kZjhWrY4o=,tag:TIBJdYWlXENq2P2AOqC/vQ==,type:float]
example_booleans:
- ENC[AES256_GCM,data:V4WflQ==,iv:4q6AzquP57hBXFx5V3D20E07IkAADmh2NeSkxXTRDKs=,tag:TrJpMEWAx5l+edmtgxXckQ==,type:bool]
- ENC[AES256_GCM,data:P/6R1jE=,iv:XrWAU/IDqP66zfe/SB1P6QcKbc/xj4dwp/yFcLF3TK4=,tag:0/L2vneyMtVv4Skb/hOuEg==,type:bool]
#ENC[AES256_GCM,data:lEhJBDRkzsgw/1O9XcmzK8g=,iv:+tGxGqqXq948hCs7mWlIEPMyMAzOYnIuDs/vqyJG+M8=,tag:huxPWLUuRh2jTZ7gXxuYLw==,type:comment]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1g97j42ls86c2326dlfqrdxzuw8wn72876tzwu4k73vz2hplte5nqt92rjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybHFqYW9qMUlaUHBpUjNl
ZEw4aFVKck94c2tvaU0xOUFySXZNMy9LWmhjCmc5OEQ3d1c3SERJVXpuVXg2VEZS
ZUFyK1QzQ2d6ckRxek93c3F6dUtpOGMKLS0tIGFxcmtJZnBxWXlnM3U3T280UHZI
WERNaWpqMk1RMHk5eHJBMng3Q0RTS00Khtt5AJgcYqBYBLQ4MkmQyQRJUu2Wm0eM
Njch0YG8tslazxlTwh5JCMDf/bXozNGjaeRYjttcuUzEnBXhJvytdQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m0kmjgwc30rhkfavuw5qnqv9km9r3npagl0ethsjte82qmqtx4esh3zwyl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxaHdVOHp1YWhmNm1oWmJR
OXlCMkVDVjZyMEhrSmFyM0hJcFdRekdZRUh3Ck5uV25aVndnK3Y1cDZ5SExGcVRk
TjJGMHNEV1IyWGgxMzBicVArNXVNQ0UKLS0tIHBuR0R4UHF5bHJsWUdXcVg4cXZl
R2NyTXNvSW9UNGNtUmRDSEpQMm9kNGMKT5Bn3Vn00US/9d/cQZ3dEYAF4G9jmTgR
xf5qMcNQ92DSqiRnTBnW2HKYhCdOKk1CsX0Tgg5pqLZaYYUtrNUODg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-16T11:50:36Z"
mac: ENC[AES256_GCM,data:qhqbH478VO2Y/WubhHjIOxoduMD+YR0H56CB3+xTJBTEQx/5BqqFOtqxZgjxLMei6AdXPCEHlgmqvPL2MjykpjQY3+QeUtiOA6MIRMBSsfMvdLiRq2quGn4V3uLKOH7rSFh77ubICXio/SeLYJ59wYimHuibGEm+AL7Yp6Ke5Ag=,iv:tXHdIALN7VjuJdcOLrDlrqwpDGXz0oexcmcSNSKo8NQ=,tag:djPRcaaWM3z2oCgHYIj+vw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2
$
# my-packages.nix
{ config, pkgs, ... }:
{
  home.packages = with pkgs; [
    sops
    (writeShellScriptBin "echo-example-key" (''
      set -o xtrace # set -x
      ${coreutils}/bin/cat ${config.sops.secrets.example_key.path}
      ${coreutils}/bin/printf "\n%s\n" "--------"
      ${bat}/bin/bat ${config.sops.secrets.example_key.path}
      set +o xtrace
    ''))
  ];
}
$ echo-example-key
+ /nix/store/s2cn7m2bsjssjyhl0xpmzm867qjkcv85-coreutils-9.5/bin/cat /Users/leonardlee/.config/sops-nix/secrets/example_key
cat: /Users/leonardlee/.config/sops-nix/secrets/example_key: No such file or directory
+ /nix/store/s2cn7m2bsjssjyhl0xpmzm867qjkcv85-coreutils-9.5/bin/printf '\n%s\n' --------
--------
+ /nix/store/5q3jij0wd0k455bfan3kxwmlsxha4vvf-bat-0.24.0/bin/bat /Users/leonardlee/.config/sops-nix/secrets/example_key
[bat error]: '/Users/leonardlee/.config/sops-nix/secrets/example_key': No such file or directory (os error 2)
+ set +o xtrace
$ launchctl list | sed --quiet '1p; /nix/p'
PID Status Label
- 1 org.nix-community.home.nix-gc
- 2 org.nix-community.home.gpg-agent
- 1 org.nix-community.home.sops-nix
$
$ launchctl start org.nix-community.home.sops-nix
$
$ log show --predicate 'process == "launchd"' --info --last 5m | sed --quiet --expression='1p' --expression='/sops-nix/p'
Timestamp Thread Type Activity PID TTL
2024-12-17 10:07:43.305712+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix:] internal event: WILL_SPAWN, code = 0
2024-12-17 10:07:43.305721+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix:] service state: spawn scheduled
2024-12-17 10:07:43.305721+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix:] service state: spawning
2024-12-17 10:07:43.305735+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix:] launching: one-shot
2024-12-17 10:07:43.306239+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] xpcproxy spawned with pid 49644
2024-12-17 10:07:43.306252+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] internal event: SPAWNED, code = 0
2024-12-17 10:07:43.306254+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] service state: xpcproxy
2024-12-17 10:07:43.306273+0100 0x10209ca Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] internal event: SOURCE_ATTACH, code = 0
2024-12-17 10:07:43.321192+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] service state: running
2024-12-17 10:07:43.321203+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] internal event: INIT, code = 0
2024-12-17 10:07:43.321211+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] Successfully spawned pvhx531068qmddpr8aif5zb7k33nizpk-sops-nix-user[49644] because one-shot
2024-12-17 10:07:43.372203+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] exited due to exit(1), ran for 66ms
2024-12-17 10:07:43.372214+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] service state: exited
2024-12-17 10:07:43.372220+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] internal event: EXITED, code = 0
2024-12-17 10:07:43.372224+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501 [100020]:] service inactive: org.nix-community.home.sops-nix
2024-12-17 10:07:43.372227+0100 0x1020937 Default 0x0 1 0 launchd: [gui/501/org.nix-community.home.sops-nix [49644]:] service state: not running
$
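Before looking at launchd, it is worth confirming that the sops-nix service could decrypt at all. Two things are visible in the post above: `keyFile` points at `/home/leonardlee/...` while the key was read from `/Users/leonardlee/...`, and the `# public key:` line in `key.txt` matches neither `recipient:` entry in `example.yaml`. The following shell check (an added diagnostic, not part of sops-nix or of this thread; it runs on constructed placeholder files, not real age keys) tests exactly those two conditions for a given key file and sops file:

```shell
#!/bin/sh
# Added diagnostic, not sops-nix code. Cross-checks the age key that
# sops-nix is configured to use against the recipients of a sops file.
# If the key file is unreadable, or its public half is not a recipient,
# the sops-nix user service cannot decrypt and the secret path never appears.

# Public key as age-keygen writes it into key.txt ("# public key: age1...").
age_public_key() {
  sed -n 's/^# public key: *//p' "$1" | head -n 1
}

# age recipients from the "sops:" metadata block ("- recipient: age1...").
sops_age_recipients() {
  sed -n 's/^[[:space:]]*- recipient: *//p' "$1"
}

# Exit status: 0 = key readable and listed as a recipient,
#              1 = key file unreadable (e.g. /home vs /Users path mix-up),
#              2 = key readable but no recipient in the sops file matches it.
check_key_is_recipient() {
  keyfile=$1
  sopsfile=$2
  [ -r "$keyfile" ] || return 1
  pub=$(age_public_key "$keyfile")
  [ -n "$pub" ] || return 2
  sops_age_recipients "$sopsfile" | grep -qx "$pub" && return 0
  return 2
}

# Constructed sample data with placeholder keys (not real age keys).
tmp=$(mktemp -d)
printf '# public key: age1placeholderpub\nAGE-SECRET-KEY-PLACEHOLDER\n' > "$tmp/key.txt"
cat > "$tmp/example.yaml" <<'EOF'
example_key: ENC[AES256_GCM,data:xx==,iv:yy=,tag:zz==,type:str]
sops:
    age:
        - recipient: age1placeholderpub
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1someoneelse
EOF

rc=0; check_key_is_recipient "$tmp/key.txt" "$tmp/example.yaml" || rc=$?
echo "configured key is a recipient: rc=$rc"
rc=0; check_key_is_recipient "$tmp/missing.txt" "$tmp/example.yaml" || rc=$?
echo "wrong keyFile path: rc=$rc"
```

Run it with the real paths from `home.nix` (`keyFile` and `defaultSopsFile`) as the two arguments; a non-zero status explains a `No such file or directory` on the secret path without needing the launchd logs.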
I'm running into the same issue. Did you manage to find a solution? @sheeeng
I'm currently setting up my WSL based on NixOS for work with sops and got a similar issue. When using secrets with home-manager that are dependent on shell/system start, sops with HM won't work, I guess.
I assume this is due to the fact that sops-nix.service is started in the user context (see systemctl status --user sops-nix.service) while home-manager is started by systemd before the user even has a session.
○ home-manager-username.service - Home Manager environment for username
Loaded: loaded (/etc/systemd/system/home-manager-username.service; enabled; preset: ignored)
Active: inactive (dead) since Mon 2025-05-19 09:06:02 CEST; 22min ago
Invocation: 01399c4d56934b78acafe33c49ccfaa1
Process: 262 ExecStart=/nix/store/8axxcgpnr78xkhy46yy2dxf5nwjwswv8-hm-setup-env /nix/store/brb22b87jxqlgxd4pn8ik6f0idfvlw99-home-manager-generation (code=exited, status=0/SUCCESS)
Main PID: 262 (code=exited, status=0/SUCCESS)
IP: 0B in, 0B out
Mai 19 09:06:02 nixos hm-activate-username[262]: No change so reusing latest profile generation
Mai 19 09:06:02 nixos hm-activate-username[262]: Activating installPackages
Mai 19 09:06:02 nixos hm-activate-username[262]: Activating linkGeneration
Mai 19 09:06:02 nixos hm-activate-username[262]: Cleaning up orphan links from /home/username
Mai 19 09:06:02 nixos hm-activate-username[262]: Creating home file links in /home/username
Mai 19 09:06:02 nixos hm-activate-username[262]: Activating onFilesChange
Mai 19 09:06:02 nixos hm-activate-username[262]: Activating reloadSystemd
Mai 19 09:06:02 nixos hm-activate-username[262]: User systemd daemon not running. Skipping reload.
Mai 19 09:06:02 nixos hm-activate-username[262]: Activating sops-nix
Mai 19 09:06:02 nixos hm-activate-username[262]: User systemd daemon not running. Probably executed on boot where no manual start/reload is needed.
This is what systemctl status home-manager-username.service is telling me.
Once I restart the session, all secrets are available.
Not sure if my assumptions are correct and if this applies to you as well.
Perhaps we're missing something.
neededForUsers = true does not work for HM, so perhaps the init secrets need to be moved to the system config (which is a challenge on standalone HM configs).
/edit: readme says:
The secrets are decrypted in a systemd user service called sops-nix, so other services needing secrets must order after it:
{ systemd.user.services.mbsync.unitConfig.After = [ "sops-nix.service" ]; }
https://github.com/Mic92/sops-nix?tab=readme-ov-file#use-with-home-manager
So if secrets are needed on session startup by HM, they have to be defined at system level because HM runs before the user services.
I am running into the same issue. macOS does not use systemd, but home-manager is set to use launchd, so I did some digging. If I run this command to get some info:
launchctl print gui/501/org.nix-community.home.sops-nix
I see that:
last exit code = 78: EX_CONFIG
I am not sure what this might be as the man file for launchctl! Maybe the shell used to run the script is not configured correctly.
Turns out that my issue is not related to this one! 😮