From 1170bbf857072c3124286114e558eba13b517c4b Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 25 Dec 2025 21:06:56 +0100
Subject: [PATCH] sops: Turn `secretsFile` into an absolute path

---
 flake-parts/sops.nix    |  6 +++---
 modules/system/sops.nix | 10 ++++------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/flake-parts/sops.nix b/flake-parts/sops.nix
index 19772de..52689b7 100644
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops.nix
@@ -10,13 +10,13 @@
 {
   packages.sops-config =
     let
-      adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
+      adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
       mkCreationRule = sopsCfg: {
-        path_regex = sopsCfg.secretsFile;
+        path_regex = self.lib.relativePath sopsCfg.secretsFile;
         key_groups = lib.singleton {
           age = [
-            adminKey
+            adminPublicKey
             sopsCfg.agePublicKey
           ];
         };
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 88661bf..a8f25be 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@@ -7,8 +7,6 @@
 }:
 let
   cfg = config.custom.sops;
-
-  absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in
 {
   imports = [ inputs.sops.nixosModules.sops ];
@@ -20,12 +18,12 @@ in
       default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
     };
     secretsFile = lib.mkOption {
-      type = lib.types.nonEmptyStr;
-      default = "hosts/${config.networking.hostName}/secrets.json";
+      type = lib.types.path;
+      default = "${self}/hosts/${config.networking.hostName}/secrets.json";
     };
     secrets = lib.mkOption {
       type = lib.types.anything;
-      default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
+      default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
     };
   };
 
@@ -34,7 +32,7 @@ in
       age.sshKeyPaths = [
         "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key"
       ];
-      defaultSopsFile = absoluteSecretsPath;
+      defaultSopsFile = cfg.secretsFile;
     };
   };
 }
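Review bot: The creation rule at `path_regex = self.lib.relativePath sopsCfg.secretsFile;` now depends on a helper that is not part of this patch, and nothing here shows what it returns when `secretsFile` does not lie under the flake source — which the new `lib.types.path` option in the second file permits, since any absolute path passes its check. sops matches `path_regex` as a regular expression rather than a literal path, so an unexpected result (an absolute path, or an empty string) would silently change which files the admin and host keys are applied to. Consider documenting the helper's contract at the call site, e.g. `# relativePath must yield a path relative to the flake root; sops interprets it as a regex`, or failing the evaluation when the value is not inside the flake. The `mkCreationRule` definition continues outside the hunk.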
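Review bot: The `secretsFile` option at `type = lib.types.path;` carries no `description`, and the switch from `nonEmptyStr` to `path` changes the contract for overriding configurations: `lib.types.path` rejects values that do not start with `/`, so a host that still sets the old relative form will now fail type-checking instead of being resolved against `${self}` as the removed `absoluteSecretsPath` did. The value is also read at evaluation time via `lib.readFile` (and reused for `defaultSopsFile` in the last hunk), so a path outside the flake source would presumably not be readable under pure flake evaluation — worth stating so the error is understood. Suggested: `description = "Absolute path to the sops-encrypted JSON secrets file; read at evaluation time.";`. The enclosing `options` attribute set starts and ends outside this hunk.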