sops: Turn secretsFile into an absolute path

2026-01-21 12:51:34 +01:00 · 2025-12-25 21:06:56 +01:00 · 2025-12-25 21:06:56 +01:00 · 1170bbf857
commit 1170bbf857
parent 21b4e04613
2 changed files with 7 additions and 9 deletions
--- a/flake-parts/sops.nix
+++ b/flake-parts/sops.nix
@ -10,13 +10,13 @@
    {
      packages.sops-config =
        let
-          adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
+          adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
          mkCreationRule = sopsCfg: {
-            path_regex = sopsCfg.secretsFile;
+            path_regex = self.lib.relativePath sopsCfg.secretsFile;
            key_groups = lib.singleton {
              age = [
-                adminKey
+                adminPublicKey
                sopsCfg.agePublicKey
              ];
            };
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@ -7,8 +7,6 @@
 }:
 let
  cfg = config.custom.sops;
  absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in
 {
  imports = [ inputs.sops.nixosModules.sops ];
@ -20,12 +18,12 @@ in
      default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
    };
    secretsFile = lib.mkOption {
-      type = lib.types.nonEmptyStr;
+      type = lib.types.path;
-      default = "hosts/${config.networking.hostName}/secrets.json";
+      default = "${self}/hosts/${config.networking.hostName}/secrets.json";
    };
    secrets = lib.mkOption {
      type = lib.types.anything;
-      default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
+      default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
    };
  };
@ -34,7 +32,7 @@ in
      age.sshKeyPaths = [
        "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key"
      ];
-      defaultSopsFile = absoluteSecretsPath;
+      defaultSopsFile = cfg.secretsFile;
    };
  };
 }