My nix-darwin and NixOS config
3
fork

Configure Feed

Select the types of activity you want to include in your feed.

chore: update docs

+26 -1
+26 -1
docs/secrets.md
··· 144 144 | `no matching keys` | Secret not encrypted for this key | Add key to `.sops.yaml`, run `sops updatekeys <file>` | 145 145 | `key not found` | Missing `~/.config/age/keys.txt` or host SSH key | Restore key or re-derive host key | 146 146 | `failed to decrypt` | Wrong key or corrupted file | Verify key with `age-keygen --to-public-key` | 147 - | Secret path is empty | sops-nix activation failed | Check `journalctl -b | grep sops` | 147 + | Secret path is empty | sops-nix activation failed | Check `journalctl -b \| grep sops` | 148 + | `attribute '<user>' missing` at eval time | Secret has `owner = "<user>"` but the service uses `DynamicUser` in its systemd unit, so no static entry exists in `config.users.users` | Declare the user/group explicitly (see below) | 149 + 150 + ### DynamicUser services and sops-nix 151 + 152 + Some NixOS services (including `cloudflared`) use systemd's `DynamicUser = true`, which means they do **not** create a static entry in `config.users.users`. sops-nix tries to derive `group` from that attribute at evaluation time and fails with `attribute '<user>' missing`. 153 + 154 + Fix: explicitly declare the user and group alongside the secret: 155 + 156 + ```nix 157 + users.users.cloudflared = { 158 + isSystemUser = true; 159 + group = "cloudflared"; 160 + }; 161 + users.groups.cloudflared = { }; 162 + 163 + sops.secrets."cf-tunnel.json" = { 164 + sopsFile = ../secrets/cf-tunnel.json; 165 + format = "binary"; 166 + owner = "cloudflared"; 167 + group = "cloudflared"; # must be set explicitly — cannot be derived from DynamicUser 168 + mode = "0400"; 169 + }; 170 + ``` 171 + 172 + This pattern is already applied in `modules/cloudflare-tunnel.nix`.