

fix(sops): move forgejo-token to system level to resolve permission denied

The Home Manager sops module cannot access /etc/ssh/ssh_host_ed25519_key (600 root:root). By moving the secret to the system config and setting the owner attribute, the secret is correctly decrypted by root and made available to the user in /run/secrets/.

+15 -11
+4 -9
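--- a/home/default.nix
+++ b/home/default.nix
@@ -334,13 +334,8 @@
 };
 
 # ── Encrypted secrets (sops-nix) ─────────────────────────────────────────
-# Tell the home-manager sops module to decrypt using the host's SSH ed25519
-# key as an age key — same source as the system-level sops in common.nix.
-sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
-sops.secrets."forgejo-user-token" = {
-sopsFile = ../secrets/forgejo-user-token;
-format = "binary";
-path = "${config.home.homeDirectory}/.config/forgejo-user-token";
-};
+# The forgejo-user-token secret is decrypted at the system level (root) in
+# modules/common.nix and placed at /run/secrets/forgejo-user-token.
+# No home-manager sops config is needed — the HM sops service runs as the
+# user and cannot read /etc/ssh/ssh_host_ed25519_key (600 root:root).
 }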
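Review bot: Dropping the `path = "${config.home.homeDirectory}/.config/forgejo-user-token"` entry stops Home Manager from managing that file, but hosts activated before this commit may still hold a plaintext copy of the token at that location, and nothing in the new comment points a maintainer at it. Whether the Home Manager sops module removes a secret file when its declaration disappears is not visible from this hunk, so it is safest to assume it does not. Suggest extending the new comment with `# NOTE: hosts activated before this change may still have a stale copy at ~/.config/forgejo-user-token; remove it by hand.`. The enclosing attribute set starts outside the hunk.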
+9
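--- a/modules/common.nix
+++ b/modules/common.nix
@@ -81,4 +81,13 @@
 # sops-nix: decrypt secrets using the host's SSH ed25519 key as an age key.
 # This key is generated on first boot and lives outside the Nix store.
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+# Forgejo user API token — decrypted at system level (root) so it lands at
+# /run/secrets/forgejo-user-token with user ownership, readable by the
+# home-manager activation script without requiring user-level sops access.
+sops.secrets."forgejo-user-token" = {
+sopsFile = ../secrets/forgejo-user-token;
+format = "binary";
+owner = cfg.user.username;
+};
 }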
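Review bot: The new `sops.secrets."forgejo-user-token"` block sets `owner` but leaves the file mode to sops-nix's default; since the whole point of this change is who may read the token, pin it with `mode = "0400";` so the permission is explicit in the declaration rather than inherited. The comment's claim that the home-manager activation script can read the file is only true under an owner-readable mode, so stating the mode next to the owner keeps comment and code in agreement. `cfg.user.username` is used here but `cfg` is not bound anywhere in the hunk; presumably a `let cfg = …` earlier in the file, worth confirming. It is also worth a comment line that with a non-root owner every process running as that user can read the token from /run/secrets — the same exposure the old home-manager path had, just relocated.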
+2 -2
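--- a/modules/options.nix
+++ b/modules/options.nix
@@ -553,8 +553,8 @@
 };
 userApiTokenFile = mkOption {
 type = nullStr;
-default = null;
-description = "Path to a file containing a Forgejo user API token. Used to list private repos for ~/Developer/Local.";
+default = "/run/secrets/forgejo-user-token";
+description = "Path to a file containing a Forgejo user API token. Used to list private repos for ~/Developer/Local. Defaults to the system sops-decrypted path from modules/common.nix.";
 };
 };
 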
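Review bot: Changing `default` from `null` to a fixed `/run/secrets/forgejo-user-token` means every host that evaluates this module now has a non-null token path whether or not `modules/common.nix` declares the secret, so whatever reads `userApiTokenFile` must treat a missing or unreadable file as "no token" instead of failing; that consumer is not in this hunk, so it is worth checking. A tighter alternative is to keep `default = null;` here and set the value next to the secret declaration, e.g. `<option-prefix>.userApiTokenFile = lib.mkDefault config.sops.secrets."forgejo-user-token".path;` in common.nix (the option prefix is not visible in the hunk), so the option only ever points at a file sops actually produces. The description could also state that the file is readable only by the configured owner, since that is the contract the consumer relies on.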