Secrets from sops-nix should be per user instead of owned by root, I think #1

Open
opened 2026-05-16 21:31:49 +01:00 by red · 0 comments
Owner

I dislike having to manage configuration for services specifically in two separate places (services user and the host config) and the only reason I do is because of the secrets.

The only thing stopping me having the secrets managed through the sops-nix hm module is the initial private key generation step for first deployment. The user needs a generated private SSH key to generate an age key (ssh-to-age), which I then add as a recipient to any relevant secrets files, then that user can decrypt them and we're off to the races.

But that is a pain: how do I deploy my configuration to create the user, which will also try to decrypt the secrets and fail? More to work out here, maybe I'm just tired.
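For reference, this is what the per-user sops-nix home-manager setup described in the issue looks like; it is an added illustration, not configuration from this repository, and the file paths, the `svc` user name and the secret name are assumptions.

```nix
# home.nix for the services user (assumed name: svc).
# Added example, not taken from red/homelab.
{ config, inputs, ... }:
{
  imports = [ inputs.sops-nix.homeManagerModules.sops ];

  sops = {
    # Encrypted secrets file (assumed path). Its recipients list must contain
    # the age key derived from the user's SSH key, i.e. the output of
    #   ssh-to-age < ~svc/.ssh/id_ed25519.pub
    # added to .sops.yaml, followed by `sops updatekeys secrets/svc.yaml`.
    defaultSopsFile = ./secrets/svc.yaml;

    # Decrypt with the user's own SSH private key instead of a root-owned key.
    # This is the chicken-and-egg: the key must already exist on the host and
    # already be a recipient before the first activation of this config,
    # otherwise decryption (and therefore activation) fails.
    age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];

    # Decrypted at activation, owned by svc (not root), under the user's
    # runtime directory; the service reads it from config.sops.secrets.<name>.path.
    secrets."svc/api-token" = { };
  };
}
```

Until the user's key has been generated and added as a recipient, the secrets block has to be absent (or the secret not declared) for the first deployment to succeed.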

Reference: red/homelab#1