# NixOS module: enables sops-nix, declares the secrets this host decrypts at
# activation time, and adds a boot-time unit that re-runs activation so the
# secrets exist even when the age key lives on a separately mounted subvolume.
{ pkgs, inputs, config, userDetails, ... }:
let
  # Private age identity used to decrypt `defaultSopsFile`.
  # Anyone who can read this file can decrypt every secret encrypted to it,
  # so it should be owned by root with mode 0600 and excluded from backups
  # or snapshots that leave the machine.
  # NOTE(review): assumes userDetails.home.root is root's home directory; confirm.
  ageKeyFile = "${userDetails.home.root}/.config/sops/age/keys.txt";

  # Units that read decrypted secrets and therefore must start only after the
  # re-activation below has finished. Add every new secret consumer here.
  secretConsumers = [
    "wpa_supplicant.service"
  ];
in
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  # Encrypted source of truth; only ciphertext is committed to the repository.
  sops.defaultSopsFile = ./resources/secrets/secrets.yaml;
  sops.defaultSopsFormat = "yaml";
  sops.age.keyFile = ageKeyFile;

  # Empty attrsets take the sops-nix defaults (root-owned, mode 0400).
  sops.secrets."wpa_supplicant-conf" = { };
  # NOTE(review): if this secret feeds users.users.root.hashedPasswordFile,
  # sops-nix documents `neededForUsers = true` for that use. The consumer is
  # not visible in this file, so confirm before changing.
  sops.secrets."hashed-root-password" = { };

  # Workaround: when the age key sits on a separate subvolume, the secrets may
  # not be decryptable during the normal boot-time activation. This unit runs
  # the activation script again, and is ordered before the secret consumers.
  # NOTE(review): a persistently failing activation (for example a missing key
  # file) is retried every 10 seconds; watch this unit's status and journal so
  # a restart loop does not go unnoticed.
  systemd.services.npcnix-force-rebuild-sops-hack = {
    wantedBy = [ "multi-user.target" ];
    before = secretConsumers;

    serviceConfig = {
      Type = "oneshot";
      ExecStart = "/run/current-system/activate";
      # on-failure is used because the unit is a oneshot.
      Restart = "on-failure";
      RestartSec = "10s";
    };
  };
}