Fixup review comments

README.md

@@ -741,31 +741,51 @@ This module provides a subset of features provided by the system-wide sops-nix s
 
 Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`.
 And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets`.
+**Since the secrets are decryted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` if your distribution does not do that.**
+
+Depending on whether you use home-manager system-wide or using a home.nix, you have to import it in a different way.
+This example show the `channel` approach from the usage example above for simplicity, but all other methods work as well.
 
-Usage example:
 ```nix
 {
-  # NixOS home-manager configuration
+  # NixOS system-wide home-manager configuration
   home-manager.sharedModules = [
-    /path/to/sops-nix/modules/home-manager/sops.nix
+    <sops-nix/modules/home-manager/sops.nix>
   ];
+}
+```
 
+```nix
+{
   # Configuration via home.nix
   imports = [
-    /path/to/sops-nix/modules/home-manager/sops.nix
+    <sops-nix/modules/home-manager/sops.nix>
   ];
+}
+```
 
-  # Configuration of secrets
+The actual sops configuration is in the `sops` namespace in your home.nix (or in the `home-manager.users.<name>` namespace when using home-manager system-wide):
+```nix
+{
   sops = {
-    age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ]; # must have no password!
+    age.keyFile = "/home/user/.age-key.txt" ]; # must have no password!
+    # It's alos possible to use a ssh key, but only when it has no password:
+    #age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
     sops.secrets.test = {
       sopsFile = ./secrets.yml.enc;
-      path = "%r/test.txt"; # %r gets replaced with your $XDG_RUNTIME_DIR
+      path = "%r/test.txt"; # %r gets replaced with your $XDG_RUNTIME_DIR, use %% to specify a '%' sign
     };
   };
 }
 ```
 
+The secrets are decrypted in a systemd user service called `sops-nix`, so other services needing secrets must order after it:
+```nix
+{
+  systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
+}
+```
+
 ## Use with GPG instead of SSH keys
 
 If you prefer having a separate GPG key, sops-nix also comes with a helper tool, `sops-init-gpg-key`:

pkgs/sops-install-secrets/main.go

@@ -907,6 +907,19 @@ func parseFlags(args []string) (*options, error) {
 	return &opts, nil
 }
 
+func replaceRuntimeDir(path, rundir string) (ret string) {
+	parts := strings.Split(path, "%%")
+	first := true
+	for _, part := range parts {
+		if !first {
+			ret += "%"
+		}
+		first = false
+		ret += strings.ReplaceAll(part, "%r", rundir)
+	}
+	return
+}
+
 func installSecrets(args []string) error {
 	opts, err := parseFlags(args)
 	if err != nil {
@@ -921,13 +934,13 @@ func installSecrets(args []string) error {
 	if manifest.UserMode {
 		rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
 		if !ok {
-			rundir = fmt.Sprintf("/run/user/%d", os.Getuid())
+			return fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
 		}
-		manifest.SecretsMountPoint = strings.ReplaceAll(manifest.SecretsMountPoint, "%r", rundir)
-		manifest.SymlinkPath = strings.ReplaceAll(manifest.SymlinkPath, "%r", rundir)
+		manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
+		manifest.SymlinkPath = replaceRuntimeDir(manifest.SymlinkPath, rundir)
 		var newSecrets []secret
 		for _, secret := range manifest.Secrets {
-			secret.Path = strings.ReplaceAll(secret.Path, "%r", rundir)
+			secret.Path = replaceRuntimeDir(secret.Path, rundir)
 			newSecrets = append(newSecrets, secret)
 		}
 		manifest.Secrets = newSecrets