
More review fixups

This commit is contained in:
Janne Heß 2022-07-08 23:45:38 +02:00 committed by Pogobanane
parent 8b4048123e
commit 7f38c98162
3 changed files with 6 additions and 8 deletions


@ -741,7 +741,7 @@ This module provides a subset of features provided by the system-wide sops-nix s
Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`.
And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets`.
**Since the secrets are decryted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` if your distribution does not do that.**
**Since the secrets are decrypted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` to avoid storing secrets in plain text on persistent storage. Linux distributions using systemd-logind do that out-of-the-box.**
Depending on whether you use home-manager system-wide or using a home.nix, you have to import it in a different way.
This example show the `channel` approach from the usage example above for simplicity, but all other methods work as well.
@ -768,11 +768,11 @@ The actual sops configuration is in the `sops` namespace in your home.nix (or in
```nix
{
sops = {
age.keyFile = "/home/user/.age-key.txt" ]; # must have no password!
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
# It's alos possible to use a ssh key, but only when it has no password:
#age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
sops.secrets.test = {
sopsFile = ./secrets.yml.enc;
# sopsFile = ./secrets.yml.enc; # optionally define per-secret files
path = "%r/test.txt"; # %r gets replaced with your $XDG_RUNTIME_DIR, use %% to specify a '%' sign
};
};


@ -147,7 +147,7 @@ in {
keyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/var/lib/sops-nix/key.txt";
example = "/home/someuser/.age-key.txt";
description = ''
Path to age key file used for sops decryption.
'';
@ -166,7 +166,6 @@ in {
sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [];
defaultText = lib.literalDocBook "The ed25519 keys from <option>config.services.openssh.hostKeys</option>";
description = ''
Paths to ssh keys added as age keys during sops description.
'';
@ -177,7 +176,7 @@ in {
home = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "/root/.gnupg";
example = "/home/someuser/.gnupg";
description = ''
Path to gnupg database directory containing the key for decrypting the sops file.
'';
@ -186,7 +185,6 @@ in {
sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [];
defaultText = lib.literalDocBook "The rsa keys from <option>config.services.openssh.hostKeys</option>";
description = ''
Path to ssh keys added as GPG keys during sops description.
This option must be explicitly unset if <literal>config.sops.gnupg.sshKeyPaths</literal> is set.
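Review bot: The new `age.keyFile` example on the `-147,7 +147,7` hunk points at a key file in a user's home directory, but the option description right below it does not state the constraint the README change in this same commit spells out ("must have no password"), so a reader of the module docs alone will not learn that a passphrase-protected key is unusable here. I would extend the description to `Path to the age key file used for sops decryption. The key must not be passphrase-protected.` (the wording about the passphrase is inferred from the README hunk, so confirm it matches the decryption path). Separately, the unchanged descriptions in the `-166,7 +166,6` and `-186,7 +185,6` hunks read "during sops description" where "during sops decryption" is evidently meant; since this commit already touches both option blocks, fixing the typo here would be cheap. The `in {` attribute set that encloses these options starts and ends outside the hunks.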


@ -933,7 +933,7 @@ func installSecrets(args []string) error {
if manifest.UserMode {
rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
if !ok {
if opts.checkMode == Off && !ok {
return fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
}
manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
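Review bot: With the relaxed guard on the new `if opts.checkMode == Off && !ok` line, a check-mode run with `XDG_RUNTIME_DIR` unset no longer returns but falls through to `replaceRuntimeDir(manifest.SecretsMountPoint, rundir)` with `rundir == ""`, so the `%r` placeholder is presumably replaced by an empty string and the mount point degenerates to something like `/secrets` (constructed example; I cannot see replaceRuntimeDir from here). If anything later in check mode resolves, validates or reports paths under SecretsMountPoint, it will do so against that wrong location instead of surfacing the missing runtime directory. I would keep the substitution conditional, e.g. `if ok { manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir) }` after the existing error branch, and have check mode emit a warning that the variable is unset rather than passing silently. installSecrets begins and ends outside this hunk, so how SecretsMountPoint is consumed in check mode is not visible here.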