As home-manager does not restart the `sops-nix` unit automatically,
a snippet to instruct home-manager to do so is added.
Home-manager could be instructed to restart the user service from the
sops-nix home-manager module instead. Usually home-manager restarts
units which changed. Since the sops-nix unit does not change when
secrets change, this does not trigger automatically.
There are two options:
- let sops-nix home-manager module compute a chained hash over all
secrets and place it inside the unit file, so it changes every time
the secrets change
- use X-SwitchMethod and X-Restart-Triggers
See nix-community/home-manager#3865
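As an added illustration of the first option above (chaining a hash over all secrets into the unit file so that it changes whenever a secret does), here is a home-manager module snippet. It is not code from sops-nix or from the commit author; it assumes that `config.sops.secrets` is an attribute set whose values carry a `sopsFile` path (as the sops-nix home-manager module exposes), and that home-manager passes `[Unit]` keys through to sd-switch, which honours the `X-Restart-Triggers` key named in the message.

```nix
# Added example, not the sops-nix module's own code.
# Assumptions: config.sops.secrets.<name>.sopsFile points at each encrypted
# file, and home-manager hands the [Unit] section to sd-switch unchanged.
{ config, lib, ... }:
let
  # Hash every encrypted secret file at evaluation time.
  secretHashes = lib.mapAttrsToList
    (_: secret: builtins.hashFile "sha256" secret.sopsFile)
    config.sops.secrets;

  # Chain the per-file digests into one string and hash again, so a change
  # to any single secret changes the final digest.
  chainedHash = builtins.hashString "sha256"
    (lib.concatStringsSep "\n" secretHashes);
in
{
  # Embedding the digest in the unit file makes the generated unit differ
  # on every secret change, which is what makes home-manager restart it.
  systemd.user.services.sops-nix.Unit.X-Restart-Triggers = [ chainedHash ];
}
```

Only the encrypted ciphertext is hashed here, so the digest reveals nothing that the repository does not already contain; the point is purely to give the switch a changed unit to act on. Editing a secret in place, adding one, or removing one all alter the chained digest, while an unrelated rebuild leaves it stable and the unit untouched.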
Add home-manager usage example that is in line with the current recommended sops-nix installation approach. The required import path is substantially different from that of the other example, which has been retained.
This line is left over from a set of instructions that were previously incorporated into an early console example under "you can generate yourself a key:" above.
A couple notes that tripped me up when initially trying this. I hope they can help make future journeys smoother :)
- Getting the syntax of `.sops.yaml` wrong can cause vague errors when it comes to encrypting secrets files.
- `path_regex` needs to include all file extensions that you intend to encrypt. `sops` supports YAML, JSON, ENV, INI and binary files, so suggesting that those be picked up by default seems sensible. Personally, I had trouble figuring out why `sops` wouldn't accept my `.env` file - again with a confusing error message.
The required code in nixpkgs was reverted so we should not advertise a
feature that does not work. We can revert this commit if the feature is
re-merged into 22.05 with the proper version in it.
This makes several changes to the README to make reading it clearer.
- General grammar, capitalization, and punctuation fixes.
- Change the usage example into collapsible sections so the README is
navigable.
- Merge steps 2a/2b and steps 3a/3b into steps 2 and 3, since they share
a lot in common.
- Use age examples for .sops.yaml, instead of just GPG fingerprints.
- Make sure there is only one consistent example throughout the
entirety of the usage example.
- Make the age/GPG/SSH trichotomy less confusing.
- Add a source for the "GnuPG is not great software" claim.