feat: export sops age key file

README.md

@@ -20,7 +20,7 @@ Declarative macOS setup with `nix-darwin`, `home-manager`, `nix-homebrew`, and
 - SOPS age key at:
 
 ```bash
-~/.config/sops/age/keys.txt
+$HOME/.config/sops/age/keys.txt
 ```
 
 ## Repository Layout
@@ -78,9 +78,9 @@ just gc
 - `modules/flake/darwin-configurations.nix` assembles each host’s
   `darwinConfigurations.<host>` output and embeds Home Manager for user `poby`.
 - `modules/aspects/` is the feature vocabulary for hosts. The current feature
-  set is `base`, `nix-core`, `system-packages`, `homebrew`,
-  `macos-defaults`, `activation`, `fonts`, `sudo-auth`, `shell`, `cli-tools`,
-  `git`, `ssh`, `secrets`, `terminal`, `editor`, `desktop`, and `fenrir`.
+  set is `base`, `nix-core`, `system-packages`, `homebrew`, `macos-defaults`,
+  `activation`, `fonts`, `sudo-auth`, `shell`, `cli-tools`, `git`, `ssh`,
+  `secrets`, `terminal`, `editor`, `desktop`, and `fenrir`.
 - The `cli-tools` aspect owns the CLI user tool set, including `zoxide`.
 - `modules/aspects/_*/` contains implementation files that are intentionally not
   auto-loaded. `import-tree` skips paths containing `/_`, which is the repo’s

modules/aspects/_secrets/sops.nix

@@ -1,6 +1,12 @@
-{config, ...}: {
+{config, ...}: let
+  ageKeyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+in {
+  home.sessionVariables = {
+    SOPS_AGE_KEY_FILE = ageKeyFile;
+  };
+
   sops = {
-    age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+    age.keyFile = ageKeyFile;
 
     defaultSopsFile = config.repo.user.secretFile;
 

secrets/README.md

@@ -8,6 +8,7 @@ aspect. Do not commit plaintext secrets.
 - Secret file: `secrets/poby.yaml`
 - SOPS rules: `.sops.yaml`
 - Age key file: `~/.config/sops/age/keys.txt`
+- Environment variable: `SOPS_AGE_KEY_FILE`, exported by the `secrets` aspect
 - Secret declarations: `modules/aspects/_secrets/sops.nix`
 - SSH host wiring: `modules/aspects/_ssh/ssh.nix`
 
@@ -22,7 +23,7 @@ nix-shell -p sops age
 Open the encrypted secret file with the age key:
 
 ```bash
-SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml
+sops secrets/poby.yaml
 ```
 
 Add a top-level key name and paste the private key as a YAML block scalar:
@@ -38,6 +39,13 @@ Save and quit the editor. SOPS will re-encrypt the file automatically.
 
 Do not edit the `sops:` metadata block manually.
 
+If this machine has not applied the Home Manager config yet, set the age key
+file explicitly for the command:
+
+```bash
+SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops secrets/poby.yaml
+```
+
 ## Generate A New SSH Key First
 
 If the key does not exist yet, generate it before opening SOPS:
@@ -89,7 +97,6 @@ Confirm the encrypted file contains the expected top-level secret names without
 printing secret values:
 
 ```bash
-SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" \
 sops -d secrets/poby.yaml \
   | awk -F: '/^[A-Za-z0-9_]+:/ { print $1 }'
 ```