Over the last week I’ve been integrating sops-nix into my personal setup,
and to begin with I wasn’t trying to do anything fancy, just replace passwordHash with a secret using passwordFile in my user config.

    users.users.brian = {
      isNormalUser = true;
      # passwordHash = "...";
      passwordFile = config.sops.secrets.password.path;
      ...
    };

After running sudo nixos-rebuild switch --flake .# it didn’t take long to discover that the password for my user was no longer working. I tried rolling back with sudo nixos-rebuild switch --rollback as you do when things go wrong, and was met with a password prompt… shit! 😰

I took a break, fired up the coffee machine, and by the time I was finished I had a cunning plan: restart and choose the previous generation on boot, problem solved 👍.

Narrator: “He did, but it didn’t work.”

My next step was to spin up a live USB and poke around, but after an hour or so I was none the wiser. So I reached out to Mic92, the author of sops-nix (and just about everything else NixOS) and explained the situation.

> nixos-install is idempotent usually

It took me a bit to work out what he was getting at.

With the live USB I had been able to unlock my disk and mount both my root filesystem at /mnt and my boot partition at /mnt/boot. This meant I could edit the bad config and revert to using passwordHash instead of passwordFile.

    users.users.brian = {
      isNormalUser = true;
      passwordHash = "...";
      # passwordFile = config.sops.secrets.password.path;
      ...
    };

At this point you might be asking “Ok that’s cool and all, but how are you going to apply this new config?”.

    $ nixos-install --flake .#

Et voilà! I rebooted my machine and once again all was good and right in the world.

So if you ever find yourself in a bit of a pickle and rollback just isn’t working, remember: nixos-install can be your friend.