brizzbuzz · brizzbuzz · Mar 7, 2026
diff --git a/docs/configuration-reference.md b/docs/configuration-reference.md
@@ -354,7 +354,7 @@ programs.onepassword-secrets = {
 - **Type**: `attrsOf homeSecretOptions`
 - **Default**: `{}`
 - **Description**: Declarative secrets for Home Manager
-- **Notes**: Paths are relative to home directory
+- **Notes**: Relative paths are resolved from the home directory; absolute paths are used as-is
 
 **Example:**
 ```nix
@@ -377,7 +377,7 @@ programs.onepassword-secrets.secrets = {
 #### `path`
 - **Type**: `nullOr str`
 - **Default**: `null`
-- **Description**: Path relative to home directory. If null, uses secret name
+- **Description**: Path for the secret file. Relative paths are resolved from the home directory; absolute paths are used as-is. If null, uses secret name
 - **Example**: `".ssh/id_rsa"`
 
 #### `owner`

diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -258,7 +258,7 @@ ls -la ~/.config/myapp/
 ### Home Manager
 
 - Works on **any platform** (Linux, macOS, etc.)
-- Secrets stored relative to home directory
+- Relative secret paths resolve under the home directory; absolute paths are also supported
 - Runs during Home Manager activation
 - Can access system tokens or use separate token files
 

diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
@@ -676,9 +676,9 @@ Home Manager activation completes but secrets aren't in expected locations.
 2. **Verify configuration:**
    ```nix
    programs.onepassword-secrets.secrets.sshKey = {
-     reference = "op://Personal/SSH/key";
-     path = ".ssh/id_rsa";  # Relative to home directory
-   };
+      reference = "op://Personal/SSH/key";
+      path = ".ssh/id_rsa";  # Relative paths resolve under the home directory
+    };
    ```
 
 3. **Check activation output:**
@@ -876,4 +876,4 @@ For production environments requiring guaranteed support:
 - Engage with NixOS professional services
 - Consider infrastructure consulting services
 
-Remember to never share actual tokens, secrets, or sensitive configuration details when seeking help. Always sanitize debug information before sharing publicly.
+Remember to never share actual tokens, secrets, or sensitive configuration details when seeking help. Always sanitize debug information before sharing publicly.
diff --git a/nix/hm-module.nix b/nix/hm-module.nix
@@ -6,6 +6,17 @@
 }: let
   cfg = config.programs.onepassword-secrets;
 
+  resolveHomeSecretPath = name: secret: let
+    secretPath =
+      if secret.path != null
+      then secret.path
+      else name;
+    secretPathStr = toString secretPath;
+  in
+    if builtins.substring 0 1 secretPathStr == "/"
+    then secretPathStr
+    else "${config.home.homeDirectory}/${secretPathStr}";
+
   # Validate that secret keys use proper Nix variable naming (camelCase)
   # Valid: databasePassword, sslCert, myApiKey
   # Invalid: "database/password", "ssl-cert", "my_api_key"
@@ -37,8 +48,9 @@
         type = lib.types.nullOr lib.types.str;
         default = null;
         description = ''
-          Path where the secret will be stored, relative to home directory.
-          If null, uses the secret name. For example: ".config/Yubico/u2f_keys" or ".ssh/id_rsa"
+          Path where the secret will be stored.
+          Relative paths are resolved from the home directory, while absolute paths are used as-is.
+          If null, uses the secret name. For example: ".config/Yubico/u2f_keys", ".ssh/id_rsa", or "/run/secrets/user/api-key"
         '';
         example = ".config/Yubico/u2f_keys";
       };
@@ -103,7 +115,8 @@ in {
       description = ''
         Declarative secrets configuration (GitHub #11).
         Keys are secret names, values are secret configurations.
-        Paths are relative to home directory.
+        Relative paths are resolved from the home directory.
+        Absolute paths are used as-is.
       '';
       example = {
         sshPrivateKey = {
@@ -138,11 +151,9 @@ in {
         then
           lib.mapAttrs (
             name: secret: let
-              secretPath =
-                if secret.path != null
-                then secret.path
-                else name;
-            in "${config.home.homeDirectory}/${secretPath}"
+              secretPath = resolveHomeSecretPath name secret;
+            in
+              secretPath
           )
           (validateSecretKeys cfg.secrets)
         else {};
@@ -207,12 +218,9 @@ in {
         # Create parent directories for all declarative secrets
         ${lib.concatMapStringsSep "\n" (name: let
           secret = cfg.secrets.${name};
-          secretPath =
-            if secret.path != null
-            then secret.path
-            else name;
+          secretPath = resolveHomeSecretPath name secret;
         in ''
-          $DRY_RUN_CMD mkdir -p "''${HOME}/${lib.escapeShellArg (builtins.dirOf secretPath)}"
+          $DRY_RUN_CMD mkdir -p ${lib.escapeShellArg (builtins.dirOf secretPath)}
         '') (builtins.attrNames cfg.secrets)}
       '';