Declarative flake secrets when sharing with non NixOS colleagues

G3zz · September 14, 2022, 9:24am

Hi all,
I am a nix-os (Darwin) user and have a work project flake that I’d like to share with some colleagues, who are not using NixOS but have the nix package manager installed. We are going to be using the flake to specify a devShell with the necessary OS dependencies to run our Python project with the secrets needed to access various APIs. I’d like to keep some secrets hidden from the nix store, but I am not sure of the best way to do this in my situation since not everyone is using Nix OS.

I’ve been looking into sops-nix and agenix, and the thread here https://discourse.nixos.org/t/flakes-secret-configs/14638, but as I would be sharing the flake with non NixOS users, I am not sure if they are appropriate.

What solution would you advise? So far, the only (bad) option I can think of for my situation is to encrypt the files using sops, add the encrypted files to gitignore and then forcefully add them to the git tree. Then, use a shellHook to decrypt them at runtime using sops…

Thanks

TLATER · September 14, 2022, 11:33am

Surely sops-nix/agenix will work fine then? Afaik it only needs NixOS in the deployed host, not for making the keys available during development.

G3zz · September 14, 2022, 11:48am

I’m not sure I’m following, sorry. How would the non NixOS users be expected to decrypt the secrets so that they can run locally (say, to run integration tests)? Ideally I’d like to avoid manual steps if possible

peterhoeg · September 14, 2022, 1:27pm

Are you just looking for secrets for local dev use? Assuming you’re already using nix-direnv, you can load them all from a .gitignore’d file in .env.creds (or whatever you choose to call it).

That of course still doesn’t deal with the distribution of the secrets but that could would be simple assuming the credentials to not change very often.

G3zz · September 14, 2022, 4:03pm

Thanks very much for nudging me towards direnv - I think I can configure it to do what I need, even if it’s not completely pure.

If I add a special suffix such as *.decrypted to .gitignore, then I can get direnv to decrypt the local dev secrets transparently for my colleagues. Here’s a sample .envrc, inspired by https://github.com/direnv/direnv/wiki/Sops :

use flake

use_sops() {
    for secret in $(find secrets -type f -not -name "*.decrypted"); do
	    nix-shell -p sops --run "umask 0377 && sops -d $secret > $secret.decrypted"
    	watch_file "$secret"
    done
}

use_sops

In this way, everyone gets the files read only on their machines, and they should be invisible to git.
Then, to use them, either I can pass the file path to Python as needed or configure any relevant environment variables either with the values themselves or as a path to the file. Meanwhile, for deployed hosts the paths can be the sops-nix ones.

Thanks