Hello. Is there a way to hide options like home-manager’s programs.git.userEmail in flakes so one can publish them without revealing such values?
agenix afaik works at runtime with services, which must read secrets from files at runtime, whereas I need to have ~/.config/git/config properly generated with decrypted values during activation.
git-crypt on the other hand is a PITA because it does NOT work with git worktrees, which is a feature I use heavily. And there’s also a pitfall… once you accidentally use such a flake without decrypting it first, it gets into the nix store, and decrypting it afterwards won’t help because nothing changed from git’s standpoint, and you have to GC the nix store or explicitly disregard git by using path:/flake in your command.
Is there some way which decrypts things during activation so it neither breaks nix’s purity nor git repos?
Thanks
I use a separate private repo with a flake that has all these sorts of “soft” secrets (that don’t really need encryption) and then my main config imports that repo as an input. You can check ryan4yin’s repo to see how he deals with his secrets repo for something similar.
If your requirement is that they don’t make it into the Nix store, my suggestion won’t work though. In my case it’s just so I can publish a repo (which I haven’t yet) without exposing that type of info.
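A minimal sketch of the private-input approach described in the reply above, added here as an illustration and not taken from the thread or from ryan4yin’s repo. The repo URL, the `my-secrets` input name, the user name and the e-mail address are all placeholders; the private repo is assumed to be a flake whose outputs are plain attribute sets, and the public repo pulls it in as a normal flake input.

```nix
# --- flake.nix in the PRIVATE repo (hypothetical, e.g. git@github.com:EXAMPLE-USER/nix-secrets) ---
# Nothing here is encrypted; the only protection is that the repo itself is private.
{
  outputs = { self }: {
    git = {
      userName = "Alice Example";        # placeholder value
      userEmail = "alice@example.invalid";  # placeholder value
    };
  };
}

# --- flake.nix in the PUBLIC config repo ---
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Fetched over SSH with the local git credentials; anyone without access to the
    # private repo can read this flake but cannot evaluate the configurations below.
    my-secrets.url = "git+ssh://git@github.com/EXAMPLE-USER/nix-secrets.git";
  };

  outputs = { nixpkgs, home-manager, my-secrets, ... }: {
    homeConfigurations."alice" = home-manager.lib.homeManagerConfiguration {
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
      modules = [
        {
          home.username = "alice";
          home.homeDirectory = "/home/alice";
          home.stateVersion = "24.05";
          # The values are read from the private input at evaluation time, so the
          # generated ~/.config/git/config contains them, but the public repo does not.
          programs.git = {
            enable = true;
            userName = my-secrets.git.userName;
            userEmail = my-secrets.git.userEmail;
          };
        }
      ];
    };
  };
}
```

Two things to keep in mind when publishing the public repo: `flake.lock` records only the private input’s URL and commit hash, not its contents, so it is safe to commit, but the evaluated home-manager generation (and the fetched copy of the private repo) still lands in the Nix store in plain text, which is exactly the limitation the reply points out.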