How to deal with private metadata on flake config?

Hi,

I want to know what’s your approach to having private information in your configuration.
Note that I don’t mean secrets. I know about different strategies for managing them.
This is solely related to private information that might constitute a metadata leak when exposed publicly.

Some examples:

  • Email configuration.
  • Some network settings.
  • accounts.* in H-M.
  • GPG trusted keys.
  • etc…

Ideas very much appreciated.

Thanks. :slight_smile:

Hi,
I personally think about such information as either public or secret (full disclosure principle). If you don’t want to encrypt them but still want to use them in your config repo, the whole repo should be treated the same way you treat this private info.
Having the repo as a private repo on Github or Codeberg might be enough if you trust those platforms with this specific information as well.

2 Likes

Thanks for your reply,

I didn’t know about the full disclosure principle. It makes sense. Sadly most of these options are fundamentally impossible to integrate with current nix secret management options.

I don’t like the idea of doxing myself but having a public configuration becomes really useful when asking for help…

I’ll ponder about it.

The system I use is to have a secret private repository (self hosted but you could put it on github depending on your sensibility), where I only include the configuration I do not want to be public on github.

Long story short, I add this input in flake.nix:

# Using an empty repository as default so the configuration is usable without secrets
nixos-secrets.url = "github:TheEaterr/nixos-secrets-empty";
nixos-secrets.inputs.nixpkgs.follows = "nixpkgs";

Then import them in configuration.nix:

imports = [
    inputs.nixos-secrets.nixosModules.networkingProfiles
    inputs.nixos-secrets.nixosModules.ssh
    ...
]

If you need it, you can see my full configuration here: GitHub - TheEaterr/nixos-config

1 Like

I like to have my dotfiles public to share config, see my own config without being logged in etc.
I use git-crypt to “hide” stuff I would rather not be seen but don’t mind being deciphered (ssh ports, email addresses).

I use sops for the secrets. I don’t put the sops file on git though, I just give a path to the folder containing it:

  # to avoid the error "'secrets.yaml' is not in the Nix store" when the file
  # is referenced by an absolute path outside the repository
  sops.validateSopsFiles = false;

Recently, I’ve moved all my secrets (ssh, password-store) to a single folder to more easily sync those between computers. It takes some extra work to configure the paths in each program but I hope that as a bonus, it protects me from naive scripts that just upload ~/.ssh.

1 Like
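As an added example (not the poster's configuration), here is what a sops-nix module looks like when the encrypted file is kept outside both the git repository and the Nix store, which is the situation `sops.validateSopsFiles = false` is for. The file and key locations are assumed; the option names are sops-nix's.

```nix
# Added example: sops-nix reading a secrets file that is neither committed
# nor copied into /nix/store. Paths below are assumptions, not sops-nix defaults.
{ config, ... }:
{
  # A string starting with "/" satisfies the option's `path` type without
  # being a Nix path literal, so nothing is copied into the store at
  # evaluation time. `./secrets.yaml` (a path literal) would be copied.
  sops.defaultSopsFile = "/var/lib/private-config/secrets.yaml";

  # With the default (true), sops-nix verifies at evaluation time that every
  # sops file is in the store and that every declared secret exists in it.
  # Disabling it moves that check to activation time: a missing or malformed
  # file is only reported when `nixos-rebuild switch` runs on the host.
  sops.validateSopsFiles = false;

  # The age key stays on the host, outside the repository.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # Each secret is decrypted to /run/secrets/<name> at activation.
  sops.secrets."wireless/psk" = { };
  sops.secrets."mail/password" = {
    owner = "alice";          # assumed user; restricts who can read the file
    mode = "0400";
  };
}
```

The trade-off is that the repository alone no longer proves the configuration is complete: every machine needs the file present at the same absolute path, and a typo in a secret name surfaces at switch time rather than at `nix flake check`.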

I just found out about an interesting project probably related to this.

I don’t know much about it yet but it looks promising.

1 Like

It is an interesting project indeed. I hope it’s compatible with Lix tho.

This basically does what other git based tools seem to do but in a more nixy way.

Thanks for sharing. : )

I recently made a blog post about this topic. The basic principle is the same as what TheEaterr does, however I also describe how to hide single values. Basically the premise is that you can import a Flake input to get the values in default.nix, which can then be passed to other modules:

nas = nixpkgs.lib.nixosSystem {
  inherit system pkgs;
  modules = [
    ./hosts/nas/configuration.nix
    nix-secrets.nixosModules.nas
  ];
  specialArgs = {
    secrets = import nix-secrets;
  };
};

Something else that is worth knowing is that you can locally override the input, so you don’t need to always update the lock file when trying things out locally:

--override-input nix-secrets ../nix-secrets
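The two patterns in this thread (TheEaterr's empty-fallback flake input exporting whole NixOS modules, and this post's `import nix-secrets` plus `specialArgs` for single values) fit together in one layout. The following is an added example, not code from either author's repository or blog post: four files are shown in one block, separated by comments. The repository URLs, host name, interface name and values are placeholders.

```nix
# ---- flake.nix in the PUBLIC configuration repository ----
# On the owner's machines the real repository is substituted without
# touching flake.lock:
#   nixos-rebuild switch --flake .#nas --override-input nix-secrets ../nix-secrets
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    # Default to a public, content-free flake so anyone can evaluate the
    # repo (and you can share it when asking for help). Placeholder URL.
    nix-secrets.url = "github:EXAMPLE-OWNER/nix-secrets-empty";
    nix-secrets.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, nix-secrets, ... }:
    let
      system = "x86_64-linux";
      # `import` of a flake input evaluates the default.nix at its root;
      # the result is an ordinary attribute set, not a flake output.
      secrets = import nix-secrets;
    in {
      nixosConfigurations.nas = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          ./hosts/nas/configuration.nix
          # Whole private modules (addresses, ports, mail setup, ...).
          nix-secrets.nixosModules.nas
        ];
        # Single private values reach every module as the `secrets` argument.
        specialArgs = { inherit secrets; };
      };
    };
}

# ---- hosts/nas/configuration.nix: consuming single values ----
{ config, pkgs, secrets, ... }:
{
  networking.hostName = "nas";
  # `or` gives a usable default when the empty fallback flake is in use.
  networking.extraHosts = secrets.extraHosts or "";
  networking.nameservers = secrets.nameservers or [ ];
}

# ---- nix-secrets/flake.nix: the PRIVATE repository ----
# The empty fallback repository has the same interface, with
# `nixosModules.nas = { ... }: { };` and a default.nix that returns `{ }`,
# so the public configuration evaluates against either one.
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  outputs = { self, nixpkgs }: {
    nixosModules.nas = { ... }: {
      networking.interfaces.enp3s0.ipv4.addresses = [
        { address = "192.0.2.10"; prefixLength = 24; }  # documentation range
      ];
      services.openssh.ports = [ 2222 ];
    };
  };
}

# ---- nix-secrets/default.nix: what `import nix-secrets` evaluates to ----
{
  extraHosts = "192.0.2.1 router.lan";
  nameservers = [ "192.0.2.1" ];
}
```

Two things worth keeping in mind with this layout. The fallback flake has to export every attribute the public configuration reaches for (module names as empty modules, values via `or` defaults), otherwise evaluation fails for everyone using the empty input. And the private input is still a flake input: on the host it is fetched into /nix/store, which is world-readable, so this keeps metadata out of the public repository but gives no protection against other local users, which is why the thread treats these values as private rather than secret.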