Newbie questions about workflow, secrets, and public git repos

Hi friends.
Right now I am running NixOS on my laptop and am planning on managing my desktop as well. Ideally, I would like to be able to save changes on one device and be able to easily get the updated changes on another device through the Internet.

My first assumption is that I will need to create a public GitHub (or something else) repository in order to do this. Is this the right idea? What can I use to sync the GitHub repo with my local repo?

Another thing I’m unsure about is how to manage secrets in a public repo. Right now I’m using sops-nix with both a “.sops.yaml” and a “secrets.yaml” file in my local git repository. My understanding is that having these public is a security risk. What can I do about this?

If I’m misunderstanding something or haven’t provided enough information please let me know.
Thanks :slight_smile:

git push and git pull may be enough to get started if you don’t wanna get fancy. Also, you don’t need to make your config a public repository; it can be private, but a public one could help other people, who may take inspiration from your config :slight_smile:

A lot of people have their .sops.yaml and secrets.yaml files in public repositories, and while other people likely will not be able to read them anytime soon, in the future, those secrets may get broken when computers/cryptography advance to a point where the cryptography is insufficient to protect your secrets. Hopefully by that point, you will have changed your secrets (and upgraded whatever encryption you’re using), and so as long as you’re not storing something confidential there that doesn’t expire, it may be totally fine.

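Publishing a sops-encrypted secrets.yaml is only as safe as the guarantee that every value in it actually went through sops and that no private key ever lands in the repository. The following is an added example, not code from the thread or from sops-nix: a git pre-commit hook that refuses to commit a secrets*.yaml whose leaf values are not ENC[...] ciphertexts or whose sops metadata block lacks its mac, and refuses any staged file that contains an age identity or a PEM private key block. The sample files it writes are constructed, the ENC payloads and the age recipient are dummies, and the file-name pattern, hook name and function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from sops-nix: a git pre-commit hook
# that refuses to commit plaintext secrets or private key material.
# Install (assuming this file is saved as hooks/pre-commit-sops in the repo):
#   ln -s ../../hooks/pre-commit-sops .git/hooks/pre-commit
set -u

# Exit 0 when FILE looks like sops output: every leaf value outside the
# "sops:" metadata block is an ENC[...] ciphertext, and that block carries
# a "mac:" entry.  Every offending line is reported on stderr.
sops_file_is_encrypted() {
  awk '
    BEGIN                  { in_sops = 0; mac = 0; plain = 0 }
    /^sops:/               { in_sops = 1; next }
    in_sops && /^[^ \t]/   { in_sops = 0 }              # metadata block ended
    in_sops                { if ($0 ~ /^[ \t]+mac:/) mac = 1; next }
    /^[ \t]*(#|$)/         { next }                     # comment or blank line
    /^[ \t]*-?[ \t]*[^:]+:[ \t]*$/        { next }      # "key:" opening a nested mapping or list
    /^[ \t]*-?[ \t]*[^:]+:[ \t]+ENC\[/    { next }      # encrypted "key: ENC[...]"
    /^[ \t]*-[ \t]+ENC\[/                 { next }      # encrypted list item "- ENC[...]"
    { plain = 1; print FILENAME ":" NR ": unencrypted value: " $0 > "/dev/stderr" }
    END { if (plain == 0 && mac == 1) exit 0; exit 1 }
  ' "$1"
}

# Exit 0 when FILE contains an age identity (keys.txt) or a PEM private key.
contains_private_key_material() {
  grep -qE 'AGE-SECRET-KEY-1|-----BEGIN (OPENSSH|PGP|RSA|EC|DSA)? ?PRIVATE KEY' "$1"
}

# Hook body: check every staged file (paths with spaces are not handled).
pre_commit_hook() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    [ -f "$f" ] || continue
    case "$(basename "$f")" in
      secrets*.yaml|secrets*.yml)
        sops_file_is_encrypted "$f" || { echo "refusing: $f has unencrypted values" >&2; status=1; } ;;
    esac
    if contains_private_key_material "$f"; then
      echo "refusing: $f contains private key material" >&2; status=1
    fi
  done
  return $status
}

# Constructed sample inputs (dummy ciphertext, dummy recipient) to try the
# checks offline; prints the directory they were written to.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/secrets.yaml" <<'EOF'
wifi_psk: ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]
ssh:
    host_key: ENC[AES256_GCM,data:DDDD,iv:EEEE,tag:FFFF,type:str]
tokens:
    - ENC[AES256_GCM,data:GGGG,iv:HHHH,tag:IIII,type:str]
sops:
    age:
        - recipient: age1dummyrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ZHVtbXk=
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:JJJJ,iv:KKKK,tag:LLLL,type:str]
    version: 3.8.1
EOF
  cat > "$d/plain.yaml" <<'EOF'
wifi_psk: hunter2
sops:
    mac: ENC[AES256_GCM,data:JJJJ,iv:KKKK,tag:LLLL,type:str]
EOF
  printf 'AGE-SECRET-KEY-1DUMMYDUMMYDUMMYDUMMYDUMMY\n' > "$d/keys.txt"
  echo "$d"
}

# Act as the hook only when installed as .git/hooks/pre-commit.
case "${0##*/}" in pre-commit) pre_commit_hook ;; esac
```

Note what each file in the thread contains: .sops.yaml holds only creation rules and public recipients (age public keys, PGP fingerprints, KMS identifiers), so publishing it tells others who can decrypt but gives them nothing to decrypt with; secrets.yaml holds ciphertext plus a per-recipient wrapped data key and a MAC. The file that must never be committed is the age identity (keys.txt, starting with AGE-SECRET-KEY-1) or the PGP private key, which is what the second check is for.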

I’ve created a dedicated user on a small server with a repository for nixos and home-manager:

    services = {
        openssh = {
            enable                              =  true;
            settings = {
                # key-based login only: no passwords, no keyboard-interactive prompts
                KbdInteractiveAuthentication    =  false;
                PasswordAuthentication          =  false;
                PermitRootLogin                 = "no";
            };
        };
    };
    users = {
        mutableUsers                            =  false;
        users = {
            git = {
                hashedPassword                  = "";  # is actually empty, public/private-key access only
                isNormalUser                    =  true;
                openssh.authorizedKeys.keys = [ "<redacted>" ];
                # git-shell limits this account to git push/pull transport commands, no interactive shell
                shell                           = "${pkgs.git}/bin/git-shell";
                uid                             =  <redacted>;
            };
        };
    };

    git remote add origin git@<host>:nixos

and

    git remote add origin git@<host>:home-manager
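Putting the "git push and git pull" answer and the git-shell server together, here is an added example (not code from the thread) of the whole round trip: a bare repository standing in for the one that git@<host>:nixos resolves to, a laptop repository that adds that remote, commits and pushes, and a desktop clone that pulls the next change. It uses local paths instead of ssh so it runs without a server; the directory layout, the explicit branch handling, the demo identity and the demo file contents are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: laptop -> server -> desktop with plain
# git push/pull, simulated with local paths.  $server stands in for ~/nixos
# in the git user's home on the server, which is what git@<host>:nixos
# resolves to when the login shell is git-shell.
set -u

# Server side: a bare repository (no working tree) that the clients push to.
# On the real server: run "git init --bare ~/nixos" as the git user.
init_bare_remote() {
  git init -q --bare "$1"
}

# Client side: write FILE in REPO, commit it, and push the current branch,
# setting it to track origin so a later "git pull" needs no arguments.
commit_and_push() {   # $1 = repo dir, $2 = file, $3 = new content
  printf '%s\n' "$3" > "$1/$2" &&
  git -C "$1" add "$2" &&
  git -C "$1" -c user.name=demo -c user.email=demo@localhost \
      commit -q -m "update $2" &&
  git -C "$1" push -q -u origin "$(git -C "$1" symbolic-ref --short HEAD)"
}

# The full round trip; prints the desktop's copy of the file at the end.
sync_demo() {
  work=$(mktemp -d) || return 1
  server="$work/server/nixos"      # in the thread: git@<host>:nixos
  laptop="$work/laptop/nixos"
  desktop="$work/desktop/nixos"

  {
    init_bare_remote "$server" &&
    mkdir -p "$laptop" &&
    git -C "$laptop" init -q &&
    git -C "$laptop" remote add origin "$server" &&
    commit_and_push "$laptop" configuration.nix '# laptop: generation 1' &&
    # First checkout on the desktop: clone the branch the laptop pushed,
    # named explicitly so this works whether the default is master or main.
    git clone -q --branch "$(git -C "$laptop" symbolic-ref --short HEAD)" \
        "$server" "$desktop" &&
    # Next change on the laptop; the desktop picks it up with a
    # fast-forward-only pull, which refuses to silently merge if the two
    # machines diverged (edit on one machine at a time, or rebase by hand).
    commit_and_push "$laptop" configuration.nix '# laptop: generation 2' &&
    git -C "$desktop" pull -q --ff-only
  } >/dev/null || return 1

  cat "$desktop/configuration.nix"
}

sync_demo
```

Two things a key-only git account like the one above benefits from: prefix the entry in openssh.authorizedKeys.keys with the OpenSSH `restrict` option (for example `"restrict ssh-ed25519 AAAA... laptop"`) so that key cannot request port forwarding, agent forwarding or a pty even though git-shell already refuses interactive commands; and note that leaving hashedPassword out entirely (the NixOS default, null) already gives the account a locked password field, which is what a public-key-only user needs.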