Hello all,
I have a nixos flake set up with sops-nix and I’m looking to store my full name with sops-nix to use with the “accounts.email.accounts.<name>.realName” option, but of course that would require the value at evaluation time, which as far as I’ve looked around, is infeasible.
I’ve gathered a lot of information by using the amazing Misterio77’s nixos-config as a reference. Unfortunately, the use of “pass” in their config has been abstracted beyond my current understanding (I think it is as a home-manager module which exposes a systemd module?). I’ve spent hours reading through it and I haven’t figured it out, so I apologize for any incorrect details.
I AM open to using other secret managing schemes alongside sops-nix. I’ve looked into using git-agecrypt, but as recommended in the README, I’m first reaching to see other management schemes before employing it. Another potential solution I found was using nix-plugins with pass as described in this blog post, but I’m somewhat uncomfortable with allowing execution of arbitrary code in my configuration.
I would appreciate any input or alternative methods. Thank you all!
P.S. I would be ok with this information being stored unencrypted in /nix/store since my other, more-pressing secrets should (theoretically haha) be safe with sops-nix
There are a few ways to create secrets in module configuration. One of the easiest ones is to create a flake input that just points to a repository on your local system, or to a private repository that the nix daemon has access to (by setting nix.settings.access-tokens or similar). In the secret repo, you can create a module or a set of modules that contain all the sensitive settings.
Another alternative is to write the nix code in the same repository, but encrypt it before committing. You will have to decrypt it before building. There are probably a bunch of tools out there to help with encryption/decryption and automation thereof (like git-agecrypt), made specifically for storing stuff in repositories. Alternatively, you could come up with your own git-hooks or whatnot.
A third option would be to import nix code from outside the repository by using --impure, but I can’t really recommend it.
A fourth (and arguably hardest) option is to modify the modules you are interested in to inject your secrets in the configuration during activation or before use. This would include making “template” like configuration files without the secrets, and replacing the placeholders with secrets from sops and putting the “real” final config outside the nix store somewhere. Depending on the software and modules in question, this could either be very hard or very easy. In this case, it would probably mean you have to make modifications to every module that refers to the accounts option in home-manager (at least the ones you are using).
Of course, there’s always the option of keeping your entire config private as well, but sharing it online is nice.
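The first approach in the reply above (a flake input pointing at a private repository that carries plain Nix modules with the sensitive values), written out as an added example. This is not code from the thread, from sops-nix or from the config linked in the question; the repository URL, the user name `alice`, the account name `personal` and the file name `email.nix` are placeholders. Note that the value still ends up in /nix/store in the clear, which is the trade-off the original poster said is acceptable for a display name.

```nix
# flake.nix (excerpt, added example; all names are placeholders)
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager";
    sops-nix.url = "github:Mic92/sops-nix";

    # Private repository with plain Nix modules holding the non-secret-but-
    # private values (full name, addresses). The nix daemon needs read access:
    # an ssh key for git+ssh, or nix.settings.access-tokens for https.
    # "example-user/private-config" does not exist; substitute your own.
    privateConfig = {
      url = "git+ssh://git@github.com/example-user/private-config.git";
      flake = false;  # a bare directory of .nix files, no flake.nix required
    };
  };

  outputs = { self, nixpkgs, home-manager, sops-nix, privateConfig, ... }: {
    homeConfigurations."alice" = home-manager.lib.homeManagerConfiguration {
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
      modules = [
        sops-nix.homeManagerModules.sops
        # The private repo's module is imported like any other path. Because it
        # is an ordinary flake input, its contents are available at evaluation
        # time, which is exactly what a sops secret is not.
        (privateConfig + "/email.nix")
        ./home.nix
      ];
    };
  };
}

# email.nix, kept in the private repository (added example)
{ ... }:
{
  accounts.email.accounts.personal = {
    # Evaluation-time value: lands in /nix/store, world-readable, but never in
    # the public repository.
    realName = "Alice Example";
    address  = "alice@example.org";
    primary  = true;
  };
}

# home.nix (excerpt): genuinely secret material still goes through sops-nix,
# which only makes the decrypted file path available, not the contents.
{ config, ... }:
{
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets."mail/password" = { };
  accounts.email.accounts.personal.passwordCommand =
    "cat ${config.sops.secrets."mail/password".path}";
}
```

Updating the private repository means running `nix flake update privateConfig` (or `nix flake lock --update-input privateConfig` on older Nix) so the pinned revision in flake.lock moves; the lock file records only the commit hash, not the file contents.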