I use NixOS on my desktop, and I now want to migrate my servers over to it. I’ve started refactoring my configuration to get a common base for all machines, but one area I’m having trouble with is secrets management.
On my desktop I use Home Manager for everything, with a minimal NixOS configuration. For secrets management I use homeage, which is simple but works great.
However, on my servers, I will need system-level secrets management, to apply to all of the services being run. This means no homeage, so I’ll probably have to go with agenix or sops-nix.
The problem is that creating a common config means both machines will be somewhat affected by adding a system-level secrets option. Plus the annoyance of having two different systems for essentially the same purpose.
The only option I know for handling both issues is to migrate fully to sops-nix. I attempted to use it originally before going with homeage, but had impure issues, trying to keep keys outside of the git repo.
I’m curious whether there are any other options that have surfaced that people can recommend? Or is using sops-nix redundantly in both NixOS and Home Manager the only way?
I point this out every time this comes up, but systemd credentials are an interesting alternative.
I tried migrating to them recently; the main problem is that the secrets are tied to a single key, as it’s intended to support TPM-based encryption. This makes it hard to deploy the same secrets across multiple machines, as well as having user secrets that only users can decrypt, and not anyone using the system. I haven’t yet found a good mechanism to make this less of a problem.
But then I also didn’t dig too deep.
Sorry if I’m misunderstanding, a home-manager module was recently merged into agenix; personally I only use it for system-level secrets, but I believe it’s working for both.
I looked into it as well when you last mentioned it. Certainly interesting, but enough limitations for me to stick with the current Nix options. I like the idea of it being automatic in systemd, but it seems too limited right now.
That’s interesting. The last time I looked into agenix, it didn’t have the Home Manager module (which is how I ended up using homeage). I’ll have to take another look, thanks!
I haven’t looked at the new feature yet but my workaround can be seen here.
The downside is that you can’t use the config on home-manager only systems.
I do not have any problems with sops-nix on system and home level, and I do not have a single (private) key in the repo.
“Impure” issues with sops-nix I have seen so far have always been misuse of sops-nix, and the same misuse happens with agenix as well.
Personally I use a KeePass database to keep my actual encryption and decryption keys external.
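To make the "keys outside the repo" setup concrete, here is an added example of a NixOS module that wires sops-nix into both the system and a Home Manager user. It is not any poster's configuration. Assumptions: a flake input named `sops-nix` exposed as `inputs`, a user called `alice`, a service called `someservice`, the secret names, and the key-file paths are all placeholders. The repository itself only ever contains `.sops.yaml` (public age recipients) and the encrypted `secrets/*.yaml` files; the private age keys stay on disk at absolute paths.

```nix
# Added example (not from the thread). Assumed: flake input `inputs.sops-nix`,
# user `alice`, service `someservice`, and the paths and secret names below.
{ config, inputs, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  # --- System-level secrets ---
  # Encrypted with sops against the host's public age recipient; safe to commit.
  sops.defaultSopsFile = ./secrets/system.yaml;

  # The private key is a STRING path on the target host, read at activation
  # time. A Nix path literal (./key.txt) would copy the key into the
  # world-readable /nix/store, which is the usual cause of "impure" trouble.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # Alternative: derive the age identity from the host's SSH key instead,
  # so no separate key file has to be provisioned.
  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  sops.secrets."someservice-api-token" = {
    owner = "someservice";   # only this user can read the decrypted file
    mode = "0400";
  };

  # Services read the decrypted file at runtime; nothing secret is in the
  # store or in the evaluated configuration.
  systemd.services.someservice.serviceConfig.LoadCredential =
    "api-token:${config.sops.secrets."someservice-api-token".path}";

  # --- Per-user secrets via Home Manager ---
  # A separate secrets file and a separate private key owned by the user,
  # so root-level and user-level secrets are decryptable independently.
  home-manager.users.alice = { config, ... }: {
    imports = [ inputs.sops-nix.homeManagerModules.sops ];
    sops.defaultSopsFile = ../secrets/home.yaml;
    sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
    sops.secrets."alice-git-token" = { };
  };
}
```

The `.sops.yaml` at the repo root lists only the public `age1...` recipients (one for the host key, one for the user key) with `creation_rules` mapping `secrets/system.yaml` to the host recipient and `secrets/home.yaml` to the user recipient; a machine that should share a secret is simply added as another recipient and the file re-encrypted with `sops updatekeys`. A quick sanity check before committing: `grep -rl "AGE-SECRET-KEY" .` over the repository should return nothing, and `nix path-info` on the built system closure should contain no file with the key material.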