Unsure if I am using sops-nix correctly - would this leak secrets?

Hi,

After a lot of trial and error, I have gotten sops-nix to work. I understand that using builtins.readFile on a sops.secrets.my_secret.path would end up leaking the secret to the world.

Would the following do the same?

sops.secrets.hotspot = { sopsFile = ./wifi.yaml; };
environment.etc."NetworkManager/system-connections/Hotspot.nmconnection" = {
  source = "${config.sops.secrets.hotspot.path}";
};

It probably would, right?

If so, could I get around this by writing a systemd service that links the /run/secrets/hotspot file to the target from above after booting?

(Or maybe even better, is there an easier solution I’m not seeing for storing NetworkManager connections?)

Thanks in advance, and sorry if this is a stupid question, I’m definitely still learning…

By leaking you mean that it ends up in the store?

AFAIK, if the source is a file that isn’t in the store, it won’t end up there because you use it with environment.etc.<name>.source.

You can check it with nix repl loading your flake with the configuration.

$ nix repl
nix-repl> :lf .
Added 13 variables.
nix-repl> outputs.nixosConfigurations.<hostname>.config.environment.etc."<name>".source

For example, if I create an etc file that is in my home dir:

nix-repl> outputs.nixosConfigurations.trantor.config.environment.etc."testfile".source
"/home/aorith/mrl.vcl"

❯ ls -lrt /etc/testfile
lrwxrwxrwx 1 root root 20 mar  9 20:56 /etc/testfile -> /etc/static/testfile
❯ ls -lrt /etc/static/testfile
lrwxrwxrwx 2 root root 20 ene  1  1970 /etc/static/testfile -> /home/aorith/mrl.vcl

Oh wow, indeed! Thanks for the quick answer, this does give me some peace of mind :sweat_smile:

Would you say this is an acceptable solution to storing nm configs then? I’ve been looking online with not much luck.

I would use it, but I’m not an expert. If your concern is that the system will be multi-user, just ensure that the files can only be read by root. If you want to upload your configuration to a public git repo, you have to trust the encryption used.

If this is not really required for your use-case, you can configure those secrets in a separate flake that is not public, or just keep the network manager connections as state outside of NixOS configuration.


With sops you can also set user permissions. So it does not have to be root that reads a secret, but for example only one user or a service that runs as a system user.
For example, like this:

sops.secrets."gitlab/database-password".owner = "gitlab";
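Putting the two answers above together (the environment.etc symlink check from the first reply and the owner/mode settings from this one), here is an added NixOS module example; it is not code from the thread or from sops-nix itself. It assumes sops-nix is already imported, that ./secrets/wifi.yaml contains a key named hotspot, and that the reader's sops-nix version provides the owner, group, mode and restartUnits secret options. The NetworkManager path is the one from the original question.

```nix
# Added example, not from the thread. Assumes sops-nix is imported and
# ./secrets/wifi.yaml has a "hotspot" key.
{ config, ... }:
{
  # sops-nix decrypts this at activation time to /run/secrets/hotspot,
  # which lives outside the Nix store and is never world-readable.
  sops.secrets.hotspot = {
    sopsFile = ./secrets/wifi.yaml;
    # Restrict who may read the decrypted file on a multi-user host.
    owner = "root";
    group = "root";
    mode = "0600";
    # sops-nix option (assumed available): restart the consumer when the
    # secret's contents change on rebuild.
    restartUnits = [ "NetworkManager.service" ];
  };

  # Safe: only the path *string* "/run/secrets/hotspot" is evaluated.
  # /etc/static/NetworkManager/... becomes a symlink to that path, so the
  # plaintext never enters /nix/store. This is what the nix repl check in
  # the first reply confirms: the evaluated .source is not a store path.
  environment.etc."NetworkManager/system-connections/Hotspot.nmconnection".source =
    config.sops.secrets.hotspot.path;

  # Unsafe (kept commented out on purpose): builtins.readFile copies the
  # decrypted contents into the /etc derivation, which ends up in the
  # world-readable Nix store.
  # environment.etc."NetworkManager/system-connections/Hotspot.nmconnection".text =
  #   builtins.readFile config.sops.secrets.hotspot.path;
}
```

After a rebuild, the same two checks from the first reply apply: evaluate config.environment.etc."NetworkManager/system-connections/Hotspot.nmconnection".source in nix repl and confirm it does not start with /nix/store, and follow the symlink chain from /etc with ls -l to confirm it terminates at /run/secrets/hotspot with the 0600 root:root permissions set above.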

No, you were right, I’m concerned about the secrets being included in the nix store; any other user on the machine would know the secrets anyway. But at the same time, as you said, I want to be able to upload to a public repo.

Yep, I’m aware, my concern was more with having the secret in the store than with any user being able to read them