Vars: A framework for managing secrets and computed values

DavHau · March 31, 2025, 9:28am

phaer · March 31, 2025, 11:36am

There’s an effort to upstream this to nixpkgs. This is linked in the post above as well, just thought it might be worth highlighting that this isn’t tied to clan or so. Thanks for your work on this!

github.com/NixOS/nixpkgs

WIP: implement a secret vars store in nixpkgs

NixOS:master ← Lassulus:nixos-vars

opened 01:49AM - 03 Jan 25 UTC

Lassulus

+461 -0

This allows to create secrets (and public files) outside or inside the nix store… in a more delclarative way. This is shipped with an example (working) implementation of an on-machine storage. The vars options can easily be used to implement custom backends and extend the behaviour to integrate with already existing solutions, like sops-nix or agenix. I wanted to upstream this, since we use code similiar to this in https://clan.lol now for a while. Happy to discuss it a bit more. I'm not very fond of the name vars anymore, so maybe a first change could be to come up with a better name :) I'm not sure if this code is working yet, I will try to develop it a bit more in the next coming days, but I wanted to get this out earlier so other people can throw in some feedback already :)

TLATER · April 2, 2025, 5:26pm

So…

I love this and I think will single-handedly solve NixOS’ secrets issues
How can I start using it?

This might be my inexperience with flake-parts, but it doesn’t look like the module is exposed unless I fully buy into clan (not that I dislike it, seems like a cool project, just doesn’t suit my needs):

… unless flake-parts magically includes the default.nix, at which point it looks like it needs other parts of clan to function?

Is it a case of waiting for the PR/forking nixpkgs so I can get in on the action early?