sops-nix
agenix
Our great sponsors
sops-nix | agenix | |
---|---|---|
9 | 10 | |
1,141 | 1,187 | |
- | - | |
9.1 | 7.5 | |
4 days ago | 8 days ago | |
Nix | Nix | |
MIT License | Creative Commons Zero v1.0 Universal |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sops-nix
-
Show me the way to cloud infra
For applications, I think environment variables are great. Especially if you adopt nomad because you could also use vault to populate secrets in. For machines that won't work so you'll need something else like https://github.com/Mic92/sops-nix
-
how to store secrets needed at install time
I've heard good things about and seen sops-nix used on a few really solid configs. Others tend to use Age or Homeage.
-
Nix way to recreate environments including authentication, configuration, etc?
You can use something like sops-nix if you're on NixOS https://github.com/Mic92/sops-nix.
-
Building a highly optimized home environment with Nix
Yeah, I don't know how to manage secrets yet. I've read about sops-nix, but I don't have the slightest clue how to integrate it into my own nix-config.
-
What would make NixOS more secure?
I use sops-nix for that. Secrets are stored encrypted in the store, and decrypted at runtime.
-
What to do...
One think I saw that I don't recommend is to change your password after installing; that's not very reporoducible, use users.users..hashedPassword or users.users..passwordFile with agenix or sops-nix.
- How to handle secrets in NixOS (for Docker container and Systemd Services)?
-
How do you manage your private keys?
So, I did some digging. According to the first Dicourse chat that popped up, it's "not possible". That's not an acceptable answer for me ;). I read through HM's appendix to see if there's a mention of private keys there (there weren't). I also know of SOPS (and sops-nix), but that seems to require an SSH/GPG key to decrypt :D.
-
A guide to build a Raspberry Pi cluster managed by NixOps
If you only need secrets management, there are quite a lot of bolt-on solutions with little overhead which are also agnostic to the form of deployment, like https://github.com/Mic92/sops-nix or https://github.com/ryantm/agenix. Personally for my machines I want unattended reboots, so I just copy all keys to the hard disk and manage secrets solely with file permissions.
agenix
-
password manager solution advice
How about: https://github.com/ryantm/agenix
-
how to store secrets needed at install time
I've heard good things about and seen sops-nix used on a few really solid configs. Others tend to use Age or Homeage.
-
Ask HN: A Better Docker Compose?
I don't have a write-up, just my code in git. But it's not public. I'm not using anything out of the ordinary - Nix containers, modules, and functions, and the Agenix module with uses a private key to decrypt secrets at start. The Nix language is inherently composable. Here are some links that explain:
Containers:
https://nixos.wiki/wiki/NixOS_Containers
Modules:
https://nixos.wiki/wiki/NixOS_modules
Functions:
https://www.reddit.com/r/NixOS/comments/zzstun/please_help_m...
Agenix:
-
ridiculously easy mail server setup with NixOS
For passwords I am using agenix which is also pretty awesome, an alternative could have been sops.nix.
-
What to do...
One think I saw that I don't recommend is to change your password after installing; that's not very reporoducible, use users.users..hashedPassword or users.users..passwordFile with agenix or sops-nix.
-
Understanding nixos secrets management/aws configuration
Answering your broader question (secret management) colmena does that for me outside the Nix store. I also use git-crypt to store secrets in the repo. There are also more Nix-y alternatives like agenix.
-
If you’re not using SSH certificates you’re doing SSH wrong
I feel that trying to make SSH keys short-lived is becoming more painful each year because there's an increase of tools that use SSH keys for purposes other than SSH logins. For example, age [1] encrypts files with SSH keys, agenix [2] does secrets management with it, Git can now sign commits with it [3], and even ssh-keygen can now sign arbitrary data [4]. All of these become useless the moment you start using short-lived keys.
[1]: https://github.com/FiloSottile/age
[2]: https://github.com/ryantm/agenix
[3]: https://calebhearth.com/sign-git-with-ssh
[4]: https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html
-
homeage: declarative runtime decrypted age secrets for home manager
I built this because I try to keep as much as possible outside of my system config but all of the secret managers I found were system only. I had no idea how to solve this until I found RaitoBezarius' awesome pull request to agenix where it all clicked. It also exposed me to the inner workings of home-manager which has definitely made me appreciate it more! I kept this separate from agenix because I am interested only in a module rather than a CLI and thus see it as having a different fit.
-
How do you manage your private keys?
I've been thinking about the same thing. I haven't gotten around to it yet but agenix looked the most promising to me so far
What are some alternatives?
vault-secrets - NixOS tooling for Hashicorp Vault
nixos-config - My NixOS configurations.
digga - A flake utility library to craft shell-, home-, and hosts- environments.
nixos-config - Mirror of https://code.balsoft.ru/balsoft/nixos-config
nixfiles - My NixOS configuration and assorted other crap.
morph - NixOS deployment tool
homeage - runtime decrypted age secrets for nix home manager
packages - Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
pass-import - A pass extension for importing data from most existing password managers
basedconfig - Configuration for servers/workstations