sops-nix VS nixpkgs

For applications, I think environment variables are great. Especially if you adopt nomad because you could also use vault to populate secrets in. For machines that won't work so you'll need something else like https://github.com/Mic92/sops-nix

I've heard good things about and seen sops-nix used on a few really solid configs. Others tend to use Age or Homeage.

You can use something like sops-nix if you're on NixOS https://github.com/Mic92/sops-nix.

Yeah, I don't know how to manage secrets yet. I've read about sops-nix, but I don't have the slightest clue how to integrate it into my own nix-config.

I use sops-nix for that. Secrets are stored encrypted in the store, and decrypted at runtime.

One think I saw that I don't recommend is to change your password after installing; that's not very reporoducible, use users.users..hashedPassword or users.users..passwordFile with agenix or sops-nix.

So, I did some digging. According to the first Dicourse chat that popped up, it's "not possible". That's not an acceptable answer for me ;). I read through HM's appendix to see if there's a mention of private keys there (there weren't). I also know of SOPS (and sops-nix), but that seems to require an SSH/GPG key to decrypt :D.

If you only need secrets management, there are quite a lot of bolt-on solutions with little overhead which are also agnostic to the form of deployment, like https://github.com/Mic92/sops-nix or https://github.com/ryantm/agenix. Personally for my machines I want unattended reboots, so I just copy all keys to the hard disk and manage secrets solely with file permissions.

I don't think so. The article is probably intended for the Nix community, so the author doesn't need to convince HN that something is going on. If as an outsider you are interested then you need to look into it yourself, the community has no obligation to make their internal conflicts legible to the outside world.

As an outsider myself, it certainly looks like something is going on as more than 20 Nixpkg maintainers left in a week: https://github.com/NixOS/nixpkgs/issues?q=label%3A%228.has%3...

https://github.com/NixOS/nixpkgs/commits?author=neon-sunset

I see two signers in the top 6 displayed on https://github.com/NixOS/nixpkgs/graphs/contributors

For a single file script, nix can make the package management quite easy: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-f...

For example,

```

Yes, Nix doesn't actually ensure that the builds are deterministic. In fact it works just fine if they aren't. There are packages in nixpkgs that aren't reproducible: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aiss...

I'm not familiar with Bazel, but Nix in it's current form wouldn't have solved this attack. First of all, the standard mkDerivation function calls the same configure; make; make install process that made this attack possible. Nixpkgs regularly pulls in external resources (fetchUrl and friends) that are equally vulnerable to a poisoned release tarball. Checkout the comment on the current xz entry in nixpkgs https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/comp...

NixOS uses a monorepo and I think everyone's love it.

I love being able to easily grep through all the packages source code and there's regularly PRs that harmonizes conventions across many packages.

Nixpkgs doesn't include the packaged software source code, so it's a lot more practical than what Debian is doing.

https://github.com/NixOS/nixpkgs

In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].

[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...

[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...