git-crypt transparently encrypts everything in secrets/ on commit. You can see an example here on my config. To use the encrypted files on another machine, you'll need to git-crypt export your keys and import them on your other machines to make use of the files. If you're already using the devos template you should use the integrated deploy-rs functionality instead of cloning the repo on each machine you manage.
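One practical caveat with the git-crypt approach in the post above is that it only encrypts files whose path is matched by a `filter=git-crypt` rule in `.gitattributes`, so anything under secrets/ that was committed before the rule was added, or that a pattern misses, is stored in plaintext and stays in history. The following added example (not code from the thread or from the git-crypt project) is a small audit that takes stored blob contents plus the repo's `.gitattributes` text and reports paths that should be encrypted but are not. It relies on the git-crypt blob header format (the `\0GITCRYPT\0` magic string followed by a 12-byte nonce); the sample blobs and attribute file are constructed, and the `.gitattributes` parsing is a simplification that ignores negations and macros.

```python
"""Audit stored git blobs under git-crypt-protected paths for plaintext leaks.

Added example, not from the thread or git-crypt itself. Assumes the caller has
already collected the stored (filtered) blob bytes, e.g. the output of
`git cat-file -p HEAD:secrets/foo`, into a dict keyed by repo path.
"""
import fnmatch
import os
from typing import Dict, List

# Encrypted git-crypt blobs begin with this 10-byte magic string, followed by a
# 12-byte nonce and then the AES-CTR ciphertext.
GIT_CRYPT_MAGIC = b"\x00GITCRYPT\x00"
GIT_CRYPT_NONCE_LEN = 12
GIT_CRYPT_HEADER_LEN = len(GIT_CRYPT_MAGIC) + GIT_CRYPT_NONCE_LEN


def is_git_crypt_encrypted(blob: bytes) -> bool:
    """True if the stored blob carries a complete git-crypt header."""
    return len(blob) >= GIT_CRYPT_HEADER_LEN and blob.startswith(GIT_CRYPT_MAGIC)


def git_crypt_patterns(gitattributes: str) -> List[str]:
    """Return the path patterns that .gitattributes routes through git-crypt.

    Simplification (assumption of this example): only lines carrying
    `filter=git-crypt` count; `!filter` negations and attribute macros are ignored.
    """
    patterns = []
    for line in gitattributes.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if "filter=git-crypt" in parts[1:]:
            patterns.append(parts[0])
    return patterns


def path_matches(path: str, pattern: str) -> bool:
    # fnmatch lets '*' match '/', which is close enough to gitattributes'
    # '**' semantics for the common 'secrets/**' style of rule.
    return fnmatch.fnmatchcase(path, pattern)


def audit_blobs(blobs: Dict[str, bytes], gitattributes: str) -> List[str]:
    """Return repo paths that fall under a git-crypt rule but are stored as plaintext."""
    patterns = git_crypt_patterns(gitattributes)
    leaks = []
    for path, data in sorted(blobs.items()):
        protected = any(path_matches(path, p) for p in patterns)
        if protected and not is_git_crypt_encrypted(data):
            leaks.append(path)
    return leaks


# Constructed sample snapshot of a repository; none of this is real secret material.
SAMPLE_GITATTRIBUTES = """\
secrets/** filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
"""

SAMPLE_BLOBS = {
    # Shaped like a real git-crypt blob: magic + 12-byte nonce + ciphertext bytes.
    "secrets/wifi.psk": GIT_CRYPT_MAGIC + bytes(range(GIT_CRYPT_NONCE_LEN)) + os.urandom(32),
    # Committed before the .gitattributes rule existed, so it was stored in the clear.
    "secrets/wg-private.key": b"CONSTRUCTED-PLACEHOLDER-KEY\n",
    # Outside the protected tree; plaintext is expected here.
    "configuration.nix": b"{ config, pkgs, ... }: { }\n",
}

if __name__ == "__main__":
    for leak in audit_blobs(SAMPLE_BLOBS, SAMPLE_GITATTRIBUTES):
        print(f"plaintext stored under a git-crypt path: {leak}")
```

To run this against a real checkout, feed it `git cat-file -p <rev>:<path>` output for each file listed by `git ls-files secrets/`, and repeat for older revisions if you want to know whether a plaintext copy survives in history; git-crypt's own `git-crypt status` command gives a similar per-file report for the current tree.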
So, I did some digging. According to the first Discourse chat that popped up, it's "not possible". That's not an acceptable answer for me ;). I read through HM's appendix to see if there's a mention of private keys there (there wasn't). I also know of SOPS (and sops-nix), but that seems to require an SSH/GPG key to decrypt :D.
I use a custom pass-based hack: https://github.com/balsoft/nixos-config/blob/master/modules/secrets.nix and https://github.com/balsoft/nixos-config/blob/master/modules/secrets-envsubst.nix. My actual GPG key is on my yubi.
My solution - which is not great, mind you - is to have my NixOS config defined across two git repos: one is public, the other is private and has all the secrets.
https://github.com/legendofmiracles/dotnix inside the secrets dir
I use the secrets folder with git-crypt using the devos template
I've been thinking about the same thing. I haven't gotten around to it yet but agenix looked the most promising to me so far