Jul 17, 2022


This week I read:


I felt like fiddling with my NixOS configuration this week, and so I finally got around to implementing proper secrets management, using sops-nix. No longer do I symlink a git repository of plaintext secrets to /etc/nixos/secrets: secrets are now in my config repo directly, encrypted, and only made available to the things which need them.

I was initially worried about key management, as this sort of thing can just be a case of kicking the can down the road: “ok, the secrets are encrypted… but now I have a secret decryption key to distribute instead”. But sops-nix solves that nicely by making it trivial to use your SSH host key as the public key, and so your SSH private key (which is already on the machine) becomes the decryption key.

No need to distribute a separate key, very handy!

It does mean that I’ve introduced a bit of state to my config repo where there wasn’t any before—if I need to change a machine’s SSH host key for whatever reason I need to re-encrypt its secrets—but that’s an acceptable trade-off to not needing a separate mechanism to configuration-as-code the decryption key.
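As an added illustration (not configuration from the post), here is the shape of the arrangement described above: the host's existing ed25519 SSH host key doubles as the age recipient in `.sops.yaml`, and the sops-nix NixOS module decrypts with the private half at activation. The hostname, secret name, service user and the age recipient string are placeholders.

```nix
# .sops.yaml at the root of the config repo (constructed example).
# The age recipient is derived from the host's public SSH key with
#   ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
# so no separate decryption key is generated or distributed.
# If the host key ever changes, swap the recipient here and run
#   sops updatekeys secrets/myhost.yaml
# to re-encrypt the file for the new key.
#
#   keys:
#     - &myhost age1PLACEHOLDER_RECIPIENT
#   creation_rules:
#     - path_regex: secrets/myhost\.yaml$
#       key_groups:
#         - age:
#             - *myhost

# hosts/myhost/secrets.nix: NixOS module consuming the encrypted file.
# Assumes inputs.sops-nix.nixosModules.sops is in this host's module list
# and that the user "example-service" is defined elsewhere in the config.
{ config, ... }:
{
  sops.defaultSopsFile = ../../secrets/myhost.yaml;
  sops.defaultSopsFormat = "yaml";

  # Decrypt with the SSH host private key that is already on the machine.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Each secret is decrypted at activation into /run/secrets/<name>,
  # owned and mode-restricted so only the consuming service can read it.
  sops.secrets.example-token = {
    owner = "example-service";
    mode = "0400";
    restartUnits = [ "example-service.service" ];
  };

  # The service is handed the decrypted file by path; the plaintext never
  # enters the Nix store or the git repository.
  systemd.services.example-service.serviceConfig.LoadCredential =
    "token:${config.sops.secrets.example-token.path}";
}
```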

As part of this, I also switched to a flake-based configuration, which was almost trivially easy and not something I should have put off for as long as I did.