feat: remove git-agecrypt / semi-secret-vars
This commit is contained in:
Jay Looney
parent
fa53235842
commit
2d3168d438
5 changed files with 19 additions and 22 deletions
|
|
@ -7,20 +7,29 @@ This is my primary homelab host/NAS, previously powered by TrueNAS Scale/k3s.
|
|||
Even with fully declarative Nix/Nixpkgs/NixOS at the end of the day there are
|
||||
still some actions that need to be taken manually.
|
||||
|
||||
- secrets configuration (both for SOPS and git-agecrypt semi-secrets)
|
||||
- secrets configuration for `sops-nix`
|
||||
- kanidm user management
|
||||
- tailscale auth key
|
||||
- jellyfin configuration via web-ui
|
||||
|
||||
## Semi-Secrets
|
||||
## Secrets and "Private Information"
|
||||
|
||||
`semi-secret-vars.nix` is using [git-agecrypt](https://github.com/vlaci/git-agecrypt)
|
||||
and following a pattern I discovered here:
|
||||
- https://github.com/nyawox/arcanum/blob/4629dfba1bc6d4dd2f4cf45724df81289230b61a/var/README.md
|
||||
- https://github.com/vlaci/git-agecrypt
|
||||
Originally I had used two providers of secrets, `sops-nix` and `git-agecrypt`,
|
||||
and the reasoning for that was, with `git-agecrypt` I could directly encrypt an
|
||||
entire `.nix` file, and use it to conceal an arbitrary amount of my nix config.
|
||||
The #1 thing I was using it for was hiding details about the domain names that
|
||||
power various services. I know that's not real security, and domains aren't
|
||||
really private, but server logs prove that not including a domain in a GH repo
|
||||
means you get dramatically fewer spurious requests.
|
||||
|
||||
Essentially there are some details I won't want exposed in the repository, but
|
||||
I do want them available to all my nix modules. The main one being the domain.
|
||||
The reason for using `git-agecrypt` against a whole nix file like that was most
|
||||
importantly because it allowed me to *just use nix variables*. Compared to the
|
||||
invocationss SOPS & `sops-nix` require, it can be a lot more simple for setting
|
||||
values like a domain name.
|
||||
|
||||
While it's not really a secret in the way a password is, consider this effort a
|
||||
mitigation against ddos attacks and automated requests and login attempts.
|
||||
Now I'm going all in on `sops-nix` as the exclusive manager of secrets, and
|
||||
maintaining a separate flake which contains private nix configuration details.
|
||||
There are still issues with this, and now my overall nix config is essentially
|
||||
fractured between "flake-A" and "flake-B", which gives me all the same issues
|
||||
that any other software project faces with that arrangement. But I dislike
|
||||
using `git-agecrypt` even more than I dislike those problems.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue