35 lines
1.6 KiB
Markdown
35 lines
1.6 KiB
Markdown
# lithium
|
|
|
|
This is my primary homelab host/NAS, previously powered by TrueNAS Scale/k3s.
|
|
|
|
## Manual Actions
|
|
|
|
Even with fully declarative Nix/Nixpkgs/NixOS at the end of the day there are
|
|
still some actions that need to be taken manually.
|
|
|
|
- secrets configuration for `sops-nix`
|
|
- kanidm user management
|
|
- tailscale auth key
|
|
- jellyfin configuration via web-ui
|
|
|
|
## Secrets and "Private Information"
|
|
|
|
Originally I had used two providers of secrets, `sops-nix` and `git-agecrypt`,
|
|
and the reasoning for that was, with `git-agecrypt` I could directly encrypt an
|
|
entire `.nix` file, and use it to conceal an arbitrary amount of my nix config.
|
|
The #1 thing I was using it for was hiding details about the domain names that
|
|
power various services. I know that's not real security, and domains aren't
|
|
really private, but server logs prove that not including a domain in a GH repo
|
|
means you get dramatically fewer spurious requests.
|
|
|
|
The reason for using `git-agecrypt` against a whole nix file like that was most
|
|
importantly because it allowed me to *just use nix variables*. Compared to the
|
|
invocationss SOPS & `sops-nix` require, it can be a lot more simple for setting
|
|
values like a domain name.
|
|
|
|
Now I'm going all in on `sops-nix` as the exclusive manager of secrets, and
|
|
maintaining a separate flake which contains private nix configuration details.
|
|
There are still issues with this, and now my overall nix config is essentially
|
|
fractured between "flake-A" and "flake-B", which gives me all the same issues
|
|
that any other software project faces with that arrangement. But I dislike
|
|
using `git-agecrypt` even more than I dislike those problems.
|