| .. | ||
| secrets | ||
| services | ||
| configuration.nix | ||
| default.nix | ||
| hardware.nix | ||
| README.md | ||
lithium
This is my primary homelab host/NAS, previously powered by TrueNAS Scale/k3s.
Manual Actions
Even with fully declarative Nix/Nixpkgs/NixOS at the end of the day there are still some actions that need to be taken manually.
- secrets configuration for
sops-nix - kanidm user management
- tailscale auth key
- jellyfin configuration via web-ui
Secrets and "Private Information"
Originally I had used two providers of secrets, sops-nix and git-agecrypt,
and the reasoning for that was, with git-agecrypt I could directly encrypt an
entire .nix file, and use it to conceal an arbitrary amount of my nix config.
The #1 thing I was using it for was hiding details about the domain names that
power various services. I know that's not real security, and domains aren't
really private, but server logs prove that not including a domain in a GH repo
means you get dramatically fewer spurious requests.
The reason for using git-agecrypt against a whole nix file like that was most
importantly because it allowed me to just use nix variables. Compared to the
invocationss SOPS & sops-nix require, it can be a lot more simple for setting
values like a domain name.
Now I'm going all in on sops-nix as the exclusive manager of secrets, and
maintaining a separate flake which contains private nix configuration details.
There are still issues with this, and now my overall nix config is essentially
fractured between "flake-A" and "flake-B", which gives me all the same issues
that any other software project faces with that arrangement. But I dislike
using git-agecrypt even more than I dislike those problems.