| 18 Oct 2022 |
 Linux Hackerman | Shyim: only on the machine from which you're deploying | 09:06:01 |
 Shyim | AHHH. cool | 09:06:43 |
| Linux Hackerman | but I think I'll be switching to agenix or sops-nix at some point in the future, partly because this approach is colmena-specific and I'm not sure I want to stick with colmena | 09:06:57 |
| Linux Hackerman | and partly because the secrets are persisted unencrypted on the target machines' disks, which I'd also prefer not to do | 09:07:26 |
| Shyim | I currently join ssh and just do nixos-rebuild so. tbh: I don't care if it's in nix store. I just don't want to have them on Github publicly accessible as my nix files are public :D | 09:08:14 |
| Linux Hackerman | both agenix and sops-nix copy the encrypted secrets to the store as part of the system closure, and they're encrypted to a key that lies on the machine (often the SSH host key) to be decrypted only to a ramfs at runtime | 09:08:37 |
| Linux Hackerman | then again, having both the encrypted secrets and the unencrypted SSH host key on disk isn't much different from having the unencrypted secrets on disk I guess | 09:09:27 |
| Linux Hackerman | the next-level thing would be to add a TPM and measured boot into the setup, but I'm nowhere near getting there lol | 09:10:05 |
 @v:meowy.tech | In reply to @linus:schreibt.jetzt
then again, having both the encrypted secrets and the unencrypted SSH host key on disk isn't much different from having the unencrypted secrets on disk I guess the various permissions on the file also matter, the nix store is world readable but the ssh host key probably isnt | 09:10:16 |
| Linux Hackerman | right, but none of these approaches make the unencrypted secrets world-readable | 09:10:36 |
| Linux Hackerman | that's definitely off the table for me ^^ | 09:10:56 |
| @v:meowy.tech | My setup with a hashicorp vault is probably overkill, but when set up it does work quite nicely I have to say | 09:11:40 |
| Linux Hackerman | I kind of want to have something like that but I also don't want to set it up and maintain it x) | 09:12:05 |
| Shyim | I feel that too xD | 09:12:33 |
| Shyim | more services more pain | 09:12:42 |
