| 21 Aug 2021 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de "okay, maybe nix-sops or this will save the day": yeah, writing secrets to the nix store isn't really a problem, unless we assume people are dumb and will do it anyway | 03:12:14 |
6aa4fd | but if we are talking about nixos/nixpkgs itself, it is no bueno | 03:12:15 |
matthewcroughan - nix.zone | which happens with basically anything and everything else, can't account for those darn users. | 03:12:22 |
6aa4fd | sure, the users are dumb to use the secret configuration fields provided by the upstream modules | 03:12:51 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de "but if we are talking about nixos/nixpkgs itself, it is no bueno": That is fair. There is no secret management native to Nix, but agenix is pretty good. | 03:12:54 |
dash | having a single global namespace for storage was a decision that made sense in the 70s but we can do better now | 03:13:05 |
6aa4fd | someone else is dumb or at least not writing their modules for production | 03:13:07 |
6aa4fd | which is ok, it is a labor of love | 03:13:14 |
6aa4fd | but agenix has sub 100 commits, and i don't think it had any a few months ago | 03:13:29 |
matthewcroughan - nix.zone | In reply to @washort:greyface.org "having a single global namespace for storage was a decision that made sense in the 70s but we can do better now": Not sure about that. The nix store is world readable by design, I don't see how you'd make the situation better by having granular permissions. | 03:13:37 |
6aa4fd | i don't think you'll meet anyone well qualified who will put that in front of a user regularly | 03:13:51 |
matthewcroughan - nix.zone | You simply encrypt certain things in the nix store, that's the best possible solution. | 03:13:50 |
dash | matthewcroughan - nix.zone: "permissions" are a leftover from old designs too | 03:13:53 |
matthewcroughan - nix.zone | Because they need to be encrypted at rest anyway! | 03:13:57 |
matthewcroughan - nix.zone | There is no situation in which unix permissions are going to help any of this. | 03:14:08 |
matthewcroughan - nix.zone | You're going to store it unencrypted in git, and then rely on the nix store perms? | 03:14:21 |
matthewcroughan - nix.zone | My secrets need to be in git. Nix store permissions won't help me keep that safe. | 03:14:30 |
dash | matthewcroughan - nix.zone: how did you think agenix worked? | 03:14:37 |
matthewcroughan - nix.zone | In reply to @washort:greyface.org "matthewcroughan - nix.zone: how did you think agenix worked?": That's when decrypted. | 03:14:47 |
6aa4fd | In reply to @matthewcroughan:defenestrate.it "Because they need to be encrypted at rest anyway!": encryption is a type of granular permission, and by the way you need granular r/w permissions to handle the keys that the permitted users decrypt their files with | 03:14:54 |
matthewcroughan - nix.zone | Encrypting things at rest is the answer. Permissions for files inside the store, to me, doesn't make sense. | 03:15:09 |
matthewcroughan - nix.zone | Because the files you're managing these perms for, need to be stored outside of Nix. | 03:15:27 |
matthewcroughan - nix.zone | * Because the files you're managing these perms for, need to be stored outside of Nix in a proper way | 03:15:30 |
matthewcroughan - nix.zone | so the whole thing is external to nix, in nature. | 03:15:35 |
matthewcroughan - nix.zone | * so the whole problem is external to nix, in nature. | 03:15:38 |
matthewcroughan - nix.zone | * Because the files you're managing these perms for, need to be stored outside of Nix in a proper way too | 03:15:58 |
matthewcroughan - nix.zone | If these files need to be encrypted outside of Nix, in a git repository for example (which they absolutely do), then you may as well handle it outside of Nix in the first place. Nix providing functionality for you to manage the perms for these files is a little bit silly IMO. | 03:16:57 |
matthewcroughan - nix.zone | If secrets were 100% generated and kept within a running NixOS system, sure, but they're not. | 03:17:17 |
6aa4fd | maybe in a limited way, but in reality until there is in-tree support for read-sensitive information in your derivation, you cannot put it in front of end users and expect to keep your job | 03:17:34 |
6aa4fd | it is just a nice experiment or hobby project until then. which is what nix was in the first place, so not really a knock | 03:18:03 |