| 21 Aug 2021 |
6aa4fd | read-sensitive, sorry | 03:09:40 |
matthewcroughan - nix.zone | I disagree, what are you thinking of? | 03:09:51 |
matthewcroughan - nix.zone | I mean, you can put it there yourself, but you'd be mad to. | 03:10:00 |
6aa4fd | so do you use environment variables instead? | 03:10:18 |
matthewcroughan - nix.zone | I use agenix which stores secrets encrypted in the store. | 03:10:36 |
matthewcroughan - nix.zone | https://github.com/MatthewCroughan/nixcfg/commit/add19ff13691d39b0da7f1601f1d3299a05d986f | 03:10:57 |
matthewcroughan - nix.zone | example of some usage | 03:10:59 |
matthewcroughan - nix.zone | https://github.com/MatthewCroughan/nixcfg/commit/2d0b2a11a9bfd3a2d831fd13715c1bb16e191ef7 | 03:11:10 |
matthewcroughan - nix.zone | a second example of some usage | 03:11:13 |
6aa4fd | okay, maybe nix-sops or this will save the day | 03:11:50 |
matthewcroughan - nix.zone | The secrets are then decrypted in the activation script, to /run/secrets with the correct permissions | 03:11:52 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de "okay, maybe nix-sops or this will save the day": yeah, writing secrets to the nix store isn't really a problem, unless we assume people are dumb and will do it anyway | 03:12:14 |
6aa4fd | but if we are talking about nixos/nixpkgs itself, it is no bueno | 03:12:15 |
matthewcroughan - nix.zone | which happens with basically anything and everything else, can't account for those darn users. | 03:12:22 |
6aa4fd | sure, the users are dumb to use the secret configuration fields provided by the upstream modules | 03:12:51 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de "but if we are talking about nixos/nixpkgs itself, it is no bueno": That is fair. There is no secret management native to Nix, but agenix is pretty good. | 03:12:54 |
dash | having a single global namespace for storage was a decision that made sense in the 70s, but we can do better now | 03:13:05 |
6aa4fd | someone else is dumb or at least not writing their modules for production | 03:13:07 |
6aa4fd | which is ok, it is a labor of love | 03:13:14 |
6aa4fd | but agenix has sub 100 commits, and I don't think it had any a few months ago | 03:13:29 |
matthewcroughan - nix.zone | In reply to @washort:greyface.org "having a single global namespace for storage was a decision that made sense in the 70s, but we can do better now": Not sure about that. The nix store is world readable by design, I don't see how you'd make the situation better by having granular permissions. | 03:13:37 |
6aa4fd | I don't think you'll meet anyone well qualified who will put that in front of a user regularly | 03:13:51 |
matthewcroughan - nix.zone | You simply encrypt certain things in the nix store, that's the best possible solution. | 03:13:50 |
dash | matthewcroughan - nix.zone: "permissions" are a leftover from old designs too | 03:13:53 |
matthewcroughan - nix.zone | Because they need to be encrypted at rest anyway! | 03:13:57 |
matthewcroughan - nix.zone | There is no situation in which unix permissions are going to help any of this. | 03:14:08 |
matthewcroughan - nix.zone | You're going to store it unencrypted in git, and then rely on the nix store perms? | 03:14:21 |
matthewcroughan - nix.zone | My secrets need to be in git. Nix store permissions won't help me keep that safe. | 03:14:30 |
dash | matthewcroughan - nix.zone: how did you think agenix worked? | 03:14:37 |
matthewcroughan - nix.zone | In reply to @washort:greyface.org "matthewcroughan - nix.zone: how did you think agenix worked?": That's when decrypted. | 03:14:47 |