<DanielEbbert[m]>
How do you deal with secrets in configuration files? Given that you would like to have those configuration files available somewhere public in version control.
<patagonicus>
I don't have any in my home-manager configuration, but for a few NixOS systems where the system config is in git, I have them in a directory called secrets that's in .gitignore. That directory is then copied to /etc/secrets/ and the configs just reference the paths there, without it being added to the nix store.
Reventlov has joined #home-manager
<nf>
DanielEbbert[m]: sops-nix
<DanielEbbert[m]>
<nf "Daniel Ebbert: sops-nix"> That seems pretty cool. I'll give it a try.
<piegames>
DanielEbbert[m]: You need to distinguish between "secrets" that you don't want to share publicly vs "secrets" that you don't want to have in your Nix store.
<DanielEbbert[m]>
Okay, that might be a newbie question. I get why I wouldn't want some `secrets` publicly available. But why would I not want something in my local Nix store?
<Reventlov>
because the nix store is world-readable: any user can read it
<Reventlov>
so, if some service gets compromised, it can access the secret from all of the store. If some user wants to take a look, it can
<DanielEbbert[m]>
Oh, I did not know that yet. Good to know. Thanks for the explanation!
<DanielEbbert[m]>
I'm the only user on my system so I don't have to worry about other users but the point about compromised services still applies.
<{^_^}>
nixpkgs#24288 (by basvandijk, 3 years ago, open): Provide options for storing secrets outside the Nix store
<Reventlov>
DanielEbbert[m]: same, and as my drive is encrypted, I do not care about this. But it's something to have in mind.
<DanielEbbert[m]>
<Reventlov "Daniel Ebbert: same, and as my d"> Mine is encrypted as well.
<patagonicus>
Reventlov: drive encryption is sort-of orthogonal to world readable files. It protects from someone reading the drive directly, without going through your OS, but at that point they can also just ignore any permissions on the file system. But if they get non-root access to your OS, drive encryption doesn't help, but permissions can.
<Reventlov>
patagonicus: it does matter because I can store secrets in files instead of having to type them each time
<Reventlov>
(files, including the store, which I would not do if my drive was not encrypted)
<patagonicus>
Just saying that it helps with different threat models. I also encrypt everything (minus stuff needed for booting, obviously).
<Reventlov>
of course. On my desktop, I assume everything pretty much runs as my user, and as soon as something is compromised for me, it's game over anyway, that's why I can still sleep at night for this :p
<piegames>
You don't need some compromised service for leaking out of the Nix store. Just think of all the remote builders and cache substitutions.
<piegames>
It is easy to lose control over what is built where, and accidentally build a derivation containing secrets on a remote machine.
<Reventlov>
well remote building is somehow some advanced thing that not everyone uses
<piegames>
Reventlov: Sure. Until they want to try it out, but forget about all those secrets.
ohhaimark[m] has joined #home-manager
<ohhaimark[m]>
I'm trying to use _module.args to pass my flake inputs into home-manager modules, to no avail. Is anyone privy to this dark magic?
<ohhaimark[m]>
This is one of my attempts. However, this leads to infinite recursion when trying to resolve `input` as an argument to a home-manager module.
<piegames>
I've set `nixpkgs.config.allowUnfree = true;` in my hm-config, yet rebuilding fails due to a nonfree package
<piegames>
`nixpkgs.config.allowUnfreePredicate`, as suggested by the error message, does not work either. `NIXPKGS_ALLOW_UNFREE=1` however does
<piegames>
siraben: I don't pin all my nixpkgs, I have 20.09 as a channel. I pin unstable and nightly and use them to overwrite specific packages using an overlay.
<piegames>
siraben: Yep, does for me as well, thx.
<siraben>
No problem. I guess I didn't know that the unfree configuration should be done where pkgs is imported.
<piegames>
Though I'm not really happy about the solution because this means that I have to manage my nixpkgs *per machine* if I want to allow unfree packages per machine.
<siraben>
you should be able to specify this in another Nix expression that can be shared across machines.
thibm has quit [Quit: WeeChat 2.6]
<evanjs>
Am I doing something wrong or should services.lorri.enable "Just work" on e.g. Arch with nix+home-manager?
<evanjs>
currently getting e.g. " ... error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I) ..."
<evanjs>
NIX_PATH and everything seems fine. I rebooted after installing lorri, blablabla
<evanjs>
And `lorri daemon` seems to work okay outside of systemd