pbb has quit [Read error: Connection reset by peer]
pbb has joined #nixos-systemd
<Mic92> mdlayher: cool!
<mdlayher> Yep yep. Just merged thanks to flokli!
<Mic92> mdlayher: I really need this for some machines that crash in a building I am not allowed to access bc of covid.
<mdlayher> Excellent. I am not surprised that systemd has this functionality but I didn't know about it until just recently, so I figured it would be good to add searchable options to enable that functionality
<Mic92> I knew it before, but I thought that my hardware does not support it.
<Mic92> but apparently I have /dev/watchdog
<Mic92> Next on the list is to write documentation.
<Mic92> And get the CI ready
<mdlayher> Mic92: oooh, Go and Nix secrets management. Nice, these are problems relevant to my interests. What's your plan here?
<Mic92> mdlayher: At the moment it's an ssh key or gpg based secret management with atomic upgrades. It's compatible with all deployment frameworks: nixops/krops/morph/nixos-rebuild. I plan systemd integration to restart/reload changed services and GCP/AWS KMS. Since sops stores data in encrypted json/yaml files it is easy to integrate into version control. Once systemd services are restarted also
<Mic92> automatic key rotation can be implemented.
<mdlayher> Sounds perfect for what I need
<Mic92> mdlayher: I will finish up CI + docs today. Then it should be generally usable.
<mdlayher> Sure thing
<flokli> Mic92: is it possible to handle all this without having it inside the nix store one way or another?
<flokli> as in, can I switch generations back and forth without switching secrets back and forth?
<Mic92> flokli: yes. It's up to you if you add the sops file to the nix store.
<flokli> so how do you detect which units to restart when swapping secrets?
<Mic92> flokli: I have not implemented that yet but the new secrets will be put into a new directory so I can diff them.
<Mic92> It's also put into RAMFS at the moment.
<Mic92> And then check all referenced services before and after nixos has restarted services. There is a monotonic counter I can use for this.
<aanderse> sounds awesome
<{^_^}> #93024 (by flokli, 10 minutes ago, open): lvm: cleanups
<flokli> that was a sunday full of fiddling with low level foo, and rebuilding the world quite often ;-)