pbb has quit [Read error: Connection reset by peer]
pbb has joined #nixos-systemd
<aanderse> Mic92: thanks for pinging me on this :)
* aanderse reads
<Mic92> aanderse: if you find some points that are unclear, let me know.
<aanderse> Mic92: looking good, seems relatively straightforward to follow :D
<flokli> Mic92: do we really want to default validateSopsFiles to true, and have it in the store by default?
<Mic92> flokli: it's only there if gnupgHome != null
<Mic92> flokli: I find it useful. If you don't want it, you can disable it.
<Mic92> I plan to implement automatic key rotation as well, in which case it's not checked in the future.
<{^_^}> rfcs#59 (by d-goldin, 35 weeks ago, open): [RFC 0059]: Systemd Service Secrets
<{^_^}> systemd/systemd#15778 (by flokli, 10 weeks ago, open): RFE: per-service credentials system
<{^_^}> #93659 (by ju1m, 21 hours ago, open): nixos/security.pass: provisioning GnuPG-protected secrets through the Nix store
<flokli> It'd be nice if those would at least share some of the concepts IMHO
<Mic92> It's orthogonal
<Mic92> The last time I read the rfc it says it does not affect how services are provisioned
<Mic92> *how keys are provisioned
<flokli> the rfc doesn't specify the mechanism, but suggests some NixOS options, doesn't it?
<flokli> and #93659 is an implementation trying to solve things similar to yours, but using pass instead of krops
<Mic92> It uses pass
<Mic92> However, for large deployments sops is probably better suited.
<Mic92> The rfc is almost open for a new and there is still nothing to test.
<Mic92> Ah ok. the poc is based on vault
pbb has joined #nixos-systemd