diff options
| author | ene <ene@sils.li> | 2023-02-18 22:07:50 +0100 |
|---|---|---|
| committer | ene <ene@sils.li> | 2023-02-18 22:07:50 +0100 |
| commit | 950b02ea003d377ed7bbdb1ce6a8963fd4229068 (patch) | |
| tree | 16e4249731109f8d5020b4fe5be3a677d88664df /home-manager/config/alacritty | |
| parent | Feat(home-manager): Add local packages (diff) | |
| download | nixos-config-950b02ea003d377ed7bbdb1ce6a8963fd4229068.tar.gz nixos-config-950b02ea003d377ed7bbdb1ce6a8963fd4229068.zip | |
Feat: Add encryption through agenix
There are other alternatives:
* [This blog post about NixOs secret encryption](https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20)
* Directly to agenix:
* A [rewrite in rust](https://github.com/yaxitech/ragenix)
* A dead (?) [rewrite in rust](https://github.com/cole-h/agenix-cli)
* An implementation of Sops for nix: [Sops-nix](https://github.com/Mic92/sops-nix)
* See the [NixOs wiki entry](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes) for further options.
Reasons for agenix:
I mostly just ruled other options out, until this was the only real
thing:
* The blog post was created in a time, where tools like agenix where
not available, and it (very simplified) just shows, how to
implement a basic version of agenix
* The rewrite are both in itself interesting, but lack community
support, this is however subject to change, and thus a migration
to a rewrite might be feasible in the future.
* Sops seems like a really nice thing, with support for nearly all
relevant encryption options, but the documentation for sops-nix
seems rather lack-luster for me, so I decided to stay with agenix,
especially because I should not need the extra encryption
options.
* And lastly most of the option on the wiki page need excessive
manual intervention on every reboot (maybe because the were written
with servers in mind), but I would like to be able to deploy once
and then never have to think about secret management.
So you see, I mostly just used what seemed to be the easiest for my
situation right now, and agenix works rather well. If there weren't one
big downside, I would really like it: Encrypting a file with age — which
is what agenix uses under the hood — requires a key, which in the case
of agenix is the public ssh key. Being asymmetric encryption, the
decryption requires the private key, which is in my case stored in an
ssh-agent, feed directly from KeepassXC. And this is where the problem
lives, I want to be able to decrypt the secrets (obviously), and this
only works if I copy the private key to a file, which, whilst being a
manual process, completely breaks the point behind using an ssh-agent
with KeepassXC integration in the first place.
There are however open Issues on both the rage an agenix issue
trackers, so the hope of fixing this is still there.
Diffstat (limited to 'home-manager/config/alacritty')
0 files changed, 0 insertions, 0 deletions