sshine a day ago

Great tutorial.

I never accepted the idea of committing encrypted secrets to a public git repository.

So when you publish your Nix infrastructure repositories (which there are many good reasons to do), having actual secrets in them this way seems insufficient.

Alternatively, one can put their secrets in a separate flake input that is inaccessible from the public. Since I cannot have a flake input that is conditional and have nixosModules that are enabled based on whether that conditional input is available, I have to publish configuration that can only be evaluated by me, or come up with some other way to dynamically use sops-nix.

While sops-nix is the most ergonomic secrets management I've found in Nix, I'm tempted to simply go with HashiCorp Vault and sacrifice the idea of self-containedness so that my secrets can live under management outside of my Nix config, and so that programs and services that depend on secrets will retrieve them at runtime.

  • Mic92 a day ago

    Technically sops-nix doesn't require sops files to be added to the repo. It's just what most people choose because it makes deployment convenient; if you have your deployment tool uploading sops files, that would be a way around it. I have also heard of people using private flake inputs. You may find https://github.com/numtide/systemd-vaultd useful if you go the vault route.
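Both approaches discussed in the thread, the private flake input for secrets (sshine) and a sops file uploaded by the deployment tool rather than committed (Mic92), look like this in a flake. This is an added example written for this page, not code from the thread or from the sops-nix project; the repository URL, host name, secret name and owning user are assumed placeholders.

```nix
# flake.nix: a public infrastructure flake whose secrets are kept out of it.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # Option A: a private, non-flake input that holds only the
    # sops-encrypted secrets.yaml. Anyone without read access to this
    # repository cannot evaluate the flake, which is the trade-off
    # described above. URL is a placeholder.
    secrets = {
      url = "git+ssh://git@example.invalid/me/nix-secrets.git";
      flake = false;
    };
  };

  outputs = { self, nixpkgs, sops-nix, secrets, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        sops-nix.nixosModules.sops
        ({ config, ... }: {
          # Option A: read the encrypted file from the private input.
          # The ciphertext is copied into the Nix store, but it stays
          # encrypted there; only the host's key can decrypt it.
          sops.defaultSopsFile = "${secrets}/secrets.yaml";

          # Option B: the deployment tool copies secrets.yaml to the host
          # out of band, so it is in neither the repo nor the store.
          # Because the file is absent at evaluation time, the
          # evaluation-time validation must be switched off.
          #   sops.defaultSopsFile = "/var/lib/sops-nix/secrets.yaml";
          #   sops.validateSopsFiles = false;

          # Decrypt with the machine's SSH host key converted to age,
          # so no separate key material has to be distributed.
          sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

          # One secret, materialised at /run/secrets/wireguard_key at
          # activation time and readable only by the owning user
          # (the secret name and user are assumed for the example).
          sops.secrets.wireguard_key = {
            owner = "systemd-network";
            mode = "0400";
          };
        })
      ];
    };
  };
}
```

With option A the public flake still evaluates only for people who can fetch the private input, exactly the limitation sshine raises; with option B the flake evaluates for everyone, and the decision of which hosts get which secrets moves into the deployment tooling. In both cases the plaintext only ever exists under /run/secrets on the target host.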