this post was submitted on 14 Nov 2023
2 points (100.0% liked)
Nix
10 readers
1 users here now
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I treat secrets like dependency injection: You don't make a thing that knows how to connect to the database / knows a secret / knows how to get a secret. Instead, you make a thing that takes an argument that is a database connection / secret. You bind late — at execution time. This keeps things very simple and needs no special frameworks / libraries / secrets-tools.
Concrete example:
In demo.nix:
Use:
and the VM logs:
Isn't sops / agenix basically the same thing except instead of you manually putting the secret in foo/secret it's stored encrypted in the Git repo and then it automatically decrypts it at execution time into /var/wherever?
No?
I've spent a significant amount of time over the past two weeks evaluating the differences and pros/cons between agenix and sops-nix. And a bit of time looking over your wall of text.
The reality is that your thinking/comic is completely backwards.