Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

Symlink credentials to /run/credstore #275

Open TLATER opened 1 year ago

TLATER commented 1 year ago

As of somewhat recently (documentation for this exists since a commit from 10 months ago, time flies), systemd supports loading credentials from /run/credstore for its LoadCredentials feature.

It would be really cool if sops-nix would put credentials there, so that systemd's more granular secret management can be used instead of having to set permissions for the full system runtime with sops-nix.

It would also be cool to be able to just deploy the credentials in their still-encrypted state, so that systemd can worry about decrypting them at the right time, but I'm not sure sops-nix is the right project for this.

Mic92 commented 1 year ago

I think the only change required for this is the symlink path here: https://github.com/Mic92/sops-nix/blob/1da7257baa1d6801c45d9d3dedae7ce79c0e6498/modules/sops/default.nix#L123

Mic92 commented 1 year ago

This would not include more advanced features such as TPM2 encrypted secrets as for this we would need to extend the sops format...
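Added example (not code from the sops-nix project or from either commenter): one way to get a single sops-nix secret into /run/credstore with the options that exist today, so a service receives it through LoadCredential= instead of needing read access to /run/secrets. It assumes a secrets.yaml with a key myservice-token, that sops.secrets.<name>.path creates the parent directory of the symlink it places, and a hypothetical package pkgs.myservice that takes a --token-file argument.

```nix
# Added example (not from sops-nix): wire one sops-nix secret into systemd's
# credential store and consume it via LoadCredential= in an unprivileged unit.
# Assumptions: ./secrets.yaml contains "myservice-token"; sops-nix creates the
# parent directory for a custom `path`; pkgs.myservice is hypothetical.
{ config, pkgs, ... }:
{
  sops.defaultSopsFile = ./secrets.yaml;

  # Decrypted by sops-nix at activation; the file stays root-owned, 0400.
  # The symlink lands in /run/credstore, one of the directories systemd
  # searches when LoadCredential= is given a bare ID rather than a path.
  sops.secrets.myservice-token = {
    path = "/run/credstore/myservice-token";
    mode = "0400";
    restartUnits = [ "myservice.service" ];
  };

  systemd.services.myservice = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      # Transient unprivileged user: it never gets access to /run/secrets or
      # /run/credstore. systemd (as root) copies the credential into a private
      # $CREDENTIALS_DIRECTORY readable only by this service.
      DynamicUser = true;
      LoadCredential = [ "myservice-token" ];
      # %d expands to the credentials directory; passing a file path keeps the
      # token out of the environment and the command line (ps, /proc/<pid>).
      ExecStart = "${pkgs.myservice}/bin/myservice --token-file=%d/myservice-token";
    };
  };
}
```

Check after a switch with `ls -l /run/credstore` (root-only symlink) and, inside the unit, `systemd-run -P -p LoadCredential=myservice-token cat '${CREDENTIALS_DIRECTORY}/myservice-token'` is not needed: `systemctl show -p LoadCredential myservice.service` confirms the wiring without printing the secret.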