Secret management and deployment (current good enough :grin: practices)?

[con-f-use]

I know this is a broad topic and there is no one way to skin this cat. It would be nice though to hear from veteran nix user what the current widely-used ways are to get secrets to deployed machines. Basically, I'd like an entry point for people who feel lost or overwhelmed with secret management, so they understand the issues and options better and can navigate their way to what is a good option for them.

Loose points:

• Why is it hard to do on NixOS?
• Why do NixOS and deploy tools not have a built-in option for secret management and secret deployment?
• Some NixOS modules don't play nice when secrets are not specified at build-time, any workarounds?
• On single user systems it's probably okay if secrets end up in nix store (though not ideal), right?
  • This one goes a little too deep: Even if it is encrypted, if something (by accident) ends up on a binary cache / substitutor, we have a problem with forward security if the encryption method ever becomes breakable because the secret text might also live long enough there and retain it's value. Is there a solution for secret rotation?
• How can you double-check (absolutely make sure) your secret doesn't end up in the store?
• Some solutions, I've come across: systemd.LoadCredential (docs PR), sops-nix, agenix, vault-secrets
• The last one is a bit "cloud solution-y". Cloud secret delivery is a whole different Pandora's Box, but if there's time, could you talk about that, too?

[con-f-use]

To anyone reading this, we got exactly to the systemd.LoadCredential(s) part in nix hour 24 and were able to resolve the issues seen there off-camera, resulting in this gem: https://github.com/tweag/nix-hour/tree/master/24 . We learned a bit about how systemd services signal their readiness and how their permissions to do so are managed.

The rest of the topic might show up in future nix hours, though Silvan said he's not an expert and is thus a bit reluctant.

[infinisil]

This is a nice page! https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

[0x4A6F]

Some information is also collected here open for improvement.

[infinisil]

I think this is reasonably covered in a recent blog post: https://discourse.nixos.org/t/handling-secrets-in-nixos-an-overview-git-crypt-agenix-sops-nix-and-when-to-use-them/35462

Since I don't know too much about this myself, I'll consider this satisfactory for now