devos/secrets/README.md

19 lines
791 B
Markdown
Raw Normal View History

2021-02-14 03:38:20 +01:00
# Secrets
Secrets are managed using [git-crypt][git-crypt] so you can keep your flake in
a public repository like GitHub without exposing your password or other
sensitive data.
By default, everything in the secrets folder is automatically encrypted. Just
be sure to run `git-crypt init` before putting anything in here.
> ##### _Note:_
> Currently, there is [no mechanism][secrets-issue] in nix to deploy secrets
> within the nix/store so, if they end up in the nix/store after deployment, they
> will be world readable on that machine.
>
> The author of nixflk intends to implement a workaround for this situation in
> the near future, but for the time being, simple be aware of this.
[git-crypt]: https://github.com/AGWA/git-crypt
[secrets-issue]: https://github.com/NixOS/nix/issues/8