
Nix-rage β Nix way to store private info inside config
nix-rage
nix-rage is an age/rage-based tool for managing encrypted configuration files within the Nix ecosystem. Unlike agenix or sops-nix, it is not designed for the secure handling of passwords, tokens, and similar credentials. Its purpose is to hide personal information in public repositories: if you want to share your fancy Nix config but do not want to disclose your home address or your "secret" email, this is the tool for you.
Strongly inspired by oddlama's article "Evaluation time secrets in Nix: Importing encrypted nix files".
[!WARNING]
The nix-rage package is currently in an unstable development phase and is not recommended for use in sensitive configurations.
Features
- Seamless Integration: Integrate encrypted configuration files directly within your Nix configuration.
- Simplicity: No need to preconfigure your repository with external tools (like git-crypt).
- Security: Manage sensitive configuration values without exposing them in plaintext to the public.
Installation
You need to add a plugin-files entry to your nix.conf (~/.config/nix/nix.conf or /etc/nix/nix.conf):
# with nix-env:
plugin-files = /home/YOURUSERNAMEHERE/.nix-profile/lib/libnix_rage.so
# with cargo build:
plugin-files = /path/to/repo/target/debug/libnix_rage.so
# inside nix config:
plugin-files = ${pkgs.nix-rage}/lib/libnix_rage.so
Nix Flake example:
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
    nix-rage.url = "github:renesat/nix-rage";
    nix-rage.inputs.nixpkgs.follows = "nixpkgs";
    #...
  };
  outputs = { self, nixpkgs, nix-rage, ... }: {
    nixosConfigurations = {
      myhostname = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          {
            # Load the nix-rage evaluator plugin so builtins.importAge is available
            nix.extraOptions = let
              nix-rage-package = nix-rage.packages."x86_64-linux".default;
            in ''
              plugin-files = ${nix-rage-package}/lib/libnix_rage.so
            '';
          }
          #...
        ];
      };
    };
  };
}
Build From Source
Clone the repository and build nix-rage locally:
git clone https://github.com/renesat/nix-rage.git
cd nix-rage
# Using nix
nix build
# Using cargo
cargo build
Usage
First, create the secret config, secret.nix:
{
  mySecretEmail = "[email protected]";
  #...
}
Now encrypt secret.nix using age:
age --encrypt -r <AGE-KEY> secret.nix -o secret.nix.age
Now we can use this file in our config (the plugin decrypts it at evaluation time with the identity file(s) given in the list):
{...}:
let
  secrets = builtins.importAge [ ./secret-key ] ./secret.nix.age {};
in {
  some.config.parameters.email = secrets.mySecretEmail;
}
Also, you can read other (non-Nix) files as a string:
{...}:
let
  secretConfig = builtins.readAgeFile [ ./secret-key ] ./secret.toml.age {};
in {
  #...
}
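The workflow above only hides your personal details if the two files that must never reach the public repository, the age identity (./secret-key) and the plaintext secret.nix, actually stay out of the tree. The following script is an added example, not part of nix-rage, that audits a config checkout for exactly those two mistakes before you push: any file that begins with the age identity marker, and any plaintext sibling of a .age ciphertext. The directory layout, file names and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of nix-rage): pre-push audit for a config repo that
# keeps personal data in *.age files. It flags
#   1. an age identity (secret key) file anywhere in the tree, and
#   2. a plaintext file left next to its encrypted sibling (secret.nix beside
#      secret.nix.age), which would publish the value the ciphertext hides.
# Layout and names are assumptions for illustration; file names with spaces
# are not handled.

# audit_rage_tree DIR -> prints findings, returns 0 if clean, 1 otherwise
audit_rage_tree() {
  dir="$1"
  bad=0

  # 1. age identities start with "AGE-SECRET-KEY-1"; grep -l lists offenders.
  #    "|| true" keeps a no-match exit status from tripping "set -e".
  ids=$(find "$dir" -type f -exec grep -l '^AGE-SECRET-KEY-1' {} + 2>/dev/null || true)
  if [ -n "$ids" ]; then
    echo "age identity file(s) in tree:"
    echo "$ids"
    bad=1
  fi

  # 2. for every ciphertext, the plaintext it was made from must not exist
  for enc in $(find "$dir" -type f -name '*.age'); do
    plain="${enc%.age}"
    if [ -e "$plain" ]; then
      echo "plaintext next to ciphertext: $plain"
      bad=1
    fi
  done

  return "$bad"
}

# make_sample_tree -> prints the path of a constructed temp tree with a
# leaking ("bad") and a clean ("good") checkout. Key and ciphertext contents
# are placeholders, not real age output.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/bad" "$root/good"
  # bad: identity and plaintext both sit beside the ciphertext
  printf 'AGE-SECRET-KEY-1PLACEHOLDERNOTAREALKEY\n' > "$root/bad/secret-key"
  printf '{ mySecretEmail = "me@example.invalid"; }\n' > "$root/bad/secret.nix"
  printf 'age-encryption.org/v1\n(ciphertext placeholder)\n' > "$root/bad/secret.nix.age"
  # good: only the ciphertext is in the tree
  printf 'age-encryption.org/v1\n(ciphertext placeholder)\n' > "$root/good/secret.nix.age"
  echo "$root"
}

# Demo run on the constructed tree
root=$(make_sample_tree)
audit_rage_tree "$root/bad" || echo "bad tree: NOT safe to push"
audit_rage_tree "$root/good" && echo "good tree: clean"
rm -rf "$root"
```

Run it as `audit_rage_tree /path/to/your/config` from a pre-push hook or CI job; a non-zero exit means something that should stay private is sitting in the tree. It is a cheap guard, not a substitute for keeping the identity file outside the repository in the first place.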
Contributing
Contributions are welcome! Feel free to open issues or submit pull requests on GitHub.
Related software
You might also be interested in:
License
nix-rage is licensed under the MIT License. See the LICENSE file for more information.