
There's a Nix way to read a secret from a file. I'm not sure if it still ends up in the Nix store that way, but at least it's not in the config file, so your VCS is clean.


Typically with NixOS, you'll have systemd or a wrapper script read the secret from a file into an environment variable for the service that needs the secret. This secret file would be stored in `/var/lib` or similar, outside the Nix store. There isn't really a "Nix" way, just a pattern used in various places in NixOS.
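
The pattern described in the comment above, as an added example that is not part of the original thread: a NixOS module with the store-leaking form commented out beside the file-based form. The service name `myapp`, the variable `API_TOKEN` and the path `/var/lib/secrets/myapp.env` are assumptions made for illustration.

```nix
{ config, pkgs, ... }:
{
  # Weak form (left commented out): the literal is written into the generated
  # unit file, which lives in the world-readable /nix/store, and it also sits
  # in the configuration that gets committed to version control.
  # systemd.services.myapp.environment.API_TOKEN = "constructed-example-token";

  systemd.services.myapp = {
    description = "Hypothetical service that needs API_TOKEN";
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # Quoted string on purpose: only the path text reaches the unit file.
      # A Nix path literal used in string interpolation would be copied into
      # the store, secret included.
      # Assumption: the file is created out of band, outside the store, with
      # restrictive permissions, and contains a line such as API_TOKEN=...
      EnvironmentFile = "/var/lib/secrets/myapp.env";

      # Stand-in for the real program: refuses to start without the secret
      # and never prints its value.
      ExecStart = pkgs.writeShellScript "myapp-start" ''
        if [ -z "$API_TOKEN" ]; then
          echo "API_TOKEN not set; check the environment file" >&2
          exit 1
        fi
        echo "myapp started with a token of ''${#API_TOKEN} characters"
        exec ${pkgs.coreutils}/bin/sleep infinity
      '';

      Restart = "on-failure";
    };
  };
}
```

After a rebuild, `systemctl cat myapp.service` shows what actually landed in the store: the `EnvironmentFile=` path should be there and the token value should not.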


I know NixOps has a way to handle keys without putting them in the store and without having to do some out-of-band file management:

https://nixops.readthedocs.io/en/latest/overview.html#managi...



