research the nix ways to manage secrets instead of parsing usedata.json at startup #37

Open
opened 2023-07-15 01:42:04 +03:00 by alexoundos · 1 comment
Member

The current files.nix specifies jq and sed commands to be run at OS startup in order to parse values and write them to some /var/lib/* and /root/.config/* destinations. This is not reliable and makes reasoning about configuration-runtime conformity more complex.

I expect that userdata.json is only read by nix (at configuration build time).


This commit in #19 did a good job at moving secrets out of /nix/store, though I believe there are better ways.

[The current `files.nix` specifies `jq` and `sed` commands to be run at OS startup in order to parse values and write them to some `/var/lib/*` and `/root/.config/*` destinations](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/src/commit/65b5a1977756549240eae05005d1f6b5feef126d/files.nix#L38). This is not reliable and makes reasoning about configuration-runtime conformity more complex. I expect that `userdata.json` is only read by nix (at configuration build time). --- [This commit](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/commit/c1ed3a5) in #19 did a good job at moving secrets out of /nix/store, though I believe there are better ways.
Owner

Can we close this?

Can we close this?
Sign in to join this conversation.
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: SelfPrivacy/selfprivacy-nixos-config#37
No description provided.