Secret Management on NixOS with sops-nix
Posted 4 months ago. Active 4 months ago.
Source: michael.stapelberg.ch (Tech, story)
Key topics: NixOS, Secret Management, sops-nix, Infrastructure Security
The post discusses using sops-nix for secret management on NixOS, and the discussion revolves around the trade-offs of committing encrypted secrets to a public repository versus keeping them separate.
Snapshot generated from the HN discussion
Discussion activity: light.
Key moments
- Story posted: Aug 24, 2025 at 4:03 AM EDT
- First comment: Aug 25, 2025 at 4:56 PM EDT (2d after posting)
- Peak activity: 2 comments in the 36-39h window after posting
- Latest activity: Aug 25, 2025 at 5:16 PM EDT
HN ID: 45002308 (story). Last synced: 11/18/2025, 12:04:07 AM
I never accepted the idea of committing encrypted secrets to a public git repository.
So when you publish your Nix infrastructure repositories (which there are many good reasons to do), having actual secrets in them this way seems insufficient.
Alternatively, one can put their secrets in a separate flake input that is inaccessible from the public. Since I cannot have a flake input that is conditional and have nixosModules that are enabled based on whether that conditional input is available, I have to publish configuration that can only be evaluated by me, or come up with some other way to dynamically use sops-nix.
While sops-nix is the most ergonomic secrets management I've found in Nix, I'm tempted to simply go with HashiCorp Vault and sacrifice the idea of self-containedness so that my secrets can live under management outside of my Nix config, and so that programs and services that depend on secrets will retrieve them at runtime.
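One way around the problem this comment raises (a flake input cannot be made conditional), shown as an added example that is not part of the original post or of this comment: keep the encrypted file out of the public tree and gate every sops-nix option on its presence with builtins.pathExists, so the published configuration still evaluates without it and the consuming service only ever learns a runtime path under /run/secrets. The file location ./secrets/secrets.yaml, the example-service user and unit, and the secret name are assumptions for illustration; the sops-nix NixOS module is assumed to be imported already.

```nix
# Added example, not code from the original post or the HN commenter.
# Assumptions: the sops-encrypted YAML lives at ./secrets/secrets.yaml in the
# private checkout only, "example-service" is a hypothetical consumer, and
# sops-nix's NixOS module is already imported (e.g. from inputs.sops-nix).
{ config, lib, pkgs, ... }:

let
  secretsFile = ./secrets/secrets.yaml;
  # False on a public clone that lacks the private material, so evaluation
  # still succeeds there; true on the author's machine, where sops-nix is on.
  haveSecrets = builtins.pathExists secretsFile;
in
{
  # Every sops option is guarded, otherwise defaultSopsFile would point at a
  # missing path and evaluation would fail on the public copy.
  sops = lib.mkIf haveSecrets {
    defaultSopsFile = secretsFile;
    # Decrypt with the host's SSH key converted to age: nothing extra to ship.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # A slash in the name maps to the nested YAML key
    # example-service: api-token: ... and to /run/secrets/example-service/api-token.
    secrets."example-service/api-token" = {
      owner = "example-service"; # only this user may read the plaintext
      mode = "0400";
    };
  };

  users.users.example-service = lib.mkIf haveSecrets {
    isSystemUser = true;
    group = "example-service";
  };
  users.groups.example-service = lib.mkIf haveSecrets { };

  # The unit is handed the runtime path and reads the plaintext when it
  # starts; nothing decrypted ever enters the Nix store or the repository.
  systemd.services.example-service = lib.mkIf haveSecrets {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "example-service";
      # Stand-in for a real daemon: it only checks the secret is readable.
      ExecStart = "${pkgs.writeShellScript "example-service" ''
        test -r ${config.sops.secrets."example-service/api-token".path}
      ''}";
    };
  };
}
```

Two caveats when using this shape: under flakes only git-tracked files are copied into the store, so the YAML has to be tracked in the private checkout (a private submodule or an untracked-but-referenced path: flake are the usual ways to keep it out of the public history), and the host's age recipient, derived from its SSH host key, must already be listed in the .sops.yaml creation rules or sops-nix will fail to decrypt at activation. The plaintext exists only on the tmpfs under /run/secrets with the owner and mode given above, which is the property the runtime-retrieval approach (Vault) also aims for.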