Great video as always! To me, the difficulty with nix has always been that there are too many ways of doing the same thing, so when I try to do something, I can look at the documentation, the source code, other people's configs, etc. Everyone does the same things in different ways. This means that having your bite-size videos is extremely useful, as you make them very modular, so even though my config is already a sprawling mess of nix files, imports etc., I can always just add your stuff without any problems!
This video is incomplete as are many others. This excess complexity is unfortunately why NixOS is and always will be an esoteric obscurity. The configuration is so appalling that the user-base is limited to people with way too much free time. This means that there will be very few users and thus documentation never gets past the rudimentary.
@abbcc555 skill issue
@abbcc555 I kind of disagree about the free time part. Sure, it is more work upfront, if you are oblivious to nix(os) stuff, but once you have a working config (and honestly that's pretty easy given how many configs you can find online) it's a whole lot easier to tinker around than with say, Arch.
While documentation is quite bad, there is quite a lot of third party guides that explain things pretty well and from what I've experimented the community is eager to answer/help.
Just today I was beginning to set up sops-nix, this timing couldn't be any better! Thank you!!
Awesome video! I was wondering if you could also make one about yubikeys and/or TPMs. Both provide a nice layer of security in addition to sops-nix. And if the generated keys are in sops, it doesn't matter if the private key is cracked, since you still need the Key/TPM to fully utilize it. Kinda like a passphrase in hardware!
This video is still my go-to way to have a refresher on sops-nix! way clearer than the documentation on that project lol
I need a bit more explanations than this like a more traditional tutorial, but this is the only video about secrets management on nix 😅
I was just looking at this yesterday. Thx for the vid.
Love it. I just followed these instructions to store my VPN credentials and deploy them into an OpenVPN configuration.
YOUR VIDEOS ARE GOLD
The production quality sure is improving really fast!
Thank you - great video!! I have a question regarding t=96s where you add sops.age.keyFile to configuration.nix... If I am creating a configuration.nix to be shared and ultimately deployed on a different server/machine, the reference to the keyfile will be public (which should be fine). However, I do not believe it is discussed how the target server/machine is to get the keyfile (private age key) so that it can decrypt the details. Do you mind sharing or pointing me in the right direction of how you would do this?
I guess the easiest way is to just put it there with ssh
Is there a way to have a secret with multiple lines? In my case, I'm trying to make an environment file with multiple environment variables. If I do a YAML multi-line string, Sops seems to replace the newlines with spaces when it decodes the secret.
This is gold! Thank you! 🙌
what if I want to just use my password to decrypt secrets?
is there any way to use sops-nix for let's say git email for example? I've been searching for days and I found no other way around except running nixos with a --impure flag
The only thing I haven't been able to do with sops is to define hosts file. networking.hosts (not sure about the name, writing from a phone) requires a list and there isn't any other way like "hostsFile" or something like we have for ssh-config, for example. Simply setting a path for sops secret to /etc/hosts doesn't work for me.
Any ideas on how to implement this?
Not sure really
I don't know what I am doing wrong but I can't get past creating the secrets file at the 2 minutes point. When I run sops secrets.yaml and try to save the file I get the error "No master keys were provided, so sops can't encrypt the file. Press a key to return to the editor, or Ctrl+C to exit."
A separate like for the red-and-black Easter egg :)
In general, thank you very much for the content; your channel was the main reason I switched to NixOS, and I haven't regretted it one bit!
I wish the channel growth and prosperity; may everything go only well!
When I have the financial means, I'll chip in a few hryvnias for a coffee or something stronger :)
Thank you :)
I was just looking into this! Thanks
At 2:02 you run sops command. Which at that point is not yet available. Should that be just added to systemPackages or just work just with rest of the configuration being done first?
Also at 2:44 you are using "inputs" already inside "inputs"? For me this just generates building error: `"sops-nix" is a thunk while a ....` but omitting it works though.
unfortunately these are very sloppy videos which miss a lot of the details
If you hadn't figured out already, most other guides suggest running the sops command using "nix-shell -p" or "nix shell." (edit: specifically the command would be something like `nix-shell -p sops --run "sops secrets.yaml"`.) I agree this should have been specified, but also, running ad-hoc commands without permanently installing is one of the main benefits of running nix and nixos, so I can see how he'd forget that's not obvious.
Are you going to cover other methods of secret management with Nix?
Maybe
How scalable are secrets? For example, if I have 10 programs which require user and password details, can I use secrets on all of them to save me having to authenticate each one? Or do you need to rely on each program creating an API for the secret?
Nix is a programming language, so your secrets are as scalable as you want them to be. Just create simple functions to decrease amount of boilerplate, and create as many secrets as you wish in just a couple of lines.
@vimjoyer I am still struggling with how I tell each app what secret to use. From my understanding, the particular package on nix needs to expose some 'password' field, e.g. `programs.postman = { password = config.sops.secrets; };` This means very few packages will have the ability to declaratively authenticate as they won't have the 'password' field.
Just FYI: age is pronounced "ah-gay", because the name comes from Latin. "Age" in Latin is a command spoken to another person to "act"/"go". Here's a good example: th-cam.com/video/GYGXYYOp4as/w-d-xo.html
Didn't know, thanks!
YOU! SAVE MY DAY!!!
Your channel covers amazing topics and has good production quality.
But still from all the videos I have seen over the years yours are some of the most difficult to follow, learn from, or reproduce.
I am not sure if it's your presentation style or if I just don't know enough about the Nix language yet.
Thank you for your honest criticism. I already know how to work with Nix, and it's hard for me to highlight those hard-to-follow moments, so if you have difficulties with any part I'd love to hear about it to pay more attention in future vids.
Edit: spelling
❤
Awesome!!!
Make one complete setup of hyprland with necessary packages on nixos
If you are using a new microphone, it sounds great!
It's the same one, but I was recording after work, so my voice might sound a bit tired. That could actually be the reason
Why not agenix?
Agenix is great too
great conrent
great commrent
@2:02 sops: command not found. again a broken tutorial
Learn the concept then read the manual
Or use Ubuntu 😂
@yukendhiran8043 Neither of your suggestions provides the sops command.
install sops 😂 sops-nix “helps” to use sops with nixos not replacing them
@kexec. I haven't found a working guide yet on how to install it.