Ryan Mulligan
Ryan Mulligan
Unless we can come up with some better plan for how to import the files into the NixOS configuration, they need to be encrypted at rest.
Yeah, a diff filter would be good. Sops supports that. https://github.com/mozilla/sops#showing-diffs-in-cleartext-in-git
Cool. It would be nice to have some instructions.
@nrdxp Thanks for adding some docs. Do you know what the minimum version of Yubikey is required or which feature is needed to make it work? I have some Yubikeys...
My Yubikey is way too old. It doesn't even have things called "application"s.
See https://github.com/ryantm/agenix/pull/96#issuecomment-1021814412 for my comments on this.
I agree this is desirable, otherwise it triggers potential path change monitoring unnecessarily. It would still need to decrypt the secret, but it doesn't have to move it into place...
On the one hand this is cool because it would mean one less file and possibly quicker setup. On the other, it means we'd have to evaluate all the nixosConfigurations...
@blaggacao Sorry, I'm not following what you are proposing. Could you write some more about it?
I don't think it will work by default. We'll need to update the module to work with it. This is definitely in scope for this project.