Almost every NixOS tutorial I encounter, be that blog or video, says to use Flakes and Home Manager. While that definitely speaks to the value of these tools, I find myself, instinctually, wanting to avoid them. I’ve attempted to get them working multiple times, and encountered more issues than they solved, for me. I interpret this to mean my knowledge and/or use case of NixOS is not ready for me to use these tools effectively. On top of that, something about a set of files that could all be put into a single unified config appeals to me (which flakes/hm can probably do too, but hopefully you get my vibe).

My reasoning aside, this has made me curious if there is some way for me to “backport” all these configs I encounter into my set of more default-style configs. The primary goal that led me to this is rootless Podman and declaring my containers in the config. If anyone has any guidance or resources you could point me to, it would be much appreciated.

  • Arkhive@piefed.blahaj.zone (OP) · 1 day ago

    I already use Unix pass as my password manager and have a private git server for it. Is there a nice way to get that working with secrets in my config? I know that directly goes against the suggestion of SSH vs GPG, but I’ve already got lots of data saved within that system.

    • Oinks@lemmy.blahaj.zone · 1 day ago

      Unfortunately I don’t think there’s a nice way to do that. You can retrieve secrets from pass (albeit with quite a bit of working around the intended evaluation model), but I don’t see a good way to actually deploy the secrets without just putting the plain text into the Nix store (unless you also use a big server management thing like NixOps, as the author of that blog does, but in the time since the blog was written NixOps has decided people shouldn’t be using it anymore… so it’s a bit of a mess). You’d really want something like sops-nix or agenix for that.

      You can of course decide you don’t care about the secrets being in the Nix store. It “just” means that every local user on the system can read them, as can anyone booting a live USB if the disk isn’t encrypted. And, while this almost certainly isn’t relevant to you right now, if you use the system as a binary cache for other systems, those can get the plaintext secrets too. But you might not actually care about any of these.
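As an added illustration of the two points raised in the thread (declaring Podman containers in a plain, flake-less configuration.nix, and keeping the container's secret out of the Nix store with sops-nix), here is an example configuration. It is not from any poster in the thread or from the sops-nix project; the user name, container name, image tag, `secrets/example.yaml`, the secret key `db_password` and the key file path are all placeholders.

```nix
# Added example, not from the thread. Flake-less configuration.nix that
# declares a Podman-backed container and feeds it a secret through sops-nix.
# Placeholders (assumptions): user "arkhive", container "webapp", the image
# tag, ./secrets/example.yaml, the sops key "db_password", the key file path.
{ config, pkgs, ... }:

let
  # sops-nix fetched without flakes. Pin it: run
  #   nix-prefetch-url --unpack https://github.com/Mic92/sops-nix/archive/master.tar.gz
  # and put the printed hash in sha256 so evaluation is reproducible.
  sops-nix = builtins.fetchTarball {
    url = "https://github.com/Mic92/sops-nix/archive/master.tar.gz";
    # sha256 = "<hash from nix-prefetch-url>";   # fill in after prefetching
  };
in
{
  imports = [ "${sops-nix}/modules/sops" ];

  # Rootless podman for the interactive user: the CLI needs sub-UID/GID
  # ranges, which autoSubUidGidRange allocates.
  virtualisation.podman.enable = true;
  users.users.arkhive = {
    isNormalUser = true;
    autoSubUidGidRange = true;
  };

  # Declared containers. Caveat: this module renders each container into a
  # systemd *system* unit that runs podman as root, so "declared" here does
  # not mean "rootless"; the rootless part above covers the user's own CLI.
  virtualisation.oci-containers.backend = "podman";

  # WEAK (commented out): a literal secret is interpolated into the generated
  # unit file, which lands in /nix/store and is readable by every local user.
  # virtualisation.oci-containers.containers.webapp.environment = {
  #   DB_PASSWORD = "hunter2";
  # };

  # BETTER: the repo holds only sops ciphertext; sops-nix decrypts at
  # activation into /run/secrets (root-owned, mode 0400), outside the store.
  sops = {
    defaultSopsFile = ./secrets/example.yaml;   # encrypted with `sops`, committed
    age.keyFile = "/var/lib/sops-nix/key.txt";   # host private key, never in the repo
    # An existing GPG setup can be used instead of age:
    # gnupg.home = "/var/lib/sops-nix/gnupg";

    secrets.db_password = { };   # value of key "db_password" in example.yaml

    # Render an env file for podman; the placeholder is substituted at
    # activation time, so the plaintext never enters the store either.
    templates."webapp.env".content = ''
      DB_PASSWORD=${config.sops.placeholder.db_password}
    '';
  };

  virtualisation.oci-containers.containers.webapp = {
    image = "docker.io/library/nginx:1.27";   # placeholder image
    ports = [ "127.0.0.1:8080:80" ];
    # The root-run unit reads the rendered file; the container sees the value,
    # but /nix/store only ever holds the path.
    environmentFiles = [ config.sops.templates."webapp.env".path ];
  };
}
```

A quick check after `nixos-rebuild switch`: with the WEAK variant, `grep -rl hunter2 /nix/store` finds the generated unit; with the sops-nix variant it finds nothing, and the value lives only under `/run/secrets/rendered/`, owned by root with mode 0400. The same plaintext-in-store problem applies to any secret you extract from pass at evaluation time, which is why the thread points at sops-nix or agenix rather than a pass-based workaround.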