Building and Privately Caching x86 and aarch64 NixOS Systems with GitHub Actions

In the previous article we walked through how to set up our very own Nix binary cache.

It’s great being able to run attic push system /run/current-system on whichever machine we are currently using, but the chances are that if you use Nix to manage your system configurations, you have a system configuration monorepo, and depending on how many machines and architectures you are targeting, it can quickly become tiresome to manually push to the cache from each of them.

Read more →

Handling Secrets in NixOS: An Overview

There are a number of different approaches available for NixOS users to handle secrets. The most popular tend to be git-crypt, agenix and sops-nix. But which one should you use?

To hopefully help you in answering this question for yourself, here is an overview of a few common use cases and what I think is most appropriate for each.

Managing Your Own Physical Machines

Maybe you have a desktop, a MacBook and a Raspberry Pi which you are managing from a single NixOS flake repo. Maybe you even have a NixOS dedicated server somewhere running in a datacenter which functions as your media server running Plex or Jellyfin.

Read more →

Providing Runtime Secrets to NixOS Services

In my last post, I shared how to get a working instance of Nitter deployed on NixOS, but requested advice on how to best automatically provision the guest_accounts.json runtime secret file on the target server.

A number of folks reached out to me on Mastodon (thanks @[email protected], @[email protected], @[email protected] and @[email protected]!) to suggest that I use agenix to copy encrypted files to the server and decrypt them in non-world-readable directories, and then use systemd’s LoadCredential option to make them available to the nitter service.

Read more →

Hugo on AWS with Terraform

Background

Statically generated blogs have seen a surge in popularity over the past few years, as a more cost-effective and scalable alternative to traditional publishing platforms such as WordPress. A big reason why it took me so long to actually start writing online was uncertainty about the publishing medium I should use.

Ghost appealed to me for a while, but it felt like overkill for what I wanted to achieve. Most of the latter half of 2016 was spent diving into the ever-expanding React ecosystem, and it was during one of those dives that I was first exposed to the idea of statically generated blogs by Gatsby, a static site generator which is built on the React component model. I am definitely a proponent of React. I have used it extensively in both personal projects and professional projects that have provided my income stream for most of the past six months. However, it didn’t take long for me to come to the conclusion that Gatsby, too, was overkill for what I was looking to achieve.

Read more →