by aliasxneo 562 days ago
> Private Registry, No Problem

Minor nit: configuration is not the hard part. The hard part is getting "/root/registry-password.txt" onto the NixOS machine in the first place. I mean, you could just scp it I guess, but why spend hours tuning a NixOS config that requires you to manually do stuff in the end?

I'm aware of all of the NixOS "secret management" methods out there but I found none of them satisfying back when I was still using NixOS.

3 comments

If you're on e.g. AWS or GCP, you can pull them from the cloud's IAM service. If you're on Kubernetes, you can use k8s secrets. If you have e.g. Vault you can use that.

It's really only deploying on unmanaged servers where this comes around, but it's also somewhat of a hard problem. Like you don't (or shouldn't) bake secrets into disk/VM/container images, so once you're no longer building on some managed layer then you do have to figure out bootstrapping yourself.

You can also use something like agenix or sops-nix to deploy the secrets encrypted to the machine in the system closure.
These are a little chicken-and-egg as you need the system's host key for that. If you want to use a signed host key, you need to deploy that; otherwise, if you just let it generate a host key, you're in TOFU territory.
I don't really feel like bootstrapping is that much work, since you usually need that public key to deploy the whole clojure anyway.

Also, SCPing the file over is bad for reproducibility.
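Added example of the sops-nix approach described in the comment above (not code from the thread or from the sops-nix project): the registry password stays encrypted in the repository and is decrypted at activation with the machine's SSH host key, so only the host's public key has to be obtained out of band. The secrets file path and the hostname are placeholders.

```nix
# configuration.nix fragment (constructed example; placeholder paths/hostname)
{ config, pkgs, ... }:
{
  # sops-nix module, channel-style import (use the flake input instead if you use flakes)
  imports = [ <sops-nix/modules/sops> ];

  # secrets/registry.yaml is encrypted with sops(1) for two age recipients listed
  # in .sops.yaml:
  #   - the admin's key, so the file can be edited:  ssh-to-age < ~/.ssh/id_ed25519.pub
  #   - the host's key:  ssh-keyscan -t ed25519 HOSTNAME | ssh-to-age
  # The second command is the bootstrapping step: either the host key was provisioned
  # ahead of time (e.g. a signed key), or you are trusting it on first use (TOFU).
  sops.defaultSopsFile = ./secrets/registry.yaml;   # placeholder path

  # Decrypt with the host's own SSH key at activation; no private key goes into the closure.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # The decrypted secret is written under /run/secrets and linked to the path the
  # registry login expects, readable by root only.
  sops.secrets."registry-password" = {
    path = "/root/registry-password.txt";
    owner = "root";
    mode = "0400";
  };
}
```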

It’s finally happened, people are typo’ing closure as clojure, instead of the other way around!

For the topic at hand, isn’t this always a problem with deployment systems? You need to have the secret somewhere after all. In my case I only ever use nix for personal systems, so I feel totally justified just storing my ssh key as a secret in yadm.

Yeah I agree it's manual but it takes about 5 minutes to SCP the password onto the machine.

I have some playbooks I set up for creating a new machine. All in all it takes about 10 min to get it up and running. Maybe not instant, but at the moment I don't need anything else.