There are a number of different approaches available for NixOS users to handle secrets. The most popular tend to be git-crypt, agenix and sops-nix. But which one should you use?
To help you answer this question for yourself, here is an overview of a few common use cases and what I think is most appropriate for each.
Managing Your Own Physical Machines

Maybe you have a desktop, a MacBook and a Raspberry Pi which you are managing from a single NixOS flake repo.
In a previous comment thread someone asked me if I could talk about sops-nix in comparison to agenix, so here is a write-up on the different approaches for handling secrets in NixOS and when I think each of them is appropriate (with lots of example code!)