Skip to content(if available)orjump to list(if available)

HN

The Therac-25 Incident

thedailywtf.com

Claude for Chrome

Gemini 2.5 Flash Image

developers.googleblog.com

Dissecting the Apple M1 GPU, the end

Scientist exposes anti-wind groups as oil-funded. Now they want to silence him

Light pollution prolongs avian activity

GNU Artanis – A fast web application framework for Scheme

Chinese astronauts make rocket fuel and oxygen in space

livescience.com

Bypass PostgreSQL catalog overhead with direct partition hash calculations

Rv, a new kind of Ruby management tool

The man with a Home Computer (1967) [video]

Uncomfortable Questions About Android Developer Verification

commonsware.com

Reverse Engineered Raspberry Pi Compute Module 5

One universal antiviral to rule them all?

cuimc.columbia.edu

stratechery.com

Neuralink 'Participant 1' says his life has changed

Denmark summons top US diplomat over alleged Greenland influence operation

Japan has opened its first osmotic power plant

theguardian.com

SpaCy: Industrial-Strength Natural Language Processing (NLP) in Python

Show HN: Regolith – Regex library that prevents ReDoS CVEs in TypeScript

Why do people keep writing about the imaginary compound Cr2Gr2Te6?

A teen was suicidal. ChatGPT was the friend he confided in

Cascata delle Marmore

en.wikipedia.org

iOS 18.6.1 0-click RCE POC

Secret Management on NixOS with sops-Nix

Secret Management on NixOS with sops-Nix

3 comments

·August 24, 2025

sshine

Great tutorial.

I never accepted the idea of committing encrypted secrets to a public git repository.

So when you publish your Nix infrastructure repositories (which there are many good reasons to do), having actual secrets in them this way seems insufficient.

Alternatively, one can put their secrets in a separate flake input that is unaccessible from the public. Since I cannot have a flake input that is conditional and have nixosModules that are enabled based on whether that conditional input is available, I have to publish configuration that can only be evaluated by me, or come up with some other way to dynamically use sops-nix.

While sops-nix is the most ergonomic secrets management I've found in Nix, I'm tempted to simply go with HashiCorp Vault and sacrifice the idea of self-containedness so that my secrets can live under management outside of my Nix config, and so that programs and services that depend on secrets will retrieve them at runtime.

Mic92

Technically sops-nix doesn't require sops files to be added to the repo. It's just what most people choose because it makes deployment convenient - if you have your deployment tool uploading sops files that would be a way around. I have also heard people using private flake inputs. You may find https://github.com/numtide/systemd-vaultd useful if you go the vault route

null

[deleted]