Secrets

Secrets are managed using git-crypt so you can keep your flake in a public repository like GitHub without exposing your password or other sensitive data.

By default, everything in the secrets folder is automatically encrypted. Just be sure to run git-crypt init before putting anything in here.

Note:

Currently, there is no mechanism in nix to deploy secrets within the nix/store so, if they end up in the nix/store after deployment, they will be world readable on that machine.

The author of nixflk intends to implement a workaround for this situation in the near future, but for the time being, simple be aware of this.