How I manage secrets in my Guix home config
I use guix home to manage my configuration files. Naturally, there are certain files that shouldn't be publicly accessible, like my SSH and GPG secret keys. So, how do I manage those files? There are certainly more elegant ways to deal with this, but I choose the lazy option and just encrypt a tarball.
First, I define the paths to include in the tarball by setting the argument list in set-encrypt-files.sh, which the other scripts source:

set -- \
    cancername-git-config-service.scm \
    cancername-ssh-config-service.scm \
    cancername-gpg-config-service.scm \
    git \
    gpg \
    ssh
Then, I use two small scripts to create and unpack the encrypted tarball. Both run under guix shell so that dash, age, tar and zstd are available; git is not listed because guix shell without --pure keeps the regular PATH. The encryption script uses age with my public key as the recipient, so it can run without the secret key present:

#! /usr/bin/env -S guix shell dash age tar zstd -- dash
# -*- mode: sh -*-
set -xeu
# sets "$@" to the list of paths that go into the tarball
. ./set-encrypt-files.sh
# archive, compress, then encrypt to the age public key
tar c "$@" | zstd | age -r age1shvrllx330ylxgahlwehxc6yt099qrjsdcnz6f4lq27qaqgcrdus6yjphn >secret.tar.zst.age
git add secret.tar.zst.age
git commit -m 'update secrets'

The decryption script takes the path to the age identity file as its only argument; that identity file is the one thing that must never be committed alongside the tarball:

#! /usr/bin/env -S guix shell dash age tar zstd -- dash
# -*- mode: sh -*-
set -xeu
# capture the identity file before sourcing, because "set --" replaces "$@"
key_file="$1"
. ./set-encrypt-files.sh
# decrypt, decompress, and extract only the listed members
age --decrypt -i "$key_file" <secret.tar.zst.age | zstd -d | tar x "$@"

One caveat of committing the encrypted tarball: every revision of it stays in the git history, so if the age identity ever leaks, all past versions of the secrets are readable. Rotating the age key alone does not help with that; the keys inside the tarball have to be rotated too.
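As an added example that is not part of the original post: a few POSIX sh pre-flight checks worth running before the encryption script above builds and commits the tarball. They reuse the "$@" convention of set-encrypt-files.sh, but take the paths as function arguments so they can be exercised on a throwaway directory. The function names and the requirement that the gpg and ssh directories be mode 700 are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks for the
# secret tarball: path sanity, key-directory permissions, and a listing of
# what "tar c" would actually archive, all before anything is encrypted.
set -eu

# Reject paths that would make "tar x" restore outside the home config
# directory (absolute paths, ".." components) and paths that do not exist.
# Returns 1 on the first bad path, 0 if every path is acceptable.
check_paths() {
    for p in "$@"; do
        case "$p" in
            /*)
                printf 'absolute path not allowed: %s\n' "$p" >&2
                return 1 ;;
            ..|../*|*/..|*/../*)
                printf '".." component not allowed: %s\n' "$p" >&2
                return 1 ;;
        esac
        [ -e "$p" ] || { printf 'missing path: %s\n' "$p" >&2; return 1; }
    done
}

# Directories holding key material should be mode 700 (assumed policy): gpg
# refuses to use a group/world-accessible homedir, and ssh ignores keys under a
# permissive directory, so catching this here avoids a broken restore later.
# Non-directories are skipped. Returns 1 on the first directory with a
# different mode.
check_private_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c %a "$d" 2>/dev/null || stat -f %Lp "$d")
        case "$mode" in
            700) ;;
            *)
                printf 'expected mode 700 on %s, got %s\n' "$d" "$mode" >&2
                return 1 ;;
        esac
    done
}

# Print the members "tar c" would put in the archive, one per line. Whole
# directories like gpg/ and ssh/ drag in everything beneath them (old keys,
# backups, random_seed), and once encrypted and committed they stay in the
# git history forever, so the list is worth a look before each update.
list_members() {
    tar cf - "$@" | tar tf -
}

# Usage from the home config directory, assuming set-encrypt-files.sh as on
# this page:
#   . ./set-encrypt-files.sh
#   check_paths "$@" && check_private_dirs gpg ssh && list_members "$@"
```

Run the three functions from the encryption script before the `tar c` line; because the script uses `set -e`, a failing check stops it before anything is encrypted or committed.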
After it is unpacked, I can load the files into my home config. Only secret.tar.zst.age is committed; the unpacked plaintext files stay untracked.

(load "cancername-gpg-config-service.scm")
(load "cancername-ssh-config-service.scm")
(load "cancername-git-config-service.scm")