
How I manage secrets in my Guix home config

I use guix home to manage my configuration files. Naturally, some of those files shouldn't be publicly accessible, such as my public and secret keys. So how do I manage those files? There are certainly more elegant ways to deal with this, but I choose the lazy option and just encrypt a tarball.

First, in set-encrypt-files.sh, I define the paths to include in the tarball by setting the shell's argument list; both scripts below source this file.

set -- \
    cancername-git-config-service.scm \
    cancername-ssh-config-service.scm \
    cancername-gpg-config-service.scm \
    git \
    gpg \
    ssh

Then I use two small scripts: the first creates the encrypted tarball with age and my public key and commits it, the second decrypts it with the matching key file and unpacks it.

#! /usr/bin/env -S guix shell dash age tar zstd -- dash
# -*- mode: sh -*-
# Encrypt: pack the paths from set-encrypt-files.sh, compress, encrypt to my
# age public key, and commit only the encrypted file.
set -xeu

. ./set-encrypt-files.sh

tar c "$@" | zstd | age -r age1shvrllx330ylxgahlwehxc6yt099qrjsdcnz6f4lq27qaqgcrdus6yjphn >secret.tar.zst.age

git add secret.tar.zst.age
git commit -m 'update secrets'

#! /usr/bin/env -S guix shell dash age tar zstd -- dash
# -*- mode: sh -*-
# Decrypt: takes the path to my age identity (key) file as its only argument.
# The key file is read before sourcing the list, because `set --` replaces "$@".
set -xeu

key_file="$1"

. ./set-encrypt-files.sh

age --decrypt -i "$key_file" <secret.tar.zst.age | zstd -d | tar x "$@"
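As an added check that is not part of the original post: before running the encrypt script, it is worth confirming that none of the plaintext paths from set-encrypt-files.sh is tracked by git, so that only secret.tar.zst.age ever reaches the repository. The git ls-files listing in the block is a constructed sample; in a real checkout you would pipe the output of `git ls-files` into the function.

```shell
#!/bin/sh
# Added check, not part of the original post: refuse to proceed if any of the
# plaintext secret paths is tracked by git. Only secret.tar.zst.age should be.

# tracked_secrets SECRET_PATH...
# Reads a `git ls-files` listing on stdin and prints every tracked path that
# is one of the given secret paths or lies beneath a secret directory.
# Returns 0 when nothing leaked, 1 when at least one path matched.
tracked_secrets() {
    found=0
    while IFS= read -r path; do
        for secret in "$@"; do
            secret="${secret%/}"          # "ssh/" and "ssh" mean the same
            case "$path" in
                "$secret"|"$secret"/*)
                    printf '%s\n' "$path"
                    found=1
                    break ;;
            esac
        done
    done
    return "$found"
}

# Constructed sample of `git ls-files` output (not a real repository): two
# plaintext files under the secret directories were staged by mistake.
SAMPLE_TRACKED='README.org
secret.tar.zst.age
ssh/config
gpg/private-keys-v1.d/example.key'

# Runs the check on the sample with the same path list as set-encrypt-files.sh.
check_sample() {
    printf '%s\n' "$SAMPLE_TRACKED" | tracked_secrets \
        cancername-git-config-service.scm \
        cancername-ssh-config-service.scm \
        cancername-gpg-config-service.scm \
        git gpg ssh
}

# Real use from the repository root, before running the encrypt script:
#   . ./set-encrypt-files.sh
#   git ls-files | tracked_secrets "$@" && echo "no plaintext secrets tracked"
```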

After it is unpacked, I can load the files into my home config.

(load "cancername-gpg-config-service.scm")
(load "cancername-ssh-config-service.scm")
(load "cancername-git-config-service.scm")