NixOS and Secrets
Summary
The article reviews NixOS secrets management options (sops-nix and agenix), discusses risks of secrets exposure and related CVEs, and provides guidance on secure configurations (using tmpfs, avoiding plaintext in repos). It weighs ergonomics and trade-offs, ultimately recommending agenix for simple setups and sops-nix for complex secret bundles, with a note on post-quantum considerations.