mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00
277: drop warning on tmpfs for XDG_RUNTIME_DIR r=Mic92 a=Mic92



Co-authored-by: Jörg Thalheim <joerg@thalheim.io>
bors[bot] 2023-02-21 06:10:47 +00:00 committed by GitHub
commit 2c5828439d
GPG key ID: 4AEE18F83AFDEB23


@ -740,8 +740,7 @@ sops-nix also provides a home-manager module.
This module provides a subset of features provided by the system-wide sops-nix since features like the creation of the ramfs and changing the owner of the secrets are not available for non-root users.
Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`.
And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets`.
**Since the secrets are decrypted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` to avoid storing secrets in plain text on persistent storage. Linux distributions using systemd-logind do that out-of-the-box.**
And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets` that is located on a tmpfs or similar non-persistent filesystem.
Depending on whether you use home-manager system-wide or using a home.nix, you have to import it in a different way.
This example show the `channel` approach from the example [Install: nix-channel](#nix-channel) for simplicity, but all other methods work as well.
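Review bot: the added line turns a recommendation into an unconditional statement: the removed line said a tmpfs for `$XDG_RUNTIME_DIR` is "highly recommended" and that distributions using systemd-logind provide one out of the box, while the new line asserts that `$XDG_RUNTIME_DIR/secrets` "is located on a tmpfs or similar non-persistent filesystem". On a system without systemd-logind, or where the user points `XDG_RUNTIME_DIR` at a directory on persistent storage, that guarantee does not hold and the decrypted secrets would land on disk. Suggest softening to "which is normally located on a tmpfs or similar non-persistent filesystem" or keeping a one-line note that users on non-logind setups should check where their runtime directory lives. Also, the hunk header reads `@ -740,8 +740,7 @@` with a single leading `@`; if that is not just extraction damage, the patch will not apply cleanly.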