This is a proof of concept of using multiple nix stores to isolate private data.
The main idea is to show that this can be done with existing mechanisms; the one missing piece is the ability to reference paths across different nix stores without additional transformations.
1. The application's private configuration is evaluated with nix-build into a separate "ephemeral" nix store, without nixpkgs or stdenv, and the resulting store paths are written to an "index" file.
2. The contents of the "ephemeral" nix store are serialised into a NAR-like file.
3. The NAR-like file is encrypted with a key that is also known to the compute node that runs the application, but not to the build host (the host holding the software nix store).
4. The NixOS module references the NAR-like file (adding it to the "big" store), the code that knows how to decrypt it at runtime and, optionally, the names of the private files.
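The four steps above as one shell script. This is an added illustration, not the repository's Makefile or build-secrets.sh, and it makes several assumptions: Nix 2.x with the `--store local?root=DIR` chroot store (so the ephemeral store keeps /nix/store as its logical prefix and the index entries import unchanged on the compute node), `openssl` for the encryption step, an index format of one store path per line, the file names `sproxy-config.nix` and `private.key`, and a configuration expression whose derivations use only builtins.

```shell
#!/bin/sh
# Added example, not the repository's own build-secrets.sh. Assumptions:
# Nix 2.x (for --store local?root=DIR), openssl, and a config expression that
# evaluates to derivations built from builtins only (no nixpkgs/stdenv).
set -eu

# Step 1: build the private configuration into a separate ("ephemeral") store
# rooted at $root and record the output paths, one per line, in the index file.
# A chroot store keeps /nix/store as the logical prefix, so the paths written to
# the index are the same strings the compute node sees after import.
build_ephemeral() {
  expr=$1 root=$2 index=$3
  nix-build --store "local?root=$root" --no-out-link "$expr" > "$index"
}

# Step 2: serialise the closure of every indexed path with nix-store --export
# (a NAR per path plus its references, readable by nix-store --import).
export_closure() {
  root=$1 index=$2 out=$3
  xargs nix-store --store "local?root=$root" -qR < "$index" \
    | xargs nix-store --store "local?root=$root" --export > "$out"
}

# Step 3: encrypt the export with a key the compute node holds but the build
# host's store never contains. openssl enc is used for portability; AES-CBC
# gives confidentiality only, not integrity (see the note below the script).
encrypt_nar() {
  in=$1 keyfile=$2 out=$3
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" -in "$in" -out "$out"
}

decrypt_nar() {
  in=$1 keyfile=$2 out=$3
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$in" -out "$out"
}

# Sanity check shared by build and import: every index entry must be a
# /nix/store path and must be present in the physical store directory $store
# ($root/nix/store on the build host, /nix/store on the compute node).
check_index() {
  index=$1 store=$2
  while IFS= read -r p; do
    case $p in
      /nix/store/*) ;;
      *) echo "check_index: $p is not a /nix/store path" >&2; return 1 ;;
    esac
    [ -e "$store/${p##/nix/store/}" ] \
      || { echo "check_index: $p not present in $store" >&2; return 1; }
  done < "$index"
}

# Build host: steps 1-3, leaving only the ciphertext and the index behind.
build_all() {
  expr=$1 keyfile=$2 work=$3
  build_ephemeral "$expr" "$work/ephemeral" "$work/index"
  check_index "$work/index" "$work/ephemeral/nix/store"
  export_closure "$work/ephemeral" "$work/index" "$work/private.nar"
  encrypt_nar "$work/private.nar" "$keyfile" "$work/private.nar.enc"
  rm -f "$work/private.nar"   # the plaintext export never enters the big store
  echo "$work/private.nar.enc $work/index"
}

# Compute node: step 4 at runtime. nix-store --import must run as root or a
# trusted user, because the exported paths carry no signatures.
import_private() {
  enc=$1 keyfile=$2 index=$3
  tmp=$(mktemp)
  decrypt_nar "$enc" "$keyfile" "$tmp"
  nix-store --import < "$tmp" > /dev/null
  rm -f "$tmp"
  check_index "$index" /nix/store
}

case ${1:-} in
  build)  build_all "${2:-./sproxy-config.nix}" "${3:-./private.key}" "$(mktemp -d)" ;;
  import) import_private "$2" "$3" "$4" ;;
  '')     ;;   # no subcommand: only define the functions
  *)      echo "usage: $0 build [config.nix] [keyfile] | import nar.enc keyfile index" >&2; exit 2 ;;
esac
```

Two caveats a deployment would need to address: the key has to reach the compute node by some channel other than the nix store (otherwise the build host can read it too), and `openssl enc` with CBC detects neither tampering nor key substitution, so an authenticated scheme (age, or an AEAD mode) is preferable in anything beyond a proof of concept.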
For (1), (2) and (3) see sproxy-config.nix and Makefile (which references build-secrets.sh).
For (4) see nixos-module.nix.
For an additional example of inter-store references see internix.nix.