Hello! I would like to use some purchased fonts, but encrypt them using agenix or sops-nix. Is it currently possible to specify a font directory of sorts, or is there any advice you can give me on how to manage these fonts between machines without resorting to a private repository? Since agenix and sops-nix don't support build-time secrets, I can't build the font packages either. Thank you kindly for the help, and sorry if this sounds confusing! I'll clarify however I can if asked.
Replies: 1 comment 3 replies
I use agenix, but IIRC sops-nix works essentially the same.

Essentially, because the Nix store is world-readable, decrypting secrets inside Nix expressions is unacceptable. Instead, the encrypted secrets should be written to the Nix store and applications read run-time decrypted files outside the Nix store at run time. Practically, the agenix daemon decrypts secrets into

In other words, unless applications support reading values from the filesystem, this is impossible at the Nix level without compromising security.

Unless all Stylix modules happen to support this, Stylix can only support some applications, resulting in confusing behavior. It might be better to consider this out-of-scope for Stylix, although you can manually support applications this way yourself.

Take a look at nix-community/home-manager#5819 as a possible workaround for allowing applications to read values from the filesystem. Keep in mind that wrapping applications with something like
IIRC, based on nix-community/home-manager#2732, the NixOS and Home Manager modules generate a configuration file to declare fc-match's font mapping. Beyond that, fonts can be configured as usual, although the configuration file is the most Nix idiomatic approach. That might be the simplest workaround.
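
A check that follows from the point in this thread about the world-readable Nix store, given as an added example and not code from any participant or project: it searches a store root for byte-identical plaintext copies of a file that is meant to exist only in decrypted form at run time. The function names, the sample layout and its file contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the thread.

# leaked_copies SECRET [STORE_ROOT]
# Print every regular file under STORE_ROOT whose bytes are identical to SECRET.
# Candidates are filtered by exact size first, so cmp only runs on a few files.
leaked_copies() {
    secret=$1
    store=${2:-/nix/store}
    size=$(wc -c < "$secret" | tr -d '[:space:]')
    # -exec ... \; acts as a predicate: -print fires only when cmp reports equality.
    find "$store" -type f -size "${size}c" \
        -exec cmp -s "$secret" {} \; -print 2>/dev/null
}

# make_sample DIR
# Build a constructed layout: a run-time decrypted font outside the store, its
# ciphertext inside the store, and a same-size decoy with different content.
make_sample() {
    mkdir -p "$1/run" "$1/store/aaa-secrets" "$1/store/bbb-theme"
    printf 'CONSTRUCTED-FONT-BYTES\n' > "$1/run/font.otf"
    printf 'CONSTRUCTED-CIPHERTEXT-LONGER-BLOB\n' > "$1/store/aaa-secrets/font.otf.age"
    printf 'constructed-font-bytes\n' > "$1/store/bbb-theme/decoy"
}

# Run as: sh check.sh /path/to/decrypted/font.otf [/nix/store]
if [ "$#" -ge 1 ]; then
    leaked_copies "$@"
fi
```

Any path printed means a plaintext copy of the file was written into the store, for example by a build step that read the decrypted file.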