Add wiki

docs/wiki/secrets/index.md

@@ -0,0 +1,52 @@
+---
+title: Recemmended Secrets Management
+---
+
+Secrets in nix can be difficult to handle. Your Nixos configuration is
+world-readable in the nix store. This means that _any_ user can read your
+config in `/nix/store` somewhere (_Not good!_). The way to solve this is to
+keep your secrets in files and pass these to nix. Below, I will present two
+ways of accomplishing this.
+
+**Warning:** Do _not_ let secrets live in your configuration directory either!
+
+## The simple way
+
+The simplest secrets management is to simply create a directory for all you
+secrets, for example:
+
+```sh
+  sudo mkdir -p /data/.secret
+  sudo chmod 700 /data/.secret
+```
+
+Then put your secrets, for example your wireguard configuration from your
+VPN-provider, in this directory:
+
+```sh
+  sudo mkdir -p /data/.secret/vpn
+  sudo mv /path/to/wireguard/config/wg.conf /data/.secret/vpn/wg.conf
+```
+
+And set the accompanying Nixarr option:
+
+```nix
+  nixarr.vpn = {
+    enable = true;
+    wgConf = "/data/.secret/vpn/wg.conf";
+  };
+```
+
+**Note:** This is impure, meaning that since the file is not part of the
+nix store, a nixos rollback will not restore a previous secret. This also
+means you have to rebuild Nixos using the `--impure` flag set.
+
+## Agenix - A Path to Purity
+
+The "right way" to do secret management is to have your secrets
+encrypted in your configuration directory. This can be accomplished using
+[agenix](https://github.com/ryantm/agenix). I won't go into the details of how
+to set it up since it's a more complex solution than the one above. However,
+including the right way doing it should help you if you're a more advanced
+user and want to do things the "right way".
+