▲ 6 r/NixOS
An approach to evaluation-time secrets
While I leave critical secrets such as private keys, passwords, API tokens, etc., to agenix/sops, I've frequently found myself wanting to provide my config with less critical secrets such as IPs, MAC addresses, or password hashes at evaluation time.
I've been testing the following approach. I encrypt the secrets I want to make available at evaluation time with git-crypt, and store the git-crypt key with agenix. My config is available here for anyone curious. This way, everything remains automatically managed and self-contained within the config itself.
Are there any better approaches to evaluation-time secrets? I personally don't like relying on GPG and git-crypt, and I'd like to migrate to a tool I have more trust in. Thanks!
u/JakeGinesin — 5 days ago
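One check worth running alongside the git-crypt approach described in the post, as an added example that is not the poster's code or part of their config: git-crypt only encrypts a file if it matches a `filter=git-crypt` rule in `.gitattributes` at the moment it is staged, so a file that was committed before the rule was added, or a rule with a typo in its glob, leaves the "secret" in plaintext in history even though the working tree looks fine. Every git-crypt encrypted blob starts with the 10-byte magic `\0GITCRYPT\0` followed by a 12-byte nonce, so the committed blobs can be audited directly. The `.gitattributes` parsing and glob matching below are deliberately simplified (one pattern per line, basename match for patterns without a slash), and the blob contents are supplied as a constructed dict standing in for what `git show HEAD:<path>` would return; both the sample `.gitattributes` and the sample blobs are made up for this example.

```python
"""Audit that every path .gitattributes routes through git-crypt is actually stored encrypted.

Added example, not the post author's code. In a real repository the `blobs`
mapping would be filled from `git ls-files` + `git show HEAD:<path>`.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# git-crypt prefixes every encrypted blob with this magic, then a 12-byte nonce.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"
GITCRYPT_NONCE_LEN = 12
GITCRYPT_HEADER_LEN = len(GITCRYPT_MAGIC) + GITCRYPT_NONCE_LEN


def is_gitcrypt_blob(data: bytes) -> bool:
    """True if `data` carries a complete git-crypt header (an encrypted empty file is exactly 22 bytes)."""
    return len(data) >= GITCRYPT_HEADER_LEN and data.startswith(GITCRYPT_MAGIC)


def parse_gitcrypt_patterns(gitattributes: str) -> List[str]:
    """Return the path patterns that carry filter=git-crypt.

    Simplified parser (assumption): one `<pattern> <attr>...` rule per line,
    `#` comments, no quoting or negation.
    """
    patterns: List[str] = []
    for line in gitattributes.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        if "filter=git-crypt" in attrs:
            patterns.append(pattern)
    return patterns


def matches(pattern: str, path: str) -> bool:
    """gitignore-style matching, simplified: a pattern containing '/' is matched against
    the full repo-relative path, otherwise against the basename. fnmatch's '*' also
    crosses '/', so `dir/**` and `dir/*` both match nested files here (assumption)."""
    if "/" in pattern:
        return fnmatchcase(path, pattern.lstrip("/"))
    return fnmatchcase(path.rsplit("/", 1)[-1], pattern)


def audit(gitattributes: str, blobs: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Split the git-crypt-covered paths into (plaintext_leaks, encrypted_ok), both sorted."""
    patterns = parse_gitcrypt_patterns(gitattributes)
    leaks: List[str] = []
    ok: List[str] = []
    for path, data in sorted(blobs.items()):
        if not any(matches(p, path) for p in patterns):
            continue  # not a git-crypt path; plaintext is expected
        (ok if is_gitcrypt_blob(data) else leaks).append(path)
    return leaks, ok


# --- constructed sample input (not from any real repository) ---------------------
SAMPLE_GITATTRIBUTES = """\
# eval-time secrets live under secrets/eval/, plus any *.secret.nix file
secrets/eval/** filter=git-crypt diff=git-crypt
*.secret.nix filter=git-crypt diff=git-crypt
"""

def _fake_encrypted(ciphertext: bytes) -> bytes:
    # Shape of a git-crypt blob: magic + nonce + ciphertext. The nonce is all zeros here
    # only because this is constructed data; real nonces come from an HMAC of the plaintext.
    return GITCRYPT_MAGIC + b"\x00" * GITCRYPT_NONCE_LEN + ciphertext

SAMPLE_BLOBS: Dict[str, bytes] = {
    "secrets/eval/hosts.nix": _fake_encrypted(b"\x8a\x11\xf3ciphertext"),
    # committed before the .gitattributes rule existed, so git-crypt never touched it:
    "secrets/eval/macs.nix": b'{ router = "aa:bb:cc:dd:ee:ff"; }\n',
    "hosts/laptop/users.secret.nix": _fake_encrypted(b"\x02\x9cmore ciphertext"),
    "flake.nix": b"{ description = \"constructed sample\"; }\n",  # not covered, ignored
}


def main() -> int:
    leaks, ok = audit(SAMPLE_GITATTRIBUTES, SAMPLE_BLOBS)
    for path in ok:
        print(f"encrypted   {path}")
    for path in leaks:
        print(f"PLAINTEXT   {path}  <- committed without git-crypt")
    return 1 if leaks else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The same check is what `git-crypt status` performs with the real attribute matcher, so in practice run that (it warns about staged or committed files that are not encrypted) in a pre-commit or CI step; the point of spelling it out is that the audit must look at the committed blobs, not the unlocked working tree, and that a rule added after a file was first committed does not retroactively encrypt its history.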