2024-12-11 13:26:38 +01:00

# Secrets
Secrets are handled using [Agenix](https://github.com/ryantm/agenix).

## Cheat sheet
### Adding a secret

As an example, let us add a secret in a file “cheeses” whose content should be
“best ones come unpasteurised”.
1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with
   the file name mapped to the systems that should be able to decrypt the
   secret, for instance:

   ```nix
   cheeses = [ vm02116 forgejo-ci ];
   ```
2. Run Agenix to add the content of the file. Agenix is provided by the
   development shell but can also be run directly with `nix run
   github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age`
   extension); this will open your `$EDITOR`; enter “best ones come
   unpasteurised”, save and close.

3. If you are doing something flake-related such as NixOps4, remember to commit
   or at least stage the secret.
4. In the machine's configuration, load the Agenix NixOS module, declare your
   secret, possibly with owner/group, and use it where necessary, e.g.:

   ```nix
   # `inputs` must be bound in the module arguments, otherwise Nix reports an
   # undefined variable when evaluating the `imports` line.
   { config, inputs, ... }:
   {
     imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];

     # The decrypted file is placed outside the Nix store at activation time.
     age.secrets.cheeses.file = ../secrets/cheeses.age;
     # Optional: restrict who may read the decrypted file (default: root only).
     # age.secrets.cheeses.owner = "jeanpierre";
     # age.secrets.cheeses.group = "france";
     # age.secrets.cheeses.mode = "440";

     # Hand the service the *path* of the decrypted file, never its content.
     services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
   }
   ```
5. Never read the content of the file in Nix, that is, never do anything like:

   ```nix
   services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
   ```

   This will put the secret as a world-readable file in the Nix store. The
   service that you are using must be able to read from a file at runtime, and
   if the NixOS default module options do not provide that, you must find a way
   around it.
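One such way around it, as an added example that is not part of this repository's configuration: when a service has no `...File` option, let systemd copy the Agenix-decrypted file into the unit's private credentials directory at start-up, so the secret is still read at runtime and never enters a Nix string or the store. The `cheese-reporter` unit is hypothetical, and the snippet assumes the Agenix module is already imported as in step 4.

```nix
{ config, pkgs, ... }:
{
  # Decrypted to /run/agenix/cheeses at activation, outside the Nix store,
  # owned by root and readable only by root.
  age.secrets.cheeses = {
    file = ../secrets/cheeses.age;
    mode = "400";
  };

  # Hypothetical service with no `...File` option: systemd hands it the
  # secret instead of it being baked into the command line or the store.
  systemd.services.cheese-reporter = {
    description = "Example consumer of the cheeses secret";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      # systemd (running as root) copies the file into the unit's private
      # credentials directory; the unprivileged service user then reads it
      # as $CREDENTIALS_DIRECTORY/cheeses without any access to /run/agenix.
      LoadCredential = "cheeses:${config.age.secrets.cheeses.path}";
      ExecStart = pkgs.writeShellScript "cheese-reporter" ''
        # The secret is read at runtime only; it never enters a Nix value.
        secret=$(cat "$CREDENTIALS_DIRECTORY/cheeses")
        echo "loaded $(printf '%s' "$secret" | wc -c) bytes from the credentials directory"
      '';
    };
  };
}
```

After `nixos-rebuild switch`, `ls -l /run/agenix/cheeses` should show a root-owned file with mode `400`, and `grep -r unpasteurised /nix/store` should find nothing.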