Update secrets' README

This commit is contained in:
Nicolas Jeannerod 2024-12-13 13:03:07 +01:00
parent 21e8c962bf
commit d9c5da6f8b
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8


@ -25,19 +25,21 @@ As an example, let us add a secret in a file “cheeses” whose content should
3. If you are doing something flake-related such as NixOps4, remember to commit 3. If you are doing something flake-related such as NixOps4, remember to commit
or at least stage the secret. or at least stage the secret.
4. In the machine's configuration, load the Agenix NixOS module, declare your 4. In the machine's configuration, load our `ageSecrets` NixOS module, declare the machine's host key and start using your secrets, eg.:
secret, possibly with owner/group, and use it where necessary, eg.:
```nix ```nix
{ config, ... }: { self, config, ... }:
{ {
imports = [ inputs.agenix.x86_64-linux.nixosModules.default ]; imports = [ self.nixosModules.ageSecrets ];
age.secrets.cheeses.file = ../secrets/cheeses.age; fediversity.hostPublicKey = self.keys.systems.vmFromage;
# age.secrets.cheeses.owner = "jeanpierre";
# age.secrets.cheeses.group = "france";
# age.secrets.cheeses.mode = "440";
services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path; services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
} }
``` ```
If the secrets requires specific owner/group/mode, those can be set with:
```nix
age.secrets.cheeses.owner = "jeanpierre";
age.secrets.cheeses.group = "france";
age.secrets.cheeses.mode = "440";
```
5. Never read the content of the file in Nix, that is never do anything like: 5. Never read the content of the file in Nix, that is never do anything like:
```nix ```nix
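Review bot: the new step 4 removes `age.secrets.cheeses.file = ../secrets/cheeses.age;` yet the snippet still reads `config.age.secrets.cheeses.path`, and nothing in the hunk says where `age.secrets.cheeses` is now declared; a reader cannot tell whether importing `self.nixosModules.ageSecrets` and setting `fediversity.hostPublicKey` is enough for the secret to exist, or whether the `file` line is still required. Suggest adding one sentence after the snippet stating how the `ageSecrets` module decides which secrets to declare for a host (and from which directory), or reinstating the `file` line. Minor: "If the secrets requires specific owner/group/mode" should read "If the secret requires"; the old snippet's `{ config, ... }:` header referenced an unbound `inputs`, which the new `{ self, config, ... }:` header fixes, so that is a real correction rather than just a rewording.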