Fediversity/secrets
2024-12-13 12:37:25 +01:00
flake-part.nix s/x_fediversity/fediversity/ 2024-12-13 12:37:25 +01:00
forgejo-database-password.age Handle Forgejo's secrets cleanly 2024-12-12 12:38:20 +01:00
forgejo-email-password.age Handle Forgejo's secrets cleanly 2024-12-12 12:38:20 +01:00
forgejo-runner-token.age Set up a first secret 2024-12-12 12:38:20 +01:00
README.md s/do not forget/remember/ 2024-12-13 12:35:48 +01:00
secrets.nix Expose keys and secrets in the global flake 2024-12-13 00:26:43 +01:00

Secrets

Secrets are handled using Agenix.

Cheat sheet

Adding a secret

As an example, let us add a secret in a file “cheeses” whose content should be “best ones come unpasteurised”.

  1. Edit secrets.nix, adding a field to the final record with the file name mapped to the systems that should be able to decrypt the secret, for instance:

    cheeses = [ vm02116 forgejo-ci ];
    
  2. Run Agenix to add the content of the file. Agenix is provided by the development shell but can also be run directly with nix run github:ryantm/agenix --. Run agenix -e cheeses.age (with the .age extension); this will open your $EDITOR; enter “best ones come unpasteurised”, save and close.

  3. If you are doing something flake-related such as NixOps4, remember to commit or at least stage the secret.

  4. In the machine's configuration, load the Agenix NixOS module, declare your secret, possibly with owner/group, and use it where necessary, e.g.:

    # `inputs` must reach the module (for instance through specialArgs)
    { config, inputs, ... }:
    {
      imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];
      # the encrypted file is committed; agenix decrypts it at activation time
      age.secrets.cheeses.file = ../secrets/cheeses.age;
      # optional: restrict who may read the decrypted file (defaults to root, mode 0400)
      # age.secrets.cheeses.owner = "jeanpierre";
      # age.secrets.cheeses.group = "france";
      # age.secrets.cheeses.mode = "440";
      # hand the service the runtime path, never the content
      services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
    }
    
  5. Never read the content of the file in Nix; that is, never do anything like:

    # WRONG: evaluated at build time, so the secret ends up in the Nix store
    services.imaginaryCheeseFactory.frenchSecret = builtins.readFile config.age.secrets.cheeses.path;
    

    This would copy the secret into the Nix store as a world-readable file. The service that you are using must be able to read the secret from a file at runtime; if the NixOS module's default options only accept an inline value, you must find a way to feed it the file instead.
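The steps above, carried through as one complete NixOS module. This is an added example, not code from the Fediversity repository: the service name imaginaryCheeseFactory, the cheese user/group and the factory.conf template are hypothetical, `inputs` is assumed to be passed to the module via specialArgs, and the module is imported through inputs.agenix.nixosModules.default, the output name the upstream agenix flake exposes. It shows both ways of consuming the secret at runtime: passing the decrypted path to an option that accepts a file, and, for a service whose configuration only takes an inline value, rendering the config at service start with systemd's LoadCredential and nixpkgs' replace-secret so that the Nix store only ever contains a placeholder.

```nix
# Added example (not the project's own code): consume an agenix secret on a
# NixOS machine without the plaintext ever entering the Nix store.
{ config, pkgs, inputs, ... }:
{
  # upstream agenix exposes its NixOS module as nixosModules.default
  imports = [ inputs.agenix.nixosModules.default ];

  # Declare the secret. agenix decrypts ../secrets/cheeses.age at activation
  # into config.age.secrets.cheeses.path (by default /run/agenix/cheeses),
  # owned by the user/group below and not world-readable.
  age.secrets.cheeses = {
    file = ../secrets/cheeses.age;
    owner = "cheese";
    group = "cheese";
    mode = "0440";
  };

  # Hypothetical system account the daemon runs as.
  users.users.cheese = {
    isSystemUser = true;
    group = "cheese";
  };
  users.groups.cheese = { };

  # Case 1: the module offers a *File option. Pass the runtime path, which is
  # a plain string like "/run/agenix/cheeses"; no file content is evaluated.
  # services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;

  # Case 2: the daemon only reads the secret inline from its config file.
  # Build the config at service start from a template that holds a placeholder.
  systemd.services.cheese-factory =
    let
      # The template lives in the store; it contains only the placeholder.
      template = pkgs.writeText "factory.conf.in" ''
        listen = 127.0.0.1:8080
        french_secret = @FRENCH_SECRET@
      '';
    in
    {
      description = "Imaginary cheese factory (example)";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "cheese";
        Group = "cheese";
        # systemd creates /run/cheese-factory and exports $RUNTIME_DIRECTORY
        RuntimeDirectory = "cheese-factory";
        RuntimeDirectoryMode = "0700";
        # systemd copies the decrypted file into $CREDENTIALS_DIRECTORY,
        # readable only by this service, before dropping privileges.
        LoadCredential = [ "french-secret:${config.age.secrets.cheeses.path}" ];
        ExecStart = pkgs.writeShellScript "cheese-factory-start" ''
          set -euo pipefail
          conf="$RUNTIME_DIRECTORY/factory.conf"
          # private copy of the template, then substitute the secret in place
          install -m 0400 ${template} "$conf"
          ${pkgs.replace-secret}/bin/replace-secret \
            '@FRENCH_SECRET@' "$CREDENTIALS_DIRECTORY/french-secret" "$conf"
          # stand-in for the real daemon; it would be started with "$conf"
          exec ${pkgs.coreutils}/bin/sleep infinity
        '';
      };
    };
}
```

With this layout a `nix store ls` or `grep -r` over /nix/store finds only @FRENCH_SECRET@; the plaintext exists solely under /run, in the agenix path and in the service's credentials and runtime directories, all of which are lost on reboot and unreadable to other users.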