.. | ||
flake-part.nix | ||
forgejo-database-password.age | ||
forgejo-email-password.age | ||
forgejo-runner-token.age | ||
README.md | ||
secrets.nix | ||
wiki-basicauth-htpasswd.age | ||
wiki-password.age | ||
wiki-smtp-password.age |
Secrets
Secrets are handled using Agenix.
Cheat sheet
Adding a secret
As an example, let us add a secret in a file “cheeses” whose content should be “best ones come unpasteurised”.
-
Edit
secrets.nix
, adding a field to the final record with the file name mapped to the systems that should be able to decrypt the secret, for instance:cheeses = [ vm02116 forgejo-ci ];
-
Run Agenix to add the content of the file. Agenix is provided by the development Shell but can also be run directly with
nix run github:ryantm/agenix --
. Runagenix -e cheeses.age
(with the.age
extension); this will open your$EDITOR
; enter “best ones come unpasteurised”, save and close. -
If you are doing something flake-related such as NixOps4, remember to commit or at least stage the secret.
-
In the machine's configuration, load our
ageSecrets
NixOS module, declare the machine's host key and start using your secrets, eg.:{ self, config, ... }: { imports = [ self.nixosModules.ageSecrets ]; fediversity.hostPublicKey = self.keys.systems.vmFromage; services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path; }
If the secrets requires specific owner/group/mode, those can be set with:
age.secrets.cheeses.owner = "jeanpierre"; age.secrets.cheeses.group = "france"; age.secrets.cheeses.mode = "440";
-
Never read the content of the file in Nix, that is never do anything like:
services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
This will put the secret as a world-readable file in the Nix store. The service that you are using must be able to read from a file at runtime, and if the NixOS default module options do not provide that, you must find a way around it.