Fediversity/secrets/README.md
Kiara Grouwstra dd5a6335b1
proxmox
pass in description

fix syntax

configure proxmox provider

typo

add doc comment in existing modules

add comment

allow insecure proxmox connection for use in dev

wip proxmox progress

use service configurations moved to machine-independent location

wire settings directly without option block terraform

adjust cwd

try tf on null input

update .envrc.sample with sample proxmox credentials
2025-05-11 19:22:49 +02:00


# Secrets
Secrets are handled using [Agenix](https://github.com/ryantm/agenix).
## Cheat sheet
### Adding a secret
As an example, let us add a secret in a file “cheeses” whose content should be
“best ones come unpasteurised”.
1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with
the file name mapped to the systems that should be able to decrypt the
secret, for instance:
```nix
cheeses = [ vm02116 forgejo-ci ];
```
2. Run Agenix to add the content of the file. Agenix is provided by the
development shell but can also be run directly with
`nix run github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age`
extension); this will open your `$EDITOR`; enter “best ones come
unpasteurised”, save and close.
3. If you are doing something flake-related, remember to commit
or at least stage the secret.
4. In the machine's configuration, load our `ageSecrets` NixOS module, declare the machine's host key and start using your secrets, e.g.:
```nix
{ self, config, ... }:
{
imports = [ self.nixosModules.ageSecrets ];
fediversity.hostPublicKey = self.keys.systems.vmFromage;
services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
}
```
If the secret requires a specific owner/group/mode, those can be set with:
```nix
age.secrets.cheeses.owner = "jeanpierre";
age.secrets.cheeses.group = "france";
age.secrets.cheeses.mode = "440";
```
5. Never read the content of the file in Nix, that is, never do anything like:
```nix
services.imaginaryCheeseFactory.frenchSecret = builtins.readFile config.age.secrets.cheeses.path;
```
This would copy the secret into the Nix store as a world-readable file. The
service that you are using must read the secret from a file at runtime, and
if the NixOS module's default options do not provide that, you must find a way
around it.
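A sanity check for the layout described in steps 1 to 3, as an added example that is not part of this repository: it confirms that every secret declared in `secrets.nix` has a matching `.age` file that actually carries an age header (so nothing was committed in the clear), and flags any `.age` file that `secrets.nix` does not declare, since `agenix --rekey` only visits declared files. It assumes the shorthand `name = [ ... ];` form shown above, one secret per line, and the fixture it builds is constructed with placeholder keys.

```shell
# Added example, not the repository's own code. Assumes secrets.nix declares one
# secret per line as `name = [ key1 key2 ];`, with the ciphertext in `name.age`.

# Names declared in secrets.nix, one per line.
declared_secrets() {
  sed -nE 's/^[[:space:]]*([A-Za-z0-9_-]+)[[:space:]]*=[[:space:]]*\[.*/\1/p' "$1"
}

# Succeeds if the file starts with an age header (armored or binary).
is_age_encrypted() {
  head -c 34 "$1" | grep -q -e '^age-encryption.org/v1' -e '^-----BEGIN AGE ENCRYPTED FILE-----'
}

# Checks one directory; the return code is the number of problems found.
check_secrets_dir() {
  dir=$1; problems=0
  for name in $(declared_secrets "$dir/secrets.nix"); do
    if [ ! -f "$dir/$name.age" ]; then
      echo "MISSING: $name is declared in secrets.nix but $name.age does not exist"
      problems=$((problems + 1))
    elif ! is_age_encrypted "$dir/$name.age"; then
      echo "PLAINTEXT: $name.age does not start with an age header"
      problems=$((problems + 1))
    fi
  done
  # agenix --rekey only visits declared files, so an orphan keeps its old recipients.
  for f in "$dir"/*.age; do
    [ -e "$f" ] || continue
    name=$(basename "$f" .age)
    if ! declared_secrets "$dir/secrets.nix" | grep -qxF -e "$name"; then
      echo "UNDECLARED: $name.age is not in secrets.nix and will never be rekeyed"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Constructed fixture: one good secret, one missing, one in plaintext, one orphan.
make_fixture() {
  d=$(mktemp -d)
  printf '%s\n' 'let vm02116 = "ssh-ed25519 PLACEHOLDER"; forgejo-ci = vm02116; in {' \
    '  cheeses = [ vm02116 forgejo-ci ];' '  wines = [ vm02116 ];' \
    '  beers = [ forgejo-ci ];' '}' > "$d/secrets.nix"
  printf -- '-----BEGIN AGE ENCRYPTED FILE-----\nPLACEHOLDER\n' > "$d/cheeses.age"
  printf 'best ones come unpasteurised\n' > "$d/wines.age"
  printf 'age-encryption.org/v1\n-> X25519 PLACEHOLDER\n' > "$d/orphan.age"
  echo "$d"
}
```

Running `check_secrets_dir "$(make_fixture)"` on the fixture reports three problems (a missing file, a plaintext file and an undeclared file); run it against the real `secrets/` directory to check a commit before pushing.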
### Adding a contributor
Rekeying can be done by running `agenix --rekey` (or `-r` for short) in this
directory. This requires that you can already decrypt the secrets with one of the [contributor keys](../keys).