History

Nicolas “Niols” Jeannerod 5771c14249 Set up a first secret		2024-12-12 12:38:20 +01:00
..
forgejo-runner-token.age	Set up a first secret	2024-12-12 12:38:20 +01:00
README.md	Set up a first secret	2024-12-12 12:38:20 +01:00
secrets.nix	Set up a first secret	2024-12-12 12:38:20 +01:00

README.md

Secrets

Secrets are handled using Agenix.

Cheat sheet

Adding a secret

As an example, let us add a secret in a file “cheeses” whose content should be “best ones come unpasteurised”.

Edit secrets.nix, adding a field to the final record with the file name mapped to the systems that should be able to decrypt the secret, for instance:
```
cheeses = [ vm02116 forgejo-ci ];
```
Run Agenix to add the content of the file. Agenix is provided by the development Shell but can also be run directly with nix run github:ryantm/agenix --. Run agenix -e cheeses.age (with the .age extension); this will open your $EDITOR ; enter “best ones come unpasteurised”, save and close.
If you are doing something flake-related such as NixOps4, do not forget to commit or at least stage the secret.

In the machine's configuration, load the Agenix NixOS module, declare your secret, possibly with owner/group, and use it where necessary, eg.:

{ config, ... }:
{
  imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];
  age.secrets.cheeses.file = ../secrets/cheeses.age;
  # age.secrets.cheeses.owner = "jeanpierre";
  # age.secrets.cheeses.group = "france";
  # age.secrets.cheeses.mode = "440";
  services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
}

Never read the content of the file in Nix, that is never do anything like:
```
services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
```
This will put the secret as a world-readable file in the Nix store. The service that you are using must be able to read from a file at runtime, and if the NixOS default module options do not provide that, you must find a way around it.