Add agenix support #579

Draft
wants to merge 3 commits into
base: master

erikarvstedt
Collaborator

@erikarvstedt erikarvstedt commented Dec 22, 2022

agenix is a popular secrets deployment scheme where age-encrypted secrets are committed to the system repo and deployed as part of the system derivation.

The workflow for nix-bitcoin users:

  • Include the nix-bitcoin age module
  • Configure the age module
  • nix run a package in a nix-bitcoin node flake to automatically generate and encrypt secrets
  • Commit the secrets and deploy

This PR is based on #577.
First new commit: "secrets: expose generateSecretsScript"

Current status: draft. This is hot off the press and hasn't seen a thorough review.

This is particularly helpful for Flake users.

Contents in `secretsScriptLib` are reused by the next commit.
This also acts as an integration test for age.
@seberm
Contributor

seberm commented Nov 9, 2023

Hello @erikarvstedt,
do you still plan to add the agenix support?

@jpentland

jpentland commented May 4, 2024

So the goal here is to generate all secrets during the configuration process, and then commit them encrypted, rather than at runtime/activation as it is currently?

@erikarvstedt
Collaborator Author

erikarvstedt commented May 4, 2024

Yes. This approach is already available when deploying via krops. Agenix, however, works with all deployment methods and with flakes.
