Secrets

Secrets are managed using agenix — encrypted at rest in the repo and decrypted at activation time to /run/agenix/.

Usage

Create or edit a secret:

cd secrets && agenix -e myapp.age

The secret file contains environment variables, one per line:

DATABASE_URL=postgres://...
API_KEY=xxxxx
SECRET_TOKEN=yyyyy

Adding a new secret

  1. Add the public key entry to secrets/secrets.nix:
     "service-name.age".publicKeys = [ kierank ];
  2. Create and encrypt the secret:
     agenix -e secrets/service-name.age
  3. Declare it in the machine config:
     age.secrets.service-name = {
       file = ../../secrets/service-name.age;
       owner = "service-name";
     };
  4. Reference config.age.secrets.service-name.path in the service module.
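As an added example (not the repository's own code), the two halves of the procedure above put together: a self-contained secrets/secrets.nix entry and a machine module that hands the decrypted KEY=value file to a systemd service through EnvironmentFile. The service name myapp, the user myapp, the host key, and the pkgs.hello stand-in binary are placeholders.

```nix
# secrets/secrets.nix (added example, not the repository's file).
# agenix evaluates this file on its own, so it must be self-contained.
let
  # Placeholder public keys: replace with the real user and host keys.
  kierank = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA<placeholder> kierank";
  host    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA<placeholder> root@host";
in
{
  # Every key listed here can decrypt the file. One of them must match a
  # private key in age.identityPaths on the machine, or activation fails.
  "myapp.age".publicKeys = [ kierank host ];
}
```

```nix
# machines/example/myapp.nix (added example, not the repository's file).
{ config, pkgs, ... }:
{
  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };

  age.secrets.myapp = {
    file = ../../secrets/myapp.age;
    owner = "myapp";
    group = "myapp";
    mode = "0400";   # only the service user can read the decrypted file
  };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" "run-agenix.d.mount" ];
    serviceConfig = {
      User = "myapp";
      # The decrypted KEY=value file is loaded as environment variables at
      # start, so the values never land in the Nix store or the unit file.
      EnvironmentFile = config.age.secrets.myapp.path;
      ExecStart = "${pkgs.hello}/bin/hello";   # stand-in for the real binary
    };
  };
}
```

Rebuild with nixos-rebuild switch and confirm that /run/agenix/myapp is owned by myapp with mode 0400 before trusting the service with it.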

Identity paths

The decryption keys are SSH keys configured per machine:

age.identityPaths = [
  "/home/kierank/.ssh/id_rsa"
  "/etc/ssh/id_rsa"
];