NixOS / nixops

NixOps is a tool for deploying to NixOS machines in a network or cloud.
https://nixos.org/nixops
GNU Lesser General Public License v3.0

Vault Integration for Secrets #1289

Open grahamc opened 4 years ago

grahamc commented 4 years ago

Two things to consider:

  1. A way for Vault to provide deployment.keys secrets
  2. A way for Vault to provide tokens for nixops-aws and other plugins, instead of reading from the environment.

We should consider if we want to do these at all, and also if we should make its behavior something a plugin could provide.
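A way to get most of (1) with an option NixOps already has, as an added example that is neither part of this issue nor taken from the NixOps manual: `deployment.keys.<name>.keyCommand` runs a command on the deploying machine at deploy time and sends the command's stdout to the target as the key, so the Vault read happens with the deployer's `VAULT_ADDR`/`VAULT_TOKEN` and the secret never goes into the Nix store. The machine name, target host, Vault path and the `myapp` user and package are assumptions.

```nix
# Added example (not from the issue or the NixOps manual): a NixOps network that
# fetches a secret from Vault at deploy time through deployment.keys.keyCommand.
# Assumptions: a machine "webserver", a KV v2 secret at secret/myapp/db with a
# "password" field, a service user "myapp", and an assumed package pkgs.myapp.
{
  network.description = "vault-keys-example";

  webserver = { config, pkgs, ... }: {
    deployment.targetHost = "webserver.example.internal";  # assumed host

    # keyCommand is executed on the deployer, not on the target; its stdout
    # becomes the key file content. The deployer's own VAULT_ADDR/VAULT_TOKEN
    # environment is used, so no Vault token appears in the expression and the
    # secret value is not written to the Nix store.
    deployment.keys."db-password" = {
      keyCommand = [ "vault" "kv" "get" "-field=password" "secret/myapp/db" ];
      user = "myapp";
      group = "myapp";
      permissions = "0400";
      destDir = "/run/keys";  # tmpfs: keys are re-sent on every deploy and reboot
    };

    users.users.myapp = { isSystemUser = true; group = "myapp"; };
    users.groups.myapp = { };

    systemd.services.myapp = {
      wantedBy = [ "multi-user.target" ];
      # NixOps generates a <name>-key.service unit per key; ordering after it
      # keeps the consumer from starting before the secret has arrived.
      after = [ "db-password-key.service" ];
      wants = [ "db-password-key.service" ];
      serviceConfig = {
        User = "myapp";
        # pkgs.myapp is an assumed package that reads the password from a file.
        ExecStart = "${pkgs.myapp}/bin/myapp --password-file /run/keys/db-password";
      };
    };
  };
}
```

Deploy with `vault login` done beforehand on the deployer and `nixops deploy -d <name>` as usual. The limits are exactly those raised in the issue: the read runs on the deployer with whatever token it has in its environment, so (2) is not addressed, and the target only receives a new value on the next deploy, so rotation in Vault does not propagate on its own.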

Mic92 commented 4 years ago

This project might be relevant as well: https://github.com/Mic92/sops-nix Sops has vault integration to decrypt keys.

roberth commented 3 years ago

This could be split up into two changes, one to define the whole network via the module system, the other to add a resource similar to commandOutput, but which doesn't store a value in the state file. Using these two, this can be implemented completely in Nix, at least for (1). For (2) this may require plugins to provide thunks, so a tight integration with the interpreter, which is not possible with nix-instantiate. Writing a python binding for libexpr may be out of scope here, but you can chat with me about libexpr bindings though :)

tewfik-ghariani commented 3 years ago

Would https://github.com/PsyanticY/nixops-vault be somehow helpful?

roberth commented 3 years ago

This issue is mostly about getting secrets out of Vault at deployment time, whereas nixops-vault currently only supports the creation of resources inside vault; writing to vault. I suppose it could add support for a secret reading resource, which will enable (1), but perhaps not (2) just yet.

roberth commented 3 years ago

That said, (1) is probably not what you want anyway. Vault Agent templating would be preferable in most setups.
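What "Vault Agent templating" looks like on the target side, as an added example that is not part of this issue or of NixOS/NixOps: the agent authenticates to Vault itself, renders the secret into a tmpfs file on the machine, and restarts the consumer when the value changes, so the deployer never handles the secret and rotation needs no redeploy. The Vault address, AppRole mount, the out-of-band provisioning of `role_id`/`secret_id`, the secret path and the `myapp` user and package are assumptions.

```nix
# Added example (not from the issue, NixOS or NixOps): run Vault Agent on the
# target host so the secret is rendered locally via auto-auth and a template,
# instead of being shipped from the deployer. Assumptions: AppRole auth with
# role_id/secret_id files placed at /etc/vault-agent out of band, a KV v2
# secret at secret/myapp/db, a service user "myapp" and an assumed pkgs.myapp.
{ config, pkgs, ... }:
let
  agentConfig = pkgs.writeText "vault-agent.hcl" ''
    vault {
      address = "https://vault.example.internal:8200"   # assumed address
    }

    auto_auth {
      method "approle" {
        mount_path = "auth/approle"
        config = {
          role_id_file_path   = "/etc/vault-agent/role_id"
          secret_id_file_path = "/etc/vault-agent/secret_id"
          # One-shot secret_id: consume it so a copy does not linger on disk.
          remove_secret_id_file_after_reading = true
        }
      }
      # No token sink on purpose: the agent keeps its token in memory and the
      # rendered file below is the only artifact other units can read.
    }

    template {
      contents    = "{{ with secret \"secret/data/myapp/db\" }}{{ .Data.data.password }}{{ end }}"
      destination = "/run/vault-agent/db-password"
      perms       = "0440"
      # Re-rendering (lease renewal or rotation in Vault) restarts the consumer.
      command     = "systemctl restart myapp.service"
    }
  '';
in {
  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };

  systemd.services.vault-agent = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.vault}/bin/vault agent -config=${agentConfig}";
      Restart = "on-failure";
      # Runs as root so it can restart myapp; files it creates get group myapp,
      # which together with perms 0440 is what lets the consumer read them.
      Group = "myapp";
      RuntimeDirectory = "vault-agent";      # /run/vault-agent on tmpfs
      RuntimeDirectoryMode = "0750";
    };
  };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    after = [ "vault-agent.service" ];
    requires = [ "vault-agent.service" ];
    serviceConfig = {
      User = "myapp";
      Group = "myapp";
      # pkgs.myapp is an assumed package that reads the password from a file.
      ExecStart = "${pkgs.myapp}/bin/myapp --password-file /run/vault-agent/db-password";
    };
  };
}
```

Two checks worth doing after the first deploy: `systemctl status vault-agent` should show the AppRole login succeeding and the template rendered, and `/etc/vault-agent/secret_id` should be gone, since `remove_secret_id_file_after_reading` consumed it. The remaining bootstrap problem is getting the initial `role_id`/`secret_id` onto the host; a short-TTL, single-use `secret_id` delivered through `deployment.keys` (or via cloud-instance identity auth instead of AppRole) keeps that a one-time, low-value secret.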