Open grahamc opened 4 years ago
This project might be relevant as well: https://github.com/Mic92/sops-nix. Sops has Vault integration to decrypt keys.
This could be split up into two changes: one to define the whole network via the module system, the other to add a resource similar to commandOutput, but which doesn't store a value in the state file.
Using these two, this can be implemented completely in Nix, at least for (1).
For (2) this may require plugins to provide thunks, so a tight integration with the interpreter, which is not possible with nix-instantiate. Writing a Python binding for libexpr may be out of scope here, but you can chat with me about libexpr bindings though :)
Would https://github.com/PsyanticY/nixops-vault be somehow helpful?
This issue is mostly about getting secrets out of Vault at deployment time, whereas nixops-vault currently only supports the creation of resources inside Vault, i.e. writing to Vault. I suppose it could add support for a secret-reading resource, which will enable (1), but perhaps not (2) just yet.
That said, (1) is probably not what you want anyway. Vault Agent templating would be preferable in most setups.
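For readers unfamiliar with the alternative suggested above, here is what Vault Agent templating looks like in practice. This is an added illustration, not code from NixOps, nixops-vault or this thread; the Vault address, AppRole file paths, the secret path secret/data/app and the app.service unit are all assumed placeholders. The point is that the secret is fetched and rendered on the target host itself, so it never passes through the deployment tool's state file or the Nix store.

```hcl
# Vault Agent configuration (assumed placeholders throughout).
vault {
  address = "https://vault.example.internal:8200"
}

# The agent authenticates itself with AppRole credentials provisioned
# out of band; the resulting token is written to a tmpfs sink.
auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# Render the secret into a root-only file on the host and restart the
# consumer when the lease changes. Nothing about the secret's value is
# known to the machine that ran the deployment.
template {
  source      = "/etc/vault-agent/app.env.ctmpl"
  destination = "/run/secrets/app.env"
  perms       = "0400"
  command     = "systemctl restart app.service"
}
```

The template file itself would read the KV v2 secret with the usual Consul Template syntax, e.g. `{{ with secret "secret/data/app" }}DB_PASSWORD={{ .Data.data.password }}{{ end }}`, and the Vault policy bound to the AppRole should grant only `read` on that path.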
Two things to consider:

1. deployment.keys secrets
2. nixops-aws and other plugins, instead of reading from the environment.

We should consider if we want to do these at all, and also if we should make its behavior something a plugin could provide.