Closed majewsky closed 11 months ago
You might be better off using services.consul.extraConfigFiles. AFAICT from looking at the service module, it can be used at the same time as services.consul.extraConfig.
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
Using extraConfigFiles is in fact the correct solution.
Here is an example using agenix.

create file:

```shell
echo "{\"encrypt\": \"$(nix run nixpkgs#consul keygen)\"}" | ragenix --identity $AGE_IDENTITY_FILE --editor - --edit roles/grid/consul-gossip-encrypt.age
```

enable extraConfigFiles:

```nix
age.secrets."consul-gossip-encrypt.json" = {
  file = ./consul-gossip-encrypt.age;
  owner = "consul";
};
services.consul = {
  enable = true;
  extraConfigFiles = [
    config.age.secrets."consul-gossip-encrypt.json".path
  ];
};
```
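An added verification script (not from this thread or from nixpkgs) to confirm on a deployed host that the mitigation above actually holds: the rendered consul config in /nix/store carries no encrypt field, while the out-of-store secret holds it and is not group/world readable. The paths and the key value below are constructed for the demo; on a real host pass the store path of the generated consul config and the secret path from config.age.secrets.

```shell
# check_consul_encrypt_layout STORE_CONFIG SECRET_FILE
# Exit 0 only if the store-resident config has no "encrypt" field, the
# secret lies outside /nix/store, contains the key, and is unreadable
# by group/other.
check_consul_encrypt_layout() {
    store_cfg=$1; secret=$2
    if grep -q '"encrypt"' "$store_cfg" 2>/dev/null; then
        echo "FAIL: $store_cfg carries the gossip key (world-readable store)" >&2
        return 1
    fi
    case "$secret" in
        /nix/store/*) echo "FAIL: $secret lives in /nix/store" >&2; return 1 ;;
    esac
    if ! grep -q '"encrypt"' "$secret" 2>/dev/null; then
        echo "FAIL: $secret missing or lacks the encrypt key" >&2; return 1
    fi
    # Octal mode, e.g. 400 or 644; keep the last two digits (group, other).
    mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
    go=${mode#"${mode%??}"}
    case "$go" in
        [4-7]?|?[4-7]) echo "FAIL: $secret mode $mode is group/world readable" >&2; return 1 ;;
    esac
    echo "OK: key only in $secret (mode $mode), none in $store_cfg"
}

# make_demo_fixture DIR: constructed sample files standing in for the
# rendered store config and the agenix-decrypted secret (key value is fake).
make_demo_fixture() {
    dir=$1; mkdir -p "$dir"
    printf '{"datacenter":"dc1","server":true}\n' > "$dir/store-config.json"
    printf '{"datacenter":"dc1","encrypt":"FAKEKEYFAKEKEYFAKEKEYFAKEKEY=="}\n' > "$dir/leaky-config.json"
    printf '{"encrypt":"FAKEKEYFAKEKEYFAKEKEYFAKEKEY=="}\n' > "$dir/secret.json"
    chmod 400 "$dir/secret.json"
    cp "$dir/secret.json" "$dir/loose-secret.json"; chmod 644 "$dir/loose-secret.json"
}

# Demo run on the constructed fixture: one good layout, two bad ones.
demo=$(mktemp -d)
make_demo_fixture "$demo"
check_consul_encrypt_layout "$demo/store-config.json" "$demo/secret.json"
check_consul_encrypt_layout "$demo/leaky-config.json" "$demo/secret.json" || true
check_consul_encrypt_layout "$demo/store-config.json" "$demo/loose-secret.json" || true
```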
Consul's configuration has the field encrypt where an encryption key can be given (upstream documentation). This key can be given in configuration.nix as services.consul.extraConfig.encrypt, but this causes the key to end up in the /nix/store, as described in great detail in #24288. Following the mitigation suggested in there, there should be an option (e.g. services.consul.encryptionKeyFile) which allows storing the secret key in a file that is not world-readable.