Closed. usmcamp0811 closed this 1 year ago.
Hey there, thanks!
I don't think there's currently a great solution for secrets with Nix. Every option seems to require a bunch of manual work still. Currently I'm using Vault to manage my secrets along with Determinate Systems' vault agent module: https://github.com/DeterminateSystems/nixos-vault-service
I made a module to manage Vault policies declaratively: https://github.com/jakehamilton/config/blob/ab3bdade824335d44aba53cfb2bdd4322635b390/modules/nixos/services/vault/default.nix#L70
And here's an example of me instantiating those policies: https://github.com/jakehamilton/config/blob/ab3bdade824335d44aba53cfb2bdd4322635b390/systems/x86_64-linux/quartz/default.nix#L79
Then applying secrets to services: https://github.com/jakehamilton/config/blob/ab3bdade824335d44aba53cfb2bdd4322635b390/systems/x86_64-linux/ruby/default.nix#L70
Thanks! Yeah, I saw that and wasn't sure... thought maybe it was just creating a Vault. So are you able to get secrets from Vault and inject them into things like files? Currently looking for a solution to inject certificates in places and maybe some passwords too.
And thanks again for sharing your config. I saw your YT video(s) and they were super helpful! I'm just starting out with Nix and decided to jump in the deep end because, well, I really like your config and it's where I want to eventually end up, so... and I'm too dumb to take it slow...
I'm currently exploring agenix but trying to figure out how to import it correctly.
@usmcamp0811 yes! The vault agent service lets you patch systemd services with environment variables or add files during runtime. I recommend taking a look at the documentation from Determinate Systems: https://github.com/determinatesystems/nixos-vault-service
Again, great config!! I really like what you have done and I'm completely mimicking your setup. I just put together a README to help out my future self (and others). I figured I would link to it here in case someone else had similar issues and needed a little extra help.
It can be found here in my Dotfiles repo.
That's awesome! Glad you have stuff working and I'm sure that writeup will be helpful!
Hey, neat config! Was curious how you manage your secrets...