jakehamilton / config

One Nix flake to rule them all.

Secrets? #6

Closed usmcamp0811 closed 1 year ago

usmcamp0811 commented 1 year ago

Hey, neat config! Was curious how you manage your secrets.

jakehamilton commented 1 year ago

Hey there, thanks!

I don't think there's currently a great solution for secrets with Nix. Every option seems to require a bunch of manual work still. Currently I'm using Vault to manage my secrets along with Determinate Systems' vault agent module: https://github.com/DeterminateSystems/nixos-vault-service

I made a module to manage Vault policies declaratively: https://github.com/jakehamilton/config/blob/ab3bdade824335d44aba53cfb2bdd4322635b390/modules/nixos/services/vault/default.nix#L70

And here's an example of me instantiating those policies: https://github.com/jakehamilton/config/blob/ab3bdade824335d44aba53cfb2bdd4322635b390/systems/x86_64-linux/quartz/default.nix#L79

Then applying secrets to services: https://github.com/jakehamilton/config/blob/ab3bdade824335d44aba53cfb2bdd4322635b390/systems/x86_64-linux/ruby/default.nix#L70

usmcamp0811 commented 1 year ago

Thanks! Yea, I saw that and wasn't sure. Thought maybe it was just creating a Vault. So are you able to get secrets from Vault and inject them into things like files? Currently looking for a solution to inject certificates in places and maybe some passwords too.

And thanks again for sharing your config. I saw your YT video(s) and they were super helpful! I'm just starting out with Nix and decided to jump in the deep end cause, well, I really like your config and it's where I want to eventually end up, so.. and I'm too dumb to take it slow.

I'm currently exploring agenix but trying to figure out how to import it correctly.

jakehamilton commented 1 year ago

@usmcamp0811 yes! The vault agent service lets you patch systemd services with environment variables or add files during runtime. I recommend taking a look at the documentation from Determinate Systems: https://github.com/determinatesystems/nixos-vault-service
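As an added illustration, not code from this config repo or from the Determinate Systems module, here is what the two pieces above amount to in plain Vault terms: a read-only policy scoped to one host's secret path, and a Vault Agent configuration that renders a certificate and key from that path into files a service can read. The KV paths, AppRole file locations, destination paths and the `nginx` unit name are assumed placeholders.

```hcl
# File 1 (assumed name: ruby-policy.hcl), loaded with `vault policy write`.
# Least privilege: the agent on host "ruby" may only read its own secrets,
# and only through the KV v2 data path. No list, create or delete.
path "secret/data/hosts/ruby/*" {
  capabilities = ["read"]
}

# File 2 (assumed name: /etc/vault/agent.hcl), consumed by `vault agent`.
# auto_auth logs the agent in with an AppRole whose role_id and secret_id
# are read from files outside the Nix store, so they never land in the
# world-readable /nix/store.
auto_auth {
  method "approle" {
    config = {
      role_id_file_path                   = "/etc/vault/role_id"
      secret_id_file_path                 = "/etc/vault/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
  sink "file" {
    config = {
      path = "/run/vault/token"
    }
  }
}

# Render the certificate chain out of KV into a file the service consumes.
# /run is tmpfs, so the plaintext never hits persistent disk, and perms
# keeps it away from other local users.
template {
  contents    = "{{ with secret \"secret/data/hosts/ruby/web\" }}{{ .Data.data.fullchain }}{{ end }}"
  destination = "/run/secrets/web/fullchain.pem"
  perms       = "0640"
}

# The private key gets tighter permissions, and a re-render (e.g. after the
# cert is rotated in Vault) reloads the service so it picks up the new pair.
template {
  contents    = "{{ with secret \"secret/data/hosts/ruby/web\" }}{{ .Data.data.key }}{{ end }}"
  destination = "/run/secrets/web/key.pem"
  perms       = "0600"
  command     = "systemctl reload nginx"
}
```

The NixOS module referenced above wraps this same agent configuration in Nix options and a systemd unit, so the policy scope, file permissions and tmpfs destination are the parts worth checking regardless of how the config is generated.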

usmcamp0811 commented 1 year ago

Again, great config!! I really like what you have done and I'm completely mimicking your setup. I just put together a README to help out my future self (and others). I figured I would link to it here in case someone else had similar issues and needed a little extra help.

It can be found here in my Dotfiles repo.

jakehamilton commented 1 year ago

That's awesome! Glad you have stuff working and I'm sure that writeup will be helpful!