anti-pattern use of agenix for factorio credentials

[Kreyren]

https://github.com/ocfox/den/blob/3e33c09639fa2701e1e98a14469c1c4798631fc3/hosts/whitefox/nixpkgs.nix#L12

See: https://github.com/ryantm/agenix#builtinsreadfile-anti-pattern

This can cause the cleartext to be placed into the world-readable Nix store. Instead, have your services read the cleartext path at runtime.

[ocfox]

Thanks, but I am thinking about how to get this token during building.

[Kreyren]

Refer to https://github.com/ryantm/agenix#installation

In short it's declaring a file like this:

# Standalone ragenix secret declaration

let
    user = "ssh-ed25519 your-key";

    system-host = "ssh-ed25519 content of /etc/ssh/ssh_host_ed25519_key.pub without host@domain.tld"; 
in {
    "./path/to/your/file.age".publicKeys = [
        user system-host # users and systems who are allowed to decrypt the file.age
    ];
}

I keep this file in ./secrets.nix as it's standalone from flakes

Then invoke agenix -e ./path/to/your/file.age if you didn't already

and declare the secret in your configuration:

   services.gitea.enable = true; # Example
   ...
   age.secrets.file.file = ../secrets/file.age;
   ...

and then you can refer it it with e.g.

{ config, ... }:
{
  users.users.YOUR_USER.hashedPasswordFile = config.age.secrets.kreyren-user-password.path;
}

Upon deployment it will place the file in /run/agenix/somewhere

Let me know if you need help or ideally ask in https://matrix.to/#/%23agenix:nixos.org

[oluceps]

Here is a pattern that may help for avoiding impure eval and global readable:

inputs.private-repo.url = "git+ssh://git@github.com/${username}/${private-repo}";

Place credentials under another flake and import then.

 token = inputs.private-repo.token; 

[ocfox]

I like this approach. - Thank you!