Closed: bbigras closed this 1 year ago

I'm able to use agenix-rekey locally, but when I try to build my config on github actions, I get `No rekeyed secrets were found`. Do I need to run `nix run .#rekey` on the CI? If so, is there a non-interactive version?

That's to be expected since the rekeyed secrets are only stored in local derivations (one for each host). Technically nothing about `nix run .#rekey` is inherently interactive, but rage usually prompts for the password. If there's a plausible use case for non-interactive use we can of course easily add that.

> Do I need to run `nix run .#rekey` on the CI? If so, is there a non-interactive version?

That would be one possibility, but be aware that this requires your master key to be accessible in the CI. I haven't thought a lot about CI use yet, but an alternative would be to make your rekeyed derivations accessible to the CI via a substituter (cachix, or host your own), where you push the resulting derivations to after running `.#rekey` locally.

If you can tell me more about your use case, maybe we can find a good solution that makes this easy to use.

My use case with CI is basically to only build what is not already built and cached using nix-build-uncached.

I never deploy from CI, so I don't need to handle secrets there. For secret config, I actually use a private git submodule (which is not fetched in CI), and include the nix files if they exist. https://github.com/bbigras/nix-config/blob/4f8685cf92c0ee908f99bcc1e629586946223089/hosts/desktop/default.nix#L51-L52

Maybe it could be nice if the build in CI would just generate dummy secrets (since my master key is absent) and I would push the real secret from my desktop later.

> an alternative would be to make your rekeyed derivations accessible to the CI via a substituter (cachix, or host your own), where you push the resulting derivations to after running `.#rekey` locally.

That seems to work. I tested it last night.

> Maybe it could be nice if the build in CI would just generate dummy secrets (since my master key is absent) and I would push the real secret from my desktop later.

Yeah that's a good idea, I've now implemented a `--dummy` flag to do that. Let me know in case there's anything else that turns out to be an issue in CI :)

It works! Thank you very much.

Could `--dummy` cause problems if the result is pushed to a cache?

I'm having dummy secrets on my desktop and I only ran `--dummy` on github actions.

In other words, if I use `--dummy` in CI and it's pushed to cachix, will agenix-rekey ask me to run rekey again on my desktop when I actually want to deploy?

I ran rekey on my desktop and it didn't seem to change anything.

Yes, you should exclude this from being pulled from the cache, or from putting it there - whatever makes more sense. Since the rekeying inherently depends on having predictable output derivations, it will always look the same to nix, whether the contents are dummy values or the real values. So naturally your substituter would try to substitute the known result, which is not what you want for secrets.

I'm not sure whether there's a flag that I could set on the derivation to exclude it by default.