Open noonien opened 1 year ago
How about setting age.identityPaths to something different for the container? Then you could bind mount an identity into the container that it uses to decrypt the secrets?
Would that not require having separate identities for containers? Or sharing the host's identity?
I'm trying to use agenix with nixos-container. The issue is that the containers won't have ssh enabled, and I would prefer not to have keys for containers.

I tried bind-mounting `/run/agenix/path/to/secret`; however, the secrets disappear from the container when a new agenix generation is created, probably because `/run/agenix` is a symlink.

I think the best way to solve this would be for `age.secrets.<secret>.path` to resolve to a different path each time the secrets change. So, for example, it could resolve to `/run/agenix.d/<hash derived from secret inputs>/<secret>`. This not only solves issues with nixos-containers, but also with reloading systemd services, because the path changes, and both nixos-containers and systemd services will automatically restart when their inputs change. `/run/agenix` could still keep working as it currently does.
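The per-container identity approach suggested in the thread, written out as an added configuration example (this is not code from the thread or from the agenix project). The container name `app`, the host path of the identity, the secret name and the way the agenix module is passed in (`agenixModule`) are all assumptions; `age.identityPaths`, `age.secrets.<name>.file` and `containers.<name>.bindMounts` are the real option names.

```nix
# Added example, not part of the original issue or of agenix.
# A host runs a nixos-container that decrypts its own secrets with a
# dedicated age identity bind-mounted from the host. The container never
# needs sshd or an SSH host key, and because decryption happens inside the
# container, the host's /run/agenix symlink is not involved at all.
{ agenixModule, ... }:  # assumed: the agenix NixOS module, supplied by the caller
{
  containers.app = {                      # "app" is an assumed container name
    autoStart = true;

    # The identity is generated on the host (e.g. with age-keygen) and kept
    # outside the Nix store; mounted read-only so the container cannot alter it.
    bindMounts."/etc/agenix-identity.key" = {
      hostPath = "/var/lib/containers/app/identity.key";  # assumed host path
      isReadOnly = true;
    };

    config = { ... }: {
      imports = [ agenixModule ];

      # Decrypt with the bind-mounted identity instead of an SSH host key.
      age.identityPaths = [ "/etc/agenix-identity.key" ];

      # The secret must be encrypted to the public key of that identity
      # in secrets.nix; the file name here is an assumption.
      age.secrets.db-password.file = ./secrets/db-password.age;

      # Consumers inside the container read the decrypted path as usual.
      systemd.services.app = {
        wantedBy = [ "multi-user.target" ];
        script = ''
          exec /run/current-system/sw/bin/cat /run/agenix/db-password
        '';
      };
    };
  };
}
```

The trade-off is the one the thread raises: each container gets its own identity, and every secret it needs has to be encrypted to that identity's recipient as well. In exchange the host's secrets never cross the container boundary, and a compromised container can only read what was encrypted for it.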