ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

Using agenix with nixos-containers #145

Open noonien opened 1 year ago

noonien commented 1 year ago

I'm trying to use agenix with nixos-container; the issue is that the containers won't have ssh enabled and I would prefer not to have keys for containers.

I tried bind-mounting /run/agenix/path/to/secret, however the secrets disappear from the container when a new agenix generation is created, probably because /run/agenix is a symlink.

I think the best way to solve this would be for age.secrets.<secret>.path to resolve to a different path each time the secrets change. So, for example, it could resolve to /run/agenix.d/<hash derived from secret inputs>/<secret>. This not only solves issues with nixos-containers, but also with reloading systemd services, because the paths change, and both nixos-containers and systemd services will automatically restart when their inputs change.

/run/agenix could still keep working as it currently does.

ryantm commented 1 year ago

How about setting age.identityPaths to something different for the container? Then you could bind mount an identity into the container that it uses to decrypt the secrets?
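One way to wire up the approach ryantm describes, as an added example written for this thread rather than code from the agenix project or either commenter: the host bind-mounts a directory holding the container's own age identity into the container read-only, and the container's NixOS config imports the agenix module with `age.identityPaths` pointing at that mount instead of the (absent) SSH host key. Assumed and not taken from the thread: the `agenix` flake input exposes `nixosModules.default`, the host-side identity directory `/var/lib/agenix/container-app` (a constructed placeholder containing a file named `key`), the secret file `../secrets/app-token.age`, the service and user name `app`, and that `agenix` reaches this host module through `specialArgs`.

```nix
# Host-side NixOS module (added example, not agenix project code).
# `agenix` is assumed to be passed in via the host flake's specialArgs.
{ agenix, ... }:
{
  containers.app = {
    autoStart = true;

    # Expose a directory holding the container's age identity, read-only.
    # Host path is a constructed placeholder; keep it root:root 0700 on the host,
    # since anyone who can read the key can decrypt every secret the container has.
    bindMounts."/etc/agenix-identity" = {
      hostPath = "/var/lib/agenix/container-app";
      isReadOnly = true;
    };

    # The closure over `agenix` avoids needing specialArgs inside the container.
    config = { config, ... }: {
      imports = [ agenix.nixosModules.default ];

      # Decrypt with the bind-mounted identity; the container has no sshd and
      # therefore no SSH host key for agenix's default identityPaths to find.
      age.identityPaths = [ "/etc/agenix-identity/key" ];

      # Secret must have been encrypted to this identity's public key in secrets.nix
      # (file path is an assumption for this example).
      age.secrets.app-token = {
        file = ../secrets/app-token.age;
        owner = "app";
        group = "app";
        mode = "0400";
      };

      users.users.app = {
        isSystemUser = true;
        group = "app";
      };
      users.groups.app = { };

      # Consumers read the decrypted file from the container's own /run/agenix,
      # which is the container's tmpfs, so no secret bind-mount from the host is needed.
      systemd.services.app.serviceConfig.EnvironmentFile =
        config.age.secrets.app-token.path;
    };
  };
}
```

With this layout the container decrypts secrets itself on activation, so the symlink-swap problem from the bind-mounted `/run/agenix/...` approach does not arise: the container's `/run/agenix` is rebuilt by the container's own agenix activation rather than mirrored from the host. The trade-off is exactly what the follow-up question raises: each container needs an identity of its own (generated with `age-keygen` or `ssh-keygen`, with the public half added as a recipient in `secrets.nix`), or it has to reuse the host's, which widens the blast radius of any compromise inside the container.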

noonien commented 1 year ago

Would that not require having separate identities for containers? Or sharing the host's identity?