Bootstrap / recreate secrets
In a situation where an operator wants to bootstrap a prefabricated environment, or in a situation where an operator has to "break the glass" and cycle the root secrets, it would be useful to store create instructions alongside the encryption definition in secrets.nix.
Example bootstrap/recreate scripts could be:
```bash
encrypt="$(nomad operator keygen)"
echo '{}' | jq --arg encrypt "$encrypt" '.server.encrypt = $encrypt'
```

```bash
export PATH="${lib.makeBinPath (with pkgs; [ xkcdpass ])}"
xkcdpass -n 24
```
Without further research, I would assume agenix cli contracting output on stdout for subsequent encryption would be good enough.
/cc @veehaitch if @ryantm is interested, I'd probably implement this for ragenix asap.
https://github.com/yaxitech/ragenix/issues/52 is related here for the `export PATH="${lib.makeBinPath (with pkgs; [ xkcdpass ])}"` and the like parts.
@blaggacao Sorry, I'm not following what you are proposing. Could you write some more about it?
I think concretely it could mean the following:
```nix
# secrets.nix
{
  "path/to/1".publicKeys = [];
  "path/to/1".generate = ''
    xkcdpass -n 24
  '';
}
```

so that `agenix -g path/to/1` / `agenix --generate path/to/1` would (re-)generate path/to/1 using the specified script.
In a first iteration, xkcdpass would have to be in the environment; in a future iteration, agenix could opt to consume a special secrets attribute out of flake.nix / default.nix, so that the script could instead be written as:

```nix
# secrets.nix
{ pkgs, lib }: {
  "path/to/1".publicKeys = [];
  "path/to/1".generate = ''
    export PATH="${lib.makeBinPath (with pkgs; [ xkcdpass ])}"
    xkcdpass -n 24
  '';
}
```

Since this is a UX expansion, I also linked the ragenix issue that deals with the foundation necessary for the mentioned second iteration, namely to alternatively parse an attr (.secrets) rather than a special file (secrets.nix).
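To make the proposed `generate` flow concrete, here is an added example of a minimal runner in the shape described in the comment above. It is not agenix's or ragenix's code; the function names `run_generator` and `generate_secret` are mine, and the encryption step is passed in as a command that reads the plaintext on stdin (with agenix that would be an invocation such as `agenix -e path/to/1`, assumed here rather than taken from the project). The runner executes the generator under `env -i` with only the PATH the definition provides, which is the same isolation `lib.makeBinPath` gives in the second secrets.nix variant, refuses empty output, and pipes the secret straight into the encryptor so the plaintext never appears in a file or on a command line.

```shell
#!/bin/sh
# Added example (not agenix/ragenix code): a minimal "generate" runner for
# secrets defined with a generator script, as proposed in this thread.
set -eu

# run_generator SCRIPT PATHDIRS
#   Runs SCRIPT with /bin/sh under `env -i`, so the generator sees a scrubbed
#   environment whose only PATH entries are PATHDIRS (the lib.makeBinPath
#   idea: exactly the tools the definition lists, nothing inherited).
#   The generated secret is printed on stdout.
run_generator() {
  gen_script="$1"
  gen_pathdirs="$2"
  env -i PATH="$gen_pathdirs" /bin/sh -c "$gen_script"
}

# generate_secret NAME SCRIPT PATHDIRS ENCRYPT_CMD [ARGS...]
#   Generates NAME with SCRIPT and pipes the plaintext into ENCRYPT_CMD's
#   stdin. Keeping the secret on a pipe (rather than in argv or a temp file)
#   means other local users cannot read it from `ps` or the filesystem.
#   Fails if the generator exits non-zero or produces no output, so an
#   empty secret is never encrypted and silently deployed.
generate_secret() {
  secret_name="$1"
  secret_script="$2"
  secret_pathdirs="$3"
  shift 3
  secret_out="$(run_generator "$secret_script" "$secret_pathdirs")" || {
    echo "generator for $secret_name failed" >&2
    return 1
  }
  [ -n "$secret_out" ] || {
    echo "generator for $secret_name produced no output" >&2
    return 1
  }
  printf '%s\n' "$secret_out" | "$@"
}

# Usage, with `cat` standing in for the encryption command so it runs offline:
#   generate_secret path/to/1 'xkcdpass -n 24' /run/current-system/sw/bin cat
```

For the nomad example earlier in the thread, the same stdin-only rule can be kept with jq by reading the key as raw input instead of passing it via `--arg` (which places it in jq's argv): `nomad operator keygen | jq -R '{server: {encrypt: .}}'`.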
Not sure if still relevant, but here is a proof of concept extension that probably adds what you are asking for.
Indeed! Very nice!