agenix
Bootstrap / recreate secrets
In a situation where an operator wants to bootstrap a prefabricated environment, or in a situation where an operator has to "break the glass" and cycle the root secrets, it would be useful to store creation instructions alongside the encryption definition in secrets.nix.
Example bootstrap/recreate scripts could be:
encrypt="$(nomad operator keygen)"
echo '{}' | jq --arg encrypt "$encrypt" '.server.encrypt = $encrypt'
export PATH="${lib.makeBinPath (with pkgs; [ xkcdpass ])}"
xkcdpass -n 24
Without further research, I would assume agenix cli contracting output on stdout for subsequent encryption would be good enough.
/cc @veehaitch if @ryantm is interested, I'd probably implement this for ragenix asap.
https://github.com/yaxitech/ragenix/issues/52 is related here for the export PATH="${lib.makeBinPath (with pkgs; [ xkcdpass ])}" & the like parts.
@blaggacao Sorry, I'm not following what you are proposing. Could you write some more about it?
I think concretely it could mean the following:
# secrets.nix
{
"path/to/1".publicKeys = [];
"path/to/1".generate = ''
xkcdpass -n 24
'';
}
so that agenix -g path/to/1 / agenix --generate path/to/1 would (re-)generate path/to/1 using the specified script.
In a first iteration xkcdpass would have to be in the environment; in a future iteration, agenix could opt to consume a special secrets attribute out of flake.nix / default.nix, so that the script could instead be written as:
# secrets.nix
{ pkgs, lib }: {
"path/to/1".publicKeys = [];
"path/to/1".generate = ''
export PATH="${lib.makeBinPath (with pkgs; [ xkcdpass ])}"
xkcdpass -n 24
'';
}
Since this is a UX expansion, I also linked the ragenix issue that deals with the foundation necessary for the mentioned second iteration, namely to alternatively parse an attr (.secrets) rather than a special file (secrets.nix).
Not sure if still relevant, but here is a proof of concept extension that probably adds what you are asking for.
Indeed! Very nice!