
Secret management support

Open bbigras opened this issue 5 years ago • 16 comments

Like Nixus has.

bbigras avatar Dec 03 '20 18:12 bbigras

We're using a separate NixOS module for that (see https://github.com/serokell/serokell.nix/blob/master/modules/vault-secrets.nix). For now, approle secrets (which authenticate the server to fetch the actual secrets from Vault) are deployed using a separate script. We're considering integrating deploy-rs with that script by implementing a mechanism for pre/post deploy "local" hooks, though.

https://old.reddit.com/r/NixOS/comments/k0utpw/our_new_nix_deployment_tool_deployrs/gdktjit/

bbigras avatar Dec 03 '20 19:12 bbigras

Some kind of functionality that will make this possible is definitely planned, either native, a plugin system, a simple hook system, or something else

notgne2 avatar Dec 06 '20 17:12 notgne2

+1 for this. I'm using pass for my secrets currently, would be nice to have a way to integrate it like krops.

pinpox avatar Dec 11 '20 17:12 pinpox

I'm using sops-nix for this purpose; haven't had to adjust anything to migrate to deploy-rs from nixus - I can recommend it. (Edit: More importantly, I don't think the deploy tool needs any special affordances for the deployed configuration to do reasonable secrets management!)

antifuchs avatar Dec 12 '20 16:12 antifuchs

> I'm using sops-nix for this purpose; haven't had to adjust anything to migrate to deploy-rs from nixus - I can recommend it. (Edit: More importantly, I don't think the deploy tool needs any special affordances for the deployed configuration to do reasonable secrets management!)

I've seen sops-nix but if I understand correctly, it requires me to put all secrets into one special file and won't play well with my existing password manager. I'll consider it as an option, but having all my secrets in one central password manager is a big plus for me.

I imagine supporting the execution of a "password command" like pass machines/host1/token that return a string wouldn't be that difficult to implement and a great feature to have.

pinpox avatar Dec 14 '20 12:12 pinpox

Mechanically, sops (and by extension, sops-nix) is quite similar to pass: You check one or more encrypted files into your version control, and sops takes care of managing the "recipients" (both the users that can edit it, and the server identities that can decrypt it) for the secret.

Similarly, sops-nix puts the encrypted file into the store, then an environment activation task uses the machine's credentials (ssh private key or KMS or other key provider) to decrypt the secrets into a ramfs mount in /run/secrets.d/.

Understandable if you have a secret-management solution that works for you, though (and apologies for sounding dismissive earlier!): Better support for pass would definitely be useful. If you're looking to set up secrets in a new repo with deploy-rs right now, I do recommend sops-nix because it's really quite nice & well-supported by all tools, including krops & deploy-rs.

antifuchs avatar Dec 14 '20 15:12 antifuchs

Thanks for the info, I'll look into it!

pinpox avatar Dec 16 '20 12:12 pinpox

It might be a good idea to rely on other tools. sops-nix seems pretty good. And there is (or will be?) also agenix.

bbigras avatar Jan 10 '21 00:01 bbigras

agenix

  • https://github.com/divnix/devos/issues/37#issuecomment-795749947
  • https://github.com/divnix/devos/issues/37#issuecomment-798986443 / https://christine.website/blog/nixos-encrypted-secrets-2021-01-20

blaggacao avatar Mar 15 '21 01:03 blaggacao

Does agenix support ssh keys yet? It was a deal breaker for me.

bbigras avatar Mar 15 '21 02:03 bbigras

Looks like so: https://github.com/ryantm/agenix/blob/9eb981eeb552e0856cb562b7643b311933a0e992/pkgs/agenix.nix#L3 :rocket:

Christine's blog post combines this nicely with a host metadata inventory file that basically holds all the cryptographic host identities (ssh / wireguard).

blaggacao avatar Mar 15 '21 02:03 blaggacao

Oh, sorry, I misspoke. It supports ssh keys but not keys with a passphrase. See https://github.com/ryantm/agenix/issues/4

bbigras avatar Apr 06 '21 06:04 bbigras

Just chiming in to say that I don't think deploy-rs needs to solve this issue; sops-nix allows solving it at the level of NixOS.

I just made a nice setup:

  • I keep the SSH known_hosts file in my repo
  • a script encrypts stdin for a given host + stores in predictable location under repo/secrets/$node/$name.sops
  • extends the module a little:
    • reads the repo/secrets/ directory and populates the config.sops.secrets entries for that host
      • this auto-populates them on the server
    • extends the sops.secrets option to take an azure vault key name
  • a script runs nix eval to figure out the secrets that don't have corresponding files yet, and
    • gets it from azure + encrypts it for the host
    • or generates a new one, stores it on azure and encrypts it for the host
  • a deploy wrapper runs that script

This is somewhat specific to our situation, but as you can see, deploy-rs would not really help here; it's an orthogonal problem.

wmertens avatar Oct 12 '22 20:10 wmertens
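The decryption flow antifuchs describes (encrypted file in the store, decrypted at activation with the host's own key into /run/secrets) and the per-host layout wmertens describes (repo/secrets/$node/$name.sops auto-populating config.sops.secrets, plus a vault key name on each secret) as one NixOS module. This is an added example, not code from this thread or from the sops-nix or deploy-rs projects. It assumes the sops-nix options `sops.secrets.<name>.sopsFile`, `format`, `mode` and `sops.age.sshKeyPaths`, a `./secrets/<host>/` directory next to the module, and a hypothetical `vaultKey` option standing in for the Azure key name extension; the directory name and the `.sops` suffix are constructed conventions.

```nix
# Added example (not from this thread, sops-nix or deploy-rs): a NixOS module
# that registers every ./secrets/<host>/<name>.sops file as a sops-nix secret
# for the host it is evaluated for, so the server gets them at activation.
{ config, lib, ... }:
let
  host = config.networking.hostName;

  # Assumed layout: ./secrets/<host>/<name>.sops, each file encrypted with
  # sops in binary format for that host's age recipient.
  hostDir = ./secrets + "/${host}";

  entries = if builtins.pathExists hostDir then builtins.readDir hostDir else { };

  # Only regular files with the .sops suffix become secrets.
  secretFiles = lib.filterAttrs
    (name: kind: kind == "regular" && lib.hasSuffix ".sops" name)
    entries;
in
{
  # Hypothetical extension of sops.secrets: record which key in an external
  # vault each secret comes from. Only `type` is declared here so this merges
  # with sops-nix's own declaration of the option instead of conflicting with it.
  # A wrapper script can `nix eval` .vaultKey to find secrets whose encrypted
  # file does not exist yet and fetch or generate them.
  options.sops.secrets = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      options.vaultKey = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = "Name of the key in the external vault this secret is fetched from.";
      };
    });
  };

  config = {
    # Decrypt with the host's own SSH host key; sops-nix converts it to an
    # age identity, so no extra key material has to be deployed.
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # One secret per file. sops-nix decrypts each into /run/secrets/<name>
    # at activation; the file name without the suffix is the secret name.
    sops.secrets = lib.mapAttrs'
      (file: _: {
        name = lib.removeSuffix ".sops" file;
        value = {
          sopsFile = hostDir + "/${file}";
          format = "binary";   # whole file is the secret, no YAML/JSON keys
          mode = "0400";       # root-only; set owner/group per service as needed
        };
      })
      secretFiles;
  };
}
```

Because the module keys everything off `config.networking.hostName`, the same repository evaluates cleanly for every node deploy-rs pushes to, and a host only ever sees files encrypted for its own recipient. The companion script that produces the `.sops` files (encrypting stdin for the host's age recipient, which can be derived from its public host key with ssh-to-age) is left out here; it is the part wmertens keeps outside of deploy-rs.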

> Just chiming in to say that I don't think deploy-rs needs to solve this issue; sops-nix allows solving it at the level of NixOS.

That's true.

c4710n avatar May 21 '23 10:05 c4710n

So if I'm understanding it correctly, it's not recommended to use deploy-rs with agenix, right?

TornaxO7 avatar Jan 28 '24 00:01 TornaxO7