Kieran's opinionated (and probably slightly dumb) nix config
# Secrets

Secrets are managed using [agenix](https://github.com/ryantm/agenix) — encrypted at rest in the repo and decrypted at activation time to `/run/agenix/`.

## Usage

Create or edit a secret:

```bash
cd secrets && agenix -e myapp.age
```

The secret file contains environment variables, one per line:

```
DATABASE_URL=postgres://...
API_KEY=xxxxx
SECRET_TOKEN=yyyyy
```
20
## Adding a new secret

1. Add the public key entry to `secrets/secrets.nix` (`kierank` is the SSH public key bound earlier in that file):

```nix
"service-name.age".publicKeys = [ kierank ];
```

2. Create and encrypt the secret (run from the directory holding `secrets.nix`, as in Usage above, since `agenix` looks for `./secrets.nix` by default):

```bash
cd secrets && agenix -e service-name.age
```

3. Declare in machine config:

```nix
age.secrets.service-name = {
  file = ../../secrets/service-name.age;
  owner = "service-name";
};
```

4. Reference as `config.age.secrets.service-name.path` in the service module.
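
As an added example (not part of this config), here is how steps 3 and 4 fit together with the `KEY=value` secret layout from Usage: a systemd service loads the decrypted file via `EnvironmentFile`, so the values never land in the Nix store or the unit file. The service name `myapp` and the package `pkgs.myapp` are hypothetical placeholders.

```nix
# Added example module, not from the original config. Assumes a hypothetical
# service "myapp" whose binary is provided by the placeholder package pkgs.myapp.
{ config, pkgs, ... }:
{
  age.secrets.myapp = {
    file = ../../secrets/myapp.age;
    owner = "myapp";
    group = "myapp";
    mode = "0400";   # decrypted file readable only by the service user
  };

  users.users.myapp = {
    isSystemUser = true;
    group = "myapp";
  };
  users.groups.myapp = { };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "myapp";
      Group = "myapp";
      # /run/agenix/myapp holds the DATABASE_URL=... style lines shown under
      # Usage; systemd parses them into the service's environment at start.
      EnvironmentFile = config.age.secrets.myapp.path;
      ExecStart = "${pkgs.myapp}/bin/myapp";  # placeholder package
    };
  };
}
```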
45
## Identity paths

The decryption keys are SSH private keys configured per machine; they must be present and readable without a passphrase at activation time, since that is when agenix decrypts into `/run/agenix/`:

```nix
age.identityPaths = [
  "/home/kierank/.ssh/id_rsa"
  "/etc/ssh/id_rsa"
];
```