Using agenix with nixos-containers #145
Comments
|
How about setting age.identityPaths to something different for the container? Then you could bind mount an identity into the container that it uses to decrypt the secrets? |
|
Would that not require having separate identities for containers? Or sharing the host's identity? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm trying to use agenix with nixos-container, the issue is that the containers won't have ssh enabled and I would prefer not to have keys for containers.
I tried bind-mounting
/run/agenix/path/to/secret, however the secrets disappear from the container when a new agenix generation is created, probably because/run/agenixis a symlink.I think the best way to solve this would be for
age.secrets.<secret>.pathto resolve to a different path each time the secrets change. So, for example, it could resolve to/run/agenix.d/<hash derived from secret inputs>/<secret>. This not only solves issues with nixos-containers, but also with reloading systemd services, becuse the paths changes, and both nixos-containers and systemd services will automatically restart when their inputs change./run/agenixcould still keep working as it currently does.The text was updated successfully, but these errors were encountered: