Agenix: Difference between revisions
imported>Onny (Note on how to access secrets inside container)
imported>Onny (Add note on using secrets in initrd)

containers.mycontainer.bindMounts."${config.agenix.secrets.mysecret.path}".isReadOnly = true;
</syntaxhighlight>
=== Using secrets in initrd ===
Referencing an agenix secret directly from the initrd does not work, because agenix sets up its secrets during the system activation stage, while the initrd is built before that. As [https://github.com/ryantm/agenix/issues/193 a workaround] we can have agenix write the secret as a static file outside of <code>/run/agenix</code> and reference it at <code>/etc/initrd-hostkey</code>.
<syntaxhighlight lang="nix"> | |||
age.secrets.hostkey-initrd = { | |||
file = "${paths.agenix}/hostkey-initrd.age"; | |||
path = "/etc/initrd-hostkey"; | |||
symlink = false; | |||
}; | |||
boot.initrd.network.ssh.hostKeys = [ "/etc/initrd-hostkey" ]; | |||
</syntaxhighlight> | |||
For this workaround you'll have to rebuild twice: first with only the <code>age.secrets</code> entry, so that the file <code>/etc/initrd-hostkey</code> gets created, and only then with the <code>boot.initrd.network.ssh.hostKeys</code> reference to it.
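The following preflight check is an added example (it is not part of this wiki page or of agenix): run it between the two rebuilds to confirm that the first one left a usable static key at the path before the second configuration references it. The path <code>/etc/initrd-hostkey</code> is the one used above; the exit codes are this script's own convention.

```shell
#!/bin/sh
# Preflight check for the static-file workaround: the initrd is assembled
# before agenix activates, so the key it reads must already be a real,
# root-only file outside /run/agenix.

check_initrd_secret() {
  path="${1:-/etc/initrd-hostkey}"

  # Anything under /run/agenix does not exist yet when the initrd is built.
  case "$path" in
    /run/agenix/*)
      echo "FAIL: $path lives under /run/agenix; use a static path outside it" >&2
      return 5 ;;
  esac

  # A symlink into /run/agenix would dangle at build time; this is why the
  # age.secrets entry above sets symlink = false.
  if [ -L "$path" ]; then
    echo "FAIL: $path is a symlink; set symlink = false on the age.secrets entry" >&2
    return 2
  fi

  # Missing file: the first rebuild (age.secrets entry only) has not run yet,
  # or the entry's path differs from the one being referenced.
  if [ ! -f "$path" ]; then
    echo "FAIL: $path not found; rebuild once with only the age.secrets entry" >&2
    return 1
  fi

  # The decrypted host key must be readable by root only (GNU stat, BSD fallback).
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  case "$mode" in
    *00) ;;
    *)
      echo "FAIL: $path has mode $mode; group/other bits must be clear" >&2
      return 3 ;;
  esac

  # Sanity check that agenix wrote the decrypted key, not the .age ciphertext.
  if ! head -n 1 "$path" | grep -q 'PRIVATE KEY'; then
    echo "FAIL: $path does not look like an unencrypted OpenSSH private key" >&2
    return 4
  fi

  echo "OK: $path can now be referenced from boot.initrd.network.ssh.hostKeys"
  return 0
}
```

Run it as root on the target host after the first rebuild; a non-zero status names the condition to fix before adding the <code>hostKeys</code> line.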
== See also ==