Agenix: Difference between revisions
imported>Onny: Add note on using secrets in initrd
imported>Dafitt: Alternate way to access secrets inside container

Line 127:
<syntaxhighlight lang="nix">
# bind-mount the decrypted secret from the host into the container at the same path
# (the agenix option is `age.secrets`, not `agenix.secrets`)
containers.mycontainer.bindMounts."${config.age.secrets.mysecret.path}".isReadOnly = true;
</syntaxhighlight>
Another option is to use the agenix module inside the nixos-container itself. This also allows the secret owner to be set to a user that exists inside the container. It is, however, necessary to provide the SSH private key to the container so that agenix can decrypt the secret there (or to generate a dedicated key for the container).
<syntaxhighlight lang="nix">
# host-side NixOS module; `agenix` is the flake input, passed in via specialArgs
{ agenix, ... }: {
  containers."mycontainer" = {
    # pass the host's private key to the container so that agenix can decrypt the secret
    # (mounted read-only at the same path inside the container)
    bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
    config = { config, lib, pkgs, ... }: {
      imports = [ agenix.nixosModules.default ]; # import the agenix module into the nixos-container
      age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically for some reason
      # import the secret
      age.secrets."mysecret" = {
        file = ../secrets/mysecret.age;
        owner = "myuser";
      };
      # use the secret like you normally would with config.age.secrets."mysecret".path
    };
  };
}
</syntaxhighlight>
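Bind-mounting the host's SSH host key into the container hands the container the host's identity, so it can decrypt every secret encrypted to that host. The variant below, added here as an example and not part of the original wiki text, follows the "generate a dedicated key for the container" route instead: an age identity is created on the host (for instance with `age-keygen -o /var/lib/mycontainer/age.key`; path and key values are hypothetical), only that file is mounted, and the secret is encrypted to the container's own public key in secrets.nix.

```nix
# host-side NixOS module (example); `agenix` is the flake input passed via specialArgs
{ agenix, ... }: {
  # In secrets.nix on the host, encrypt the secret only to the container's identity,
  # using the public key printed by `age-keygen` (placeholder value):
  #   "mysecret.age".publicKeys = [ "age1...container-public-key..." ];
  containers."mycontainer" = {
    # mount the container-specific identity, not the host's SSH host key
    bindMounts."/var/lib/agenix/age.key" = {
      hostPath = "/var/lib/mycontainer/age.key"; # hypothetical path, created with age-keygen
      isReadOnly = true;
    };
    config = { config, ... }: {
      imports = [ agenix.nixosModules.default ];
      # agenix passes identity files to `age -i`, which accepts native age keys as well as SSH keys
      age.identityPaths = [ "/var/lib/agenix/age.key" ];
      age.secrets."mysecret" = {
        file = ../secrets/mysecret.age; # re-encrypt with `agenix -r` after changing publicKeys
        owner = "myuser";               # a user that exists inside the container
      };
      # consumers read config.age.secrets."mysecret".path as usual
    };
  };
}
```

With this layout the container can decrypt only secrets whose publicKeys list includes its own key, and the host's SSH identity never leaves the host.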