NixOS Containers: Difference between revisions
m →Tips and tricks: improve grammar |
Add infrmation how to get agenix secrets into the container |
||
| Line 147: | Line 147: | ||
# nixos-container start flake-test | # nixos-container start flake-test | ||
</syntaxhighlight> | |||
==== Use agenix secrets in container ==== | |||
To add <code>agenix</code> secrets to a container bind mount the <code>ssh-host.key</code> and import the <code>agenix.nixosModule</code> and set <code>age.identityPaths</code> [https://discourse.nixos.org/t/secrets-inside-nixos-containers/34403/6 Source]<syntaxhighlight lang="nix"> | |||
{ agenix, ... }: | |||
{ | |||
containers."withSecret" = { | |||
# pass the private key to the container for agenix to decrypt the secret | |||
bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; | |||
config = | |||
{ | |||
config, | |||
lib, | |||
pkgs, | |||
... | |||
}: | |||
{ | |||
imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container | |||
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically when openssh is not setup | |||
# import the secret | |||
age.secrets."secret-name" = { | |||
file = ../secrets/secret.age; | |||
}; | |||
}; | |||
}; | |||
} | |||
</syntaxhighlight> | </syntaxhighlight> | ||