diff options
| author | William Carroll <wpcarro@gmail.com> | 2020-02-23T18·55+0000 |
|---|---|---|
| committer | William Carroll <wpcarro@gmail.com> | 2020-02-23T19·32+0000 |
| commit | f926b4d61ab9fbb2831c52594ed2e523842c1e24 (patch) | |
| tree | 7888c9db25df884aef7757118d385b638399c0c6 /haskell-file | |
| parent | 527b472469acd55f71dee55e22e13a2a24142cea (diff) | |
Expose secrets to Monzo / YNAB service
Here is my first attempt to manage secrets when I deploy onto a NixOS machine. Background: When I develop, I use direnv, which reads an .envrc file in which I define my secrets. My secrets are read from `pass` using a pattern like this... ```shell secret_value="$(pass show path/to/secret)" ``` ...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which asks me for a password to authenticate. This means that when I cd into a directory with an .envrc file using this pattern, I may be prompted by GPG for a password. When I'm not, it's because gpg-agent is still caching my password. This works for development, but I currently do not know how to use direnv for deployments. Here is what I'm using until I find a more convenient solution: - Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets directory and its contents are only readable by root. - Use systemd's Environment and NixOS's builtins.readFile to read the files in /etc/secrets when I can `sudo nixos-rebuild`. Ideally I could call a function like `builtins.readFromPasswordStore` within configuration.nix. This would allow me to skip the step where I run... ```shell > ssh socrates > pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id > pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret > # etc ``` ...I don't know how to manage secrets using NixOS, but at least this is one answer.
Diffstat (limited to 'haskell-file')
0 files changed, 0 insertions, 0 deletions