Secrets

Here is a minimal secrets declaration:

secrets = {
  example = {
    file = ./secret/example.age;
  };
};

The secret is expected to appear under /run/vaultix/ with mode 0400, owned by uid 0.

Here are the full configurable options:

secrets = {
  example = {
    file = ./secret/example.age;
    mode = "640"; # default 0400
    owner = "root";
    group = "users";
    name = "example.toml";
    path = "/some/place";

    insert = {...};
  };
};

This part is basically identical to agenix, with a few differences:

  • no symlink bool option, since systemd already provides this through tmpfiles.d.

path

  • type: absolute path string

If you set this manually, the secret is deployed to the specified location instead of /run/vaultix.d (the default value of decryptedMountPoint).

If you set path to a location inside /run/vaultix (the default value of decryptedDir), you will receive a warning: use the name option instead.

mode

  • type: string
  • default: "0400"

UNIX file permission bits, in octal representation.

insert

Insert is an enhanced pre-processing step for a secret.

Unlike Template, which inserts secret content into plain content, this provides a mechanism for inserting plain text into a secret.

The placeholder text MUST be a 32-byte hex string (64 chars), which is identical to the most common blake3 hash display format. It is easily generated by:

openssl rand -hex 32

secrets = {
  example = {
    file = ./secret/example.age;
    insert = {
      # the string that looks like a hash is not the hash of any content (though it could be)
      "81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb" = {
        order = 0;
        content = "there is a plain text";
      };
      "3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878" = {
        order = 1;
        content = "another for inserting";
      };
    };
  };
};

In ./secret/example.age:

test {{ 81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb }}
and {{ 3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878 }}.

which finally produces, on deploy:

test there is a plain text
and another for inserting.

This does not affect the template function; insertion is processed before templating.

order

  • type: u32
  • default: 0

Since a Nix attrset has no order, this explicitly sets the insertion sequence of the contents.

Values are RECOMMENDED to be distinct within the same insert attrset; the smaller one is inserted first.

If no order is set in an insert section, the inserts are expected to follow the alphabetical order of the attrset names.

content

  • type: string
  • no default, must be set

If you'd like this to be multiline, use Nix's multiline (indented) string literal syntax:

''
  This is the first line.
  This is the second line.
    This is the third line.
''

and it will be inserted as-is.

cleanPlaceholder

  • type: bool
  • default: false

After insertion completes, remove any remaining placeholders of the form {{ $32bytes_hex_str }}.
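As an added illustration (not vaultix's own code), here is a small Python model of the insert semantics described in this section: placeholders are replaced smallest order first, unset orders fall back to the attrset name order, and cleanPlaceholder strips whatever is left. How the real implementation treats whitespace inside the braces and replacements whose content itself contains a placeholder is an assumption here.

```python
import re
from typing import Dict, List

# Placeholder form documented above: "{{ <32-byte hex, 64 chars> }}".
# Tolerating whitespace inside the braces is an assumption of this model.
PLACEHOLDER_RE = re.compile(r"\{\{\s*([0-9a-fA-F]{64})\s*\}\}")
HEX32_RE = re.compile(r"[0-9a-fA-F]{64}")


def apply_inserts(secret: str, inserts: Dict[str, dict], clean_placeholder: bool = False) -> str:
    """Replace each {{ <hex> }} placeholder in the decrypted secret with the
    matching entry's `content`. Entries are applied smallest `order` first
    (default 0); ties fall back to the alphabetical order of the attrset
    names, so an attrset with no `order` at all is processed alphabetically."""
    for hex_key, spec in sorted(inserts.items(), key=lambda kv: (kv[1].get("order", 0), kv[0])):
        if not HEX32_RE.fullmatch(hex_key):
            raise ValueError(f"insert key must be 32-byte hex (64 chars): {hex_key!r}")
        pattern = re.compile(r"\{\{\s*" + hex_key + r"\s*\}\}")
        # A callable keeps backslashes in `content` literal (a str replacement would expand them).
        secret = pattern.sub(lambda _m: spec["content"], secret)
    if clean_placeholder:
        # cleanPlaceholder = true: strip placeholders that had no insert entry.
        secret = PLACEHOLDER_RE.sub("", secret)
    return secret


def leftover_placeholders(text: str) -> List[str]:
    """Hex keys of placeholders still present after insertion; a non-empty
    result means the secret would be deployed with an unfilled marker."""
    return PLACEHOLDER_RE.findall(text)


# Sample data: the two inserts from this page plus one constructed orphan
# placeholder (no matching insert entry) to exercise cleanPlaceholder.
EXAMPLE_INSERTS = {
    "81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb": {"order": 0, "content": "there is a plain text"},
    "3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878": {"order": 1, "content": "another for inserting"},
}
ORPHAN = "0123456789abcdef" * 4  # constructed value, not from the page
EXAMPLE_SECRET = (
    "test {{ 81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb }}\n"
    "and {{ 3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878 }}.\n"
    "orphan {{ " + ORPHAN + " }}\n"
)

if __name__ == "__main__":
    filled = apply_inserts(EXAMPLE_SECRET, EXAMPLE_INSERTS)
    print(filled)
    print("leftover:", leftover_placeholders(filled))
    print(apply_inserts(EXAMPLE_SECRET, EXAMPLE_INSERTS, clean_placeholder=True))
```

Running `leftover_placeholders` on the result before deploy is a cheap check that every marker was actually filled.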