# Secrets

Here is a minimal secret declaration:

```nix
secrets = {
  example = {
    file = ./secret/example.age;
  };
};
```

The decrypted secret is expected to appear in `/run/vaultix/`, with mode `0400` and owned by uid 0 (root).
Here are the full configurable options:

```nix
secrets = {
  example = {
    file = ./secret/example.age;
    mode = "640"; # default 0400
    owner = "root";
    group = "users";
    name = "example.toml";
    path = "/some/place";
    insert = { ... }; # see the insert section below
  };
};
```
This part is basically identical to agenix, with a few differences:

- There is no `symlink: bool` option, since the same can be achieved with systemd's tmpfiles.d.
## path

- type: absolute path string

If you set this manually, the secret is deployed to the specified location instead of to `/run/vaultix.d` (the default value of `decryptedMountPoint`).
If you still set the path to a directory under `/run/vaultix` (the default value of `decryptedDir`), you will receive a warning, because you should use the `name` option instead.
## mode

- type: string
- default: "0400"

UNIX file permission, in octal representation.
## insert

Insert is an enhanced pre-processing step for a secret.
Unlike Template, which inserts secret content into plain content, this provides a mechanism for inserting plain text into a secret.

The placeholder text MUST be 32 bytes of hex (64 characters), which is identical to the most common blake3 hash display format. It is easily generated by:

```sh
openssl rand -hex 32
```

```nix
secrets = {
  example = {
    file = ./secret/example.age;
    insert = {
      # the string that looks like a hash is not the hash of any content (though it could be)
      "81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb" = {
        order = 0;
        content = "there is a plain text";
      };
      "3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878" = {
        order = 1;
        content = "another for inserting";
      };
    };
  };
};
```

With this content in `./secret/example.age`:

```
test {{ 81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb }}
and {{ 3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878 }}.
```

it finally produces, at deploy time:

```
test there is a plain text
and another for inserting.
```

This does not affect the template function; insert processing happens before templating.
## order

- type: u32
- default: 0

Since Nix attribute sets are inherently unordered, this mechanism explicitly defines the insertion sequence of content elements.
When multiple entries coexist in the same `insert` attribute set:

- Ordering recommendation: assign a distinct numerical priority to each entry. Entries with smaller `order` values are inserted first.
- Default behavior: if no priorities are specified within an `insert`, elements follow alphabetical ordering based on their attribute names.
## content

- type: string
- no default, must be set

If you'd like to set this to multiple lines, just use Nix's multiline string literal syntax:

```nix
''
  This is the first line.
  This is the second line.
  This is the third line.
''
```

It will then be inserted as-is.
## cleanPlaceholder

- type: bool
- default: false

After insertion completes, remove any remaining placeholders of the form `{{ $32bytes_hex_str }}`.
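The insert, order and cleanPlaceholder behaviour described above, modelled in Python as an added example (this is not vaultix's own code; the tie-break by attribute name for equal `order` values and the tolerance of whitespace inside `{{ }}` are assumptions):

```python
import re

# Placeholder as documented: "{{", optional whitespace, 32 bytes of hex (64 chars), "}}"
HEX64 = r"[0-9a-f]{64}"
PLACEHOLDER_RE = re.compile(r"\{\{\s*(" + HEX64 + r")\s*\}\}")


def apply_inserts(secret_text: str, inserts: dict, clean_placeholder: bool = False) -> str:
    """Model of the documented insert semantics (an assumption, not vaultix's own code).

    `inserts` maps a 64-char hex placeholder to {"order": int, "content": str}.
    Entries are applied by ascending `order`; entries sharing an order (including
    the default 0) fall back to alphabetical order of their attribute names.
    """
    for key in inserts:
        if not re.fullmatch(HEX64, key):
            raise ValueError(f"placeholder must be 32 bytes of hex (64 chars): {key!r}")
    ordered = sorted(inserts.items(), key=lambda kv: (kv[1].get("order", 0), kv[0]))
    out = secret_text
    for key, spec in ordered:
        pattern = re.compile(r"\{\{\s*" + re.escape(key) + r"\s*\}\}")
        # A callable replacement keeps any backslashes in `content` literal.
        out = pattern.sub(lambda _m, c=spec["content"]: c, out)
    if clean_placeholder:
        # cleanPlaceholder = true: drop placeholders that no insert entry matched.
        out = PLACEHOLDER_RE.sub("", out)
    return out


# The page's own example, reproduced as test data.
DOC_SECRET = (
    "test {{ 81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb }}\n"
    "and {{ 3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878 }}."
)
DOC_INSERTS = {
    "81c4b7f7e0549f1514e9cae97cf40cf133920418d3dc71bedbf60ec9bd6148cb": {
        "order": 0, "content": "there is a plain text"},
    "3f2446562e758157e38542ed7b227a8c83c2a9bd03d8d37cf013fa29ef93d878": {
        "order": 1, "content": "another for inserting"},
}
# Constructed placeholder (all zeros) that no insert entry matches.
UNMATCHED = "{{ " + "0" * 64 + " }}"

if __name__ == "__main__":
    print(apply_inserts(DOC_SECRET, DOC_INSERTS))
    print(repr(apply_inserts("x " + UNMATCHED + " y", DOC_INSERTS, clean_placeholder=True)))
```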