Comments (10)
If it can be expressed with environment variables it can be put here: https://github.com/Mic92/sops-nix/blob/master/modules/sops/default.nix#L160 and exposed with module options.

It seems like this does not require that many changes in my module itself. However, before advertising Azure support for sops-nix I would like to have some documentation about how to set this all up.

If possible I would prefer explicit options since it's more user-friendly, because then NixOS modules could perform validations and also document how things are supposed to be used.

But I assume for the first boot it would also need some sort of login to get AZURE_CLIENT_SECRET?

@Mic92 Ack on explicit options. For what it's worth, I think sops should modify their Azure code so that msi mode is always tried so this becomes unnecessary, but I've already filed an issue to discuss.
@Mic92 re AZURE_CLIENT_SECRET: it will be somewhat deployment dependent, but the demo I'm building uses Azure Managed Identity. In Azure, you can create an "Identity" as an explicit resource. Think of it as a user. This identity will have access to the KeyVault and the identity will be assigned to the VMs at creation. Applications running on the VM can then retrieve OAuth tokens for that assigned identity from inside the VM by accessing a VM-private HTTP service. (Thereby sops will then be able to pull the key, etc.)
Thus, the user doesn't have to manage getting any credentials into the VM. (CLIENT_ID, CLIENT_SECRET are more traditional but a headache for reasons you can imagine.)

I'm building out a full standalone demo that shows how to use flakes, sops-nix and something else I'm working on. It includes a full e2e demo, I'm just building it as I go through the steps myself. I do need to ask some questions. I'll pose some here, let me know if it's okay to ping you on #nixos or something.
First and foremost, where should I be seeing logs when I ssh into this box?

Disregard the last question - the logs are visible in stage-2-init in dmesg. I've opened a new issue.

@colemickens I know it's been a while since you created the issue but it would be very kind if you could try it out now. We have introduced support for arbitrary environment variables and knowing that Azure works (maybe even with a small section in the README on how to properly use it) would be great for this project.

My grandfathered MSDN sub was finally (understandably) "cleaned up" and thus I've stopped doing work on Azure for free.
The only real requisites for this scenario are:
- the machine was provisioned with Managed Service Identities with access to the relevant KV unlocking keys
- the user sets AZURE_AUTH_MODE for the Go SDK inside sops to do the right thing
It's actually even possible that this scenario just works (aka step 2 is unnecessary) if the Go SDK team got the SDK finally working in a way that was suggested to Azure SDK teams 6+ years ago... and if sops-nix upgraded to it. But again, loose ends for someone else at this point.

Thank you for your feedback, maybe someone else who pays for Azure anyway will get back at it :)