In this current case I've been banging my head against, I'm doing some funky #systemd & #NixOS magic.
The idea is that the NixOS module for this particular app will have a config and a secret-files option set for the services.$program attribute. The latter is something to fill with sops-nix file paths and stuff.
At build time, I will replace any values in secret-files with #path.to.key (e.g., secret-files.something.token = "blah" will become secret-files.something.token = "#something.token#").
Then, the systemd service file will have an ExecStartPre=, which calls a script that replaces all the #blah# tokens in the config file template, and shoves it in $RUNTIME_DIR/etc/config.toml, and the program will use that.
This way the secrets aren't in the store, aren't in environment variables, and the config file only lives as long as the service is running, and is pretty much bound to it in every possible way.
I wouldn't have to do this, if said app would be able to load secrets from files itself, but alas... I could just encrypt the entire configuration file, but that's going to be a big fat nope.
Working with encrypted files is a pain in the ass, and I want most of my configuration in the clear, and documented - not something I can reasonably do when the entire config file is encrypted. Not in a way I want to, anyway (embedded comments are not documentation).
Posted by algernon@trunk.mad-scientist.club
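The ExecStartPre= rendering step described in the toot, as an added example (this is my code, not the poster's). It assumes that tokens have the form #dotted.key# using only letters, digits, underscores and dots, that each key has one secret file of the same name under a secrets directory (with sops-nix that would be the path the module provides for that secret), and that the output path sits under the directory systemd exposes as $RUNTIME_DIRECTORY when RuntimeDirectory= is set. A token with no matching secret file makes the script fail, so the service never starts with a placeholder left in its config.

```shell
#!/bin/sh
# Added example, not the poster's code: render a config template by replacing
# every #dotted.key# token with the contents of the secret file of that name.
# Assumptions: tokens match #[A-Za-z0-9_.]*#, one secret file per key in
# SECRETS_DIR, and OUTPUT lives under systemd's $RUNTIME_DIRECTORY.
set -eu

# render_config TEMPLATE OUTPUT SECRETS_DIR
# Runs in a subshell so umask and variables do not leak into the caller.
render_config() (
    template=$1
    output=$2
    secrets_dir=$3

    umask 077                           # rendered file holds secrets: owner-only
    tmp=$(mktemp "${output}.XXXXXX")    # render next to OUTPUT, rename at the end
    cp "$template" "$tmp"

    # Distinct tokens present in the template (grep exits 1 when there are none).
    tokens=$(grep -o '#[A-Za-z0-9_.]*#' "$template" | sort -u || true)

    for tok in $tokens; do
        key=${tok#\#}; key=${key%\#}
        secret_file="$secrets_dir/$key"
        if [ ! -r "$secret_file" ]; then
            echo "render_config: no secret file for token $tok ($secret_file)" >&2
            rm -f "$tmp"
            exit 1                      # leaves the subshell, not the caller
        fi
        # Literal (non-regex) substitution in awk. Token and value travel through
        # the environment rather than the command line, so they are not visible
        # in ps(1). $(cat) drops trailing newlines, which suits secret values.
        TOKEN="$tok" VALUE="$(cat "$secret_file")" awk '
            {
                rest = $0; out = ""
                while ((i = index(rest, ENVIRON["TOKEN"])) > 0) {
                    out = out substr(rest, 1, i - 1) ENVIRON["VALUE"]
                    rest = substr(rest, i + length(ENVIRON["TOKEN"]))
                }
                print out rest
            }' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done

    mv "$tmp" "$output"
)

# demo: constructed template and secret in a temp dir; prints the rendered file.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/secrets" "$work/run/etc"
    printf 'token = "#something.token#"\n' > "$work/template.toml"
    printf 'url = "https://example.invalid/?t=#something.token#"\n' >> "$work/template.toml"
    printf 'plain = "visible"\n' >> "$work/template.toml"
    printf 's3cr3t-value\n' > "$work/secrets/something.token"   # constructed secret
    render_config "$work/template.toml" "$work/run/etc/config.toml" "$work/secrets"
    cat "$work/run/etc/config.toml"
    rm -rf "$work"
}

# demo_missing: a template token with no secret file must be refused, and no
# config file may be left behind. Returns 0 when that is what happens.
demo_missing() {
    work=$(mktemp -d)
    mkdir -p "$work/secrets" "$work/run/etc"
    printf 'token = "#absent.key#"\n' > "$work/template.toml"
    if render_config "$work/template.toml" "$work/run/etc/config.toml" "$work/secrets" 2>/dev/null; then
        rm -rf "$work"; return 1
    fi
    if [ -e "$work/run/etc/config.toml" ]; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Wired into a unit this would be something like `ExecStartPre=/path/to/render-config /etc/app/config.toml.tmpl ${RUNTIME_DIRECTORY}/etc/config.toml /run/secrets/app` together with `RuntimeDirectory=app`, so the rendered file is removed with the runtime directory when the service stops. Note that ExecStartPre= runs under the unit's User= unless the command is prefixed with `+`, so the secret files need to be readable by that user (sops-nix lets you set owner and group per secret); if they are root-only, the pre-step has to run with `+` and hand the rendered file to the service user itself.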