
Q&A: environmentFile definition inside config #49

Closed
caniko opened this issue Apr 3, 2025 · 3 comments
Labels
question Further information is requested

Comments

@caniko

caniko commented Apr 3, 2025

Was wondering if this is OK in production?

    environmentFile = pkgs.writeText "authentik-secrets.env" ''
      AUTHENTIK_SECRET_KEY=${age.secrets.kingpin-authentik-secret.value}
      AUTHENTIK_EMAIL__PASSWORD=${age.secrets.kingpin-mailersend-smtp-secret.value}
    '';

I generate/bootstrap the authentik secret using agenix-rekey while the email password is an agenix secret, so getting this to work is very useful for me.

@Ma27
Member

Ma27 commented Apr 7, 2025

I assume age.secrets.kingpin-mailersend-smtp-secret.value is the actual password? Kinda surprised that you can even get this at eval-time with agenix.

Anyways, under this assumption, you'll have a store-path with the email password and the secret key inside. Store paths are readable by every user (and thus essentially every process) on your system. This is the reason stuff like agenix/sops-nix exists in the first place fwiw. So, personally I'd rather not do this in production.

@Ma27 Ma27 added the question Further information is requested label Apr 7, 2025
@caniko
Author

caniko commented Apr 7, 2025

Yeah, I realized this earlier today. Keeping this open for other ideas.

@Ma27
Member

Ma27 commented Apr 7, 2025

There are essentially two things you can do:

  • put the entire env file into agenix/sops-nix.
  • sops-nix supports generating secret files on activation, i.e. with:

    { config, ... }:
    {
      sops = {
        secrets = {
          email_password = {};
          authentik_secret_key = {};
          db_password = {};
          ldap_outpost_token = {};
          tls-key = {};
        };
        templates = {
          server-env.content = ''
            AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder.email_password}
            AUTHENTIK_SECRET_KEY=${config.sops.placeholder.authentik_secret_key}
            AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder.db_password}
          '';
        };
      };
      services.authentik = {
        enable = true;
        environmentFile = config.sops.templates.server-env.path;
        # ...
      };
    }

Never used agenix, so I have no idea if they also have a feature like this.

Right now, secret management is effectively an exercise left to the reader, but with a few implementations almost everyone uses (i.e. agenix and sops-nix).

In the context of this repository, there's nothing left to discuss, really, so I'll close this.
If you have further questions, feel free to ask anyways, but I'd suggest asking around in e.g. Matrix or Discourse, you'll probably get an answer a little quicker there :)
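As an added example (not code from this issue or from the project it was filed against), a POSIX shell check a practitioner can run on a host to confirm that the file handed to environmentFile is not the kind of world-readable store path discussed above: the path is assumed to be supplied by the caller, and a file is accepted only if it lives outside /nix/store and is not readable by "other".

```shell
#!/bin/sh
# Added example: verify that an environmentFile is fit to hold secrets.
# Anything the Nix evaluator writes (pkgs.writeText, builtins.toFile)
# lands in /nix/store, which every user on the system can read.
# Files created at activation (e.g. by sops-nix templates) live
# elsewhere and are checked for their "other" permission bits instead.

check_env_file() {
  path="$1"

  # Store paths are world-readable by design; reject them outright.
  case "$path" in
    /nix/store/*)
      echo "UNSAFE: $path is a Nix store path; readable by every user" >&2
      return 1 ;;
  esac

  if [ ! -f "$path" ]; then
    echo "MISSING: $path does not exist (expected a file created at activation)" >&2
    return 2
  fi

  # Octal mode: GNU stat first, then the BSD/macOS spelling as fallback.
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  other=${mode#${mode%?}}     # last octal digit = permissions for "other"

  # Any value with the read bit (4) set means other local users can read it.
  case "$other" in
    4|5|6|7)
      echo "UNSAFE: $path is mode $mode (readable by other users)" >&2
      return 1 ;;
  esac

  echo "OK: $path (mode $mode) is not world-readable"
  return 0
}

# Run directly with a path argument, e.g.: sh check.sh /path/to/server-env
if [ "$#" -gt 0 ]; then
  check_env_file "$1"
fi
```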

@Ma27 Ma27 closed this as completed Apr 7, 2025