Using sops with arion-compose #195
Comments
I'm working on doing basically the same thing for my setup. sops-nix templates seem like they may work for this. I'm hoping to have a working example soon to share. *Edit: Templates are not the solution here either. This will also just insert the path to a config generated with sops-nix. sops-nix cannot be used to insert secrets directly into nix configurations. See using-secrets-at-evaluation-time in the sops-nix readme. At this point I am thinking about just using sops-nix to create the config, and either use arion to extend the compose file with docker compose secrets, or forego arion and just use a plain docker-compose.yml in my setup that can reference the secrets files that sops-nix outputs. The only alternative I'm seeing is scalpel which hasn't had a commit in over 2 years, so it's most likely dead. If there's any other alternatives that anyone knows about, or if you ended up solving this since your post, I'd love to hear your solution! In case I forget to come back to this, whatever method I end up using will be in my NixOS configuration for my Homelab Setup.
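The "let sops-nix write the file, let the container read the file" approach described in the comment above, as an added example that is not from this thread and not from the arion or sops-nix projects. It assumes the sops-nix and arion NixOS modules are already imported on the host, that `secrets.yaml` contains a `db_password` key, and that the age key is at `/var/lib/sops-nix/key.txt` (all assumed names). The point it demonstrates is that only the path of the decrypted file reaches the arion configuration, so the secret value never ends up in the compose file arion builds into the Nix store:

```nix
# Added example (not from this thread or from arion/sops-nix).
# sops-nix decrypts on the host at activation time; arion references only the
# *path* of the decrypted file, so the value never enters /nix/store.
# Assumed: sops-nix and arion NixOS modules imported; a "db_password" key in
# secrets.yaml; age key at /var/lib/sops-nix/key.txt.
{ config, ... }:
{
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # Decrypted to /run/secrets/db_password (a ramfs on the host, not the store).
  sops.secrets.db_password = {
    mode = "0400";
  };

  virtualisation.arion.projects.app.settings = {
    project.name = "app";
    services.db.service = {
      image = "postgres:16";
      # Mount the decrypted file read-only. The container sees the value; the
      # generated docker-compose.yaml in the store sees only the host path.
      volumes = [
        "${config.sops.secrets.db_password.path}:/run/secrets/db_password:ro"
      ];
      # The official postgres image reads *_FILE variables from a file at start-up.
      environment.POSTGRES_PASSWORD_FILE = "/run/secrets/db_password";

      # Anti-pattern, for contrast: a literal value here would be written into
      # the compose file that arion builds as a world-readable store path.
      # environment.POSTGRES_PASSWORD = "hunter2";
    };
  };
}
```

With the arion NixOS module this becomes a systemd unit that runs `arion up` for the project. A quick leak check is to open the compose file arion generated in the store and confirm it contains the `/run/secrets/db_password` host path and nothing resembling the password itself.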
That docker compose/swarm secret mechanism exposes the secrets as a file to the container. When you only need to access a secret during a docker build step, another approach is to use docker buildx secrets. (for using
The workaround shown in #247 is great, it solved my flake issues. The build passes and the container starts. When it comes to sops-nix, however, that still doesn't quite work. There are a couple of errors when running
After the container starts, I can verify that Here are the extended logs:
@thenbe what about if you give your arion service
@KiaraGrouwstra Yup that works. Thanks for the hint!

```nix
{
  service.privileged = true;
  service.volumes = [ "${toString ./.}/keys.txt:/var/lib/secrets/age" ];
}
```

It also works if we only grant it the

```diff
-service.privileged = true;
+service.capabilities = { SYS_ADMIN = true; };
```
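Review bot: replacing `service.privileged = true` with `service.capabilities = { SYS_ADMIN = true; }` narrows the grant, but CAP_SYS_ADMIN is still one of the broadest capabilities (it governs mount(2) and a long list of other operations), so the container is only marginally less powerful than a privileged one. Add a comment next to the `+service.capabilities` line stating why the capability is required, and where the `sops.useTmpfs = true` setting discussed later in this thread applies, prefer it, since it removes the need for the extra capability entirely.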
I'm still not sure exactly why the container needs to be privileged, the best I have so far is this similar discussion in the nix repo: NixOS/nix#3059. After searching a bit more, I found another solution that sidesteps the privilege requirement altogether.

```nix
{
  sops.useTmpfs = true;
}
```

See the issue and PR for more info. This solution also comes with a caveat.
@thenbe nice! would you maybe have an example of how to expose the secret thru arion?
Something like this:

```nix
{
  project.name = "nixos container";
  services.webserver = { pkgs, lib, ... }: {
    service.volumes = [ "${toString ./.}/keys.txt:/var/lib/secrets/age" ];
    nixos.useSystemd = true;
    service.useHostStore = true;
    nixos.configuration = { config, lib, options, pkgs, ... }: {
      boot.tmp.useTmpfs = true;
      # 1. setup sops-nix
      # (`inputs` refers to the flake inputs of the enclosing scope)
      imports = [
        inputs.sops-nix.nixosModules.sops
      ];
      sops.defaultSopsFile = ../secrets.yaml;
      sops.defaultSopsFormat = "yaml";
      sops.age.keyFile = "/var/lib/secrets/age";
      sops.useTmpfs = true;
      # 2. use sops-nix
      sops.secrets.MYSECRET = { };
      environment.variables = {
        MYSECRET = config.sops.secrets.MYSECRET.path;
      };
    };
  };
}
```
thanks!
I am trying to set up a container that needs a secret stored with sops-nix. My .sops.yaml and secrets/ are set up, but I'm not sure how to configure my arion-compose.nix file. I have something like:
But it's failing on:
Thanks in advance!