Railbird Secrets Flake
Railbird manages our secrets using agenix. This page will take you through the process of adding a new one.
How to encrypt a secret in the secrets-flake repo
- Add the secret to secrets.nix, e.g.
    "my_example_secret.yaml.age".publicKeys = keys.railbirdDevKeys;
- Run
    agenix -e my_example_secret.yaml.age
  An editor will open. Put the unencrypted text into that file, then save and close it. If you open the file now it will look like a few strings followed by a bunch of binary data. You can run
    agenix -d my_example_secret.yaml.age
  to print the decrypted secret to the terminal and check that it worked.
- Open a PR on the secrets-flake repo and merge it to master.
- In all the repos affected by the secret run
    LD_LIBRARY_PATH='' nix flake lock --update-input secrets
  Open a PR and merge the affected flake.lock file.
How to add a new key to the secrets flake
The process for adding a key is relatively simple:
- Add the key to secrets-flake/secrets/keys.nix in the relevant category (or a new one if that makes sense):
    rec {
      ...
      newUserKey = [ "ssh-ed25519 <your new key>" ];
      railbirdAdminKeys = kanivanKeys ++ mikeKeys ++ hostKeys;
      railbirdDevKeys = railbirdAdminKeys ++ loewyKeys ++ deanKeys ++ micahKeys ++ andyKeys ++ benKeys ++ willKeys ++ <your new permission class>;
    }
- Then run
    agenix -r
  from secrets-flake/secrets to re-encrypt the secrets.
- Open a PR on the secrets-flake repo and merge it to master.
- In all the repos the new key needs access to (i.e. railbird-mobile, etc.) run
    just update secrets
  Open a second PR in that repo and merge the affected flake.lock file.
- The new developer needs to get on the latest master of secrets-flake locally.
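As an added example (not code from the secrets-flake repo), a Python check for the re-encryption step above: it derives the recipient tag that age writes for each ssh-ed25519 key in a key class and compares it with the stanzas in a .age file's header, so a secret that was not re-encrypted after a key was added shows up without decrypting anything. The key lines, the key-class dict and the .age header are constructed sample data.

```python
import base64
import hashlib
import struct

def recipient_tag(ssh_pubkey_line: str) -> str:
    """Tag age writes in an '-> ssh-ed25519' stanza: first 4 bytes of SHA-256 over the
    key in SSH wire format (the base64 blob of the public key line), base64 unpadded."""
    keytype, blob_b64 = ssh_pubkey_line.split()[:2]
    if keytype != "ssh-ed25519":
        raise ValueError(f"only ssh-ed25519 keys are handled, got {keytype}")
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()[:4]
    return base64.b64encode(digest).decode().rstrip("=")

def header_tags(age_text: str) -> set[str]:
    """Collect ssh-ed25519 recipient tags from the age header (lines before the '---' MAC line)."""
    tags = set()
    for line in age_text.splitlines():
        if line.startswith("---"):
            break
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["->", "ssh-ed25519"]:
            tags.add(parts[2])
    return tags

def missing_recipients(age_text: str, key_class: dict[str, str]) -> set[str]:
    """Names of keys in key_class that the .age file is NOT encrypted to (re-run agenix -r)."""
    present = header_tags(age_text)
    return {name for name, key in key_class.items() if recipient_tag(key) not in present}

def _fake_ed25519_pubkey(seed: int) -> str:
    """Constructed ssh-ed25519 public key line: valid wire format, arbitrary (non-functional) key bytes."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + f" dev{seed}@example"

# Constructed key class mirroring a keys.nix list; "dean" was added after the secret was encrypted.
RAILBIRD_DEV_KEYS = {"kanivan": _fake_ed25519_pubkey(1), "dean": _fake_ed25519_pubkey(2)}

# Constructed header with one stanza per recipient the file was encrypted to; the ephemeral
# share, wrapped file key and MAC are placeholders, since this check never needs them.
SAMPLE_AGE = (
    "age-encryption.org/v1\n"
    f"-> ssh-ed25519 {recipient_tag(RAILBIRD_DEV_KEYS['kanivan'])} <ephemeral-share-placeholder>\n"
    "<wrapped-file-key-placeholder>\n"
    "--- <mac-placeholder>\n"
)
```

A real .age file is binary after the header, so read it in binary mode and decode only the part before the line starting with "---" before passing it to header_tags.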
Potential gotchas
- You must hold a key in the permission class you are applying to the secret; in our example that class is railbirdDevKeys. You can check those permission classes in secrets-flake/secrets/keys.nix.
- Whatever you name the file will appear as RB_SECRET_<SCREAMING_SNAKE_CASE_NAME> when you mount the secret in the repo that is pulling it.