Railbird Secrets Flake

Railbird manages our secrets using agenix. This page will take you through the process of adding a new one.

How to encrypt a secret in the secrets-flake repo

  1. Add an entry for the secret in secrets.nix, e.g. "my_example_secret.yaml.age".publicKeys = keys.railbirdDevKeys;. The entry name must match the file name you encrypt in the next step.
  2. Run agenix -e my_example_secret.yaml.age; an editor opens. Paste the plaintext into that file, then save and close it. If you open the resulting file it will now contain a short text header followed by binary data. Run agenix -d my_example_secret.yaml.age to print the decrypted secret to the terminal and confirm the encryption worked (note that this puts the plaintext in your terminal scrollback).
  3. Open a PR on the secrets-flake repo and merge it to master.
  4. In every repo that consumes the secret, run LD_LIBRARY_PATH='' nix flake lock --update-input secrets, then open a PR and merge the updated flake.lock file.

How to add a new key to the secrets flake

The process for adding a key is relatively simple:

  1. Add the key to secrets-flake/secrets/keys.nix in the relevant category (or a new one if that makes sense).
    rec {
      ...
      # One list per person or host; each entry is an SSH public key string.
      newUserKey = [
        "ssh-ed25519 <your new key>"
      ];
      # Permission classes are built by concatenating (++) the individual key lists.
      railbirdAdminKeys = kanivanKeys ++ mikeKeys ++ hostKeys;
      railbirdDevKeys = railbirdAdminKeys ++ loewyKeys ++ deanKeys ++ micahKeys ++ andyKeys ++ benKeys ++ willKeys ++ <your new permission class>;
    }
    
  2. Then run agenix -r from secrets-flake/secrets to re-encrypt every secret for the updated key set.
  3. Open a PR on the secrets-flake repo and merge it to master.
  4. In every repo the new key needs access to (i.e. railbird-mobile, etc.) run just update secrets. Open a second PR in that repo and merge the updated flake.lock file.
  5. The new developer then needs to pull the latest master of secrets-flake locally.
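A pre-PR consistency check for both procedures above, written here as an added example (it is not from the Railbird docs or from agenix itself): it reads secrets.nix and keys.nix from a secrets-flake checkout and reports entries without an encrypted file, encrypted files without an entry, and publicKeys classes that keys.nix never defines. It assumes the layout shown above (secrets.nix, keys.nix and the .age files in one directory) and one-line entries of the form "name.age".publicKeys = keys.someClass;.

```shell
#!/usr/bin/env sh
# Added example, not code from the Railbird docs or from agenix itself.
# Cross-checks secrets.nix against the *.age files beside it and against the
# key classes defined in keys.nix. Assumes the layout this page describes
# (secrets.nix, keys.nix and the *.age files in one directory) and one-line
# entries of the form:  "name.age".publicKeys = keys.someClass;

# Print "name.age class" for every entry in the given secrets.nix.
list_secret_entries() {
  sed -n 's/^[[:space:]]*"\([^"]*\.age\)"\.publicKeys[[:space:]]*=[[:space:]]*keys\.\([A-Za-z0-9_]*\);.*/\1 \2/p' "$1"
}

# Print the top-level attribute names (key classes and per-person lists)
# defined in keys.nix, one per line.
list_key_classes() {
  sed -n 's/^[[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1"
}

# check_secrets_dir DIR: return 0 when consistent; otherwise print one line
# per problem to stderr and return 1. Findings are gathered in a command
# substitution because `| while read` runs in a subshell and would lose
# any counter incremented inside it.
check_secrets_dir() {
  dir=$1
  problems=$(
    classes=$(list_key_classes "$dir/keys.nix")
    list_secret_entries "$dir/secrets.nix" | while read -r name class; do
      [ -f "$dir/$name" ] \
        || echo "missing file: $name is listed but was never encrypted"
      printf '%s\n' "$classes" | grep -qx "$class" \
        || echo "unknown key class: keys.$class used by $name"
    done
    for f in "$dir"/*.age; do
      [ -e "$f" ] || continue              # directory holds no *.age files
      base=${f##*/}
      list_secret_entries "$dir/secrets.nix" \
        | awk -v n="$base" '$1 == n { found = 1 } END { exit !found }' \
        || echo "unlisted file: $base has no entry in secrets.nix"
    done
  )
  if [ -z "$problems" ]; then
    return 0
  fi
  printf '%s\n' "$problems" >&2
  return 1
}
```

Run it as check_secrets_dir secrets-flake/secrets before opening the PR; a non-zero exit means one of the steps above was skipped or mistyped.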

Potential gotchas

  • Your own key must be in the permission class you apply to the secret; in the example above that class is railbirdDevKeys. The permission classes are defined in secrets-flake/secrets/keys.nix.
  • The file name determines how the secret is exposed: it appears as RB_SECRET_<SCREAMING_SNAKE_CASE_NAME> when the consuming repo mounts it.