Railbird Secrets Flake
Railbird manages our secrets using agenix. This page will take you through the process of adding a new one.
How to encrypt a secret in the secrets-flake repo
- Add the secret in secrets.nix e.g.
"my_example_secret.json.age".publicKeys = keys.railbirdDevKeys;. - Run
agenix -e my_example_secret.yaml.age; an editor will open. Put the unencrypted text in to that file and save and close it. If you open that file it will now look like some strings and then a bunch of binary data. You can runagenix -d my_example_secret.yaml.ageto output the unencrypted secret to the terminal to check if you did it successfully. - Open a PR on the secrets-flake repo and merge it to master.
- In all the repos affected by the secret run
LD_LIBRARY_PATH='' nix flake lock --update-input secrets. Open a PR and merge the affectedflake.lockfile.
How to add a new key to the secrets flake
The process for adding a key is relatively simple:
- Add the key to secrets-flake/secrets/keys.nix in the relevant category (or a new one if that makes sense).
rec { ... newUserKey = [ "ssh-ed25519 <your new key>" ]; railbirdAdminKeys = kanivanKeys ++ mikeKeys ++ hostKeys; railbirdDevKeys = railbirdAdminKeys ++ loewyKeys ++ deanKeys ++ micahKeys ++ andyKeys ++ benKeys ++ willKeys ++ <your new permission class>; } - Then run
agenix -rfrom secrets-flake/secrets to reencrypt the secrets. - Open a PR on the secrets-flake repo and merge it to master.
- In all the repos the new key needs access to (ie railbird-mobile, etc.) run
just update secrets. Open a second PR in that repo and merge the affectedflake.lockfile. - The new developer needs to get on the latest master of secrets-flake locally
Potential gotchas
- You must have the permissions of the class you are trying to apply to the secret in our example case that class is
railbirdDevKeys. You can check those permission classes here. - Whatever you name the file will appear as
RB_SECRET_<SCREAMING_SNAKE_CASE_NAME>when you mount the secret in the repo that is pulling it.