Commit
Showing 8 changed files with 74 additions and 28 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,28 @@ | ||
# Advanced | ||
|
||
|
||
|
||
|
||
## Tricks | ||
|
||
In most cases you don't need these. | ||
|
||
### Manually deploy | ||
|
||
This must be executed on local, and be sure all secrets re-encrypted before that, since there has no module to guarantee it in this case. | ||
|
||
Manually deploy not affect next vaultix activation. It's a trick that helps you finish deploy while your flake options of vaultix broken: | ||
|
||
This eval nixos vaultix configs to json. | ||
|
||
```bash | ||
nix eval .#nixosConfigurations.your-hostname.config.vaultix-debug --json > profile.json | ||
``` | ||
/|、 | ||
(˙、.7 | ||
|、~ヽ | ||
じしf_,)ノ | ||
|
||
So that you can feed it to vaultix cli directly: | ||
|
||
```bash | ||
nix run github:oluceps/vaultix -- -p ./profile.json deploy | ||
``` | ||
|
||
To be notice that deploy secrets that needs to be extracted before user init (deploy with --early) in this way is meaningless. |
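Review bot: the four lines of ASCII art between the `nix eval` fence and "So that you can feed it to vaultix cli directly" look like an accidental paste and should be dropped, since they land in the rendered docs in the middle of a two-step procedure. The new wording also needs a pass: "Manually deploy not affect next vaultix activation" should read "A manual deploy does not affect the next vaultix activation", and "To be notice that deploy secrets that needs to be extracted before user init (deploy with --early) in this way is meaningless" should read "Note that deploying secrets that need to be extracted before user init (`--early`) this way is pointless", ideally with the reason stated (the system is already running, so user init has already happened). Most importantly, "be sure all secrets re-encrypted before that, since there has no module to guarantee it in this case" is the security-relevant caveat of this section: the manual path bypasses whatever the module normally guarantees, so consider making it a stand-out warning and telling the reader how to confirm the secrets are re-encrypted before running the deploy, rather than leaving it as a parenthetical.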
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,23 @@ | ||
# Vaultix | ||
|
||
### Secret management for NixOS. | ||
### Single-admin Secret Manage Scheme for NixOS. | ||
|
||
This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). Based on rust [age](https://docs.rs/age/latest/age) crate. | ||
|
||
+ Support Template | ||
+ Age Plugin Compatible | ||
+ Support PIV Card (Yubikey) | ||
+ Support identity with passphrase | ||
+ Compatible with `userborn` module option | ||
+ No Bash | ||
This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). | ||
|
||
+ Based on age rust [implemention](https://docs.rs/age/latest/age) | ||
+ Support secure identity with passphrase | ||
+ Support template for reusing insensitive stanza | ||
+ Support Yubikey PIV with [age-yubikey-plugin](https://github.com/str4d/age-plugin-yubikey) | ||
+ Small closure size increase (less than 1.5M[^1]) | ||
+ Fits well with new `sysuser` nixos userborn machenism[^2] | ||
+ Design with [flake-parts](https://flake.parts/) and modulized flake | ||
+ Written in Rust for speed, safety, and simplicity | ||
+ Compatible and tested with known[^3] nixos deployment tools | ||
|
||
|
||
|
||
|
||
[^1]: nix build result on Nov 18 2024, 1357112 bytes. | ||
[^2]: See merged pr [270727](https://github.com/NixOS/nixpkgs/pull/270727) and [332719](https://github.com/NixOS/nixpkgs/pull/332719) | ||
[^3]: nixos-rebuild, apply, colmena was confirmed supported |
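Review bot: several typos in the new feature list should be fixed before merge: "implemention" should be "implementation", "machenism" should be "mechanism", "insensitive stanza" presumably means "non-sensitive stanza", and the new tagline "Single-admin Secret Manage Scheme" should be "Single-admin Secret Management Scheme". Footnote [^3] needs "were confirmed supported" (or "are confirmed to work"). On substance, the old list advertised "Age Plugin Compatible" while the new one names only the Yubikey plugin; if generic age plugin support still holds, keep that bullet, otherwise the narrowing deserves a mention in the commit message. "Support secure identity with passphrase" is the bullet readers will weigh most from a key-handling standpoint, so a short clause on what the passphrase protects would make the claim concrete. The closure-size footnote helpfully dates its measurement; consider writing the unit as "1.5 MB" rather than "1.5M".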