In this current case I've been banging my head against, I'm doing some funky #systemd & #NixOS magic.

The idea is that the NixOS module for this particular app will have a config and a secret-files option set for the services.$program attribute. The latter is something to fill with sops-nix file paths and stuff.

At build time, I will replace any values in secret-files with #path.to.key# (eg, secret-files.something.token = "blah" will become secret-files.something.token = "#something.token#").

Then, the systemd service file will have an ExecStartPre=, which calls a script that replaces all the #blah# tokens in the config file template, and shoves it in $RUNTIME_DIR/etc/config.toml, and the program will use that.
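An added example of what that ExecStartPre= script could look like, not code from the post or from any project; it assumes the Nix module also emits a small mapping file (one key=/path/to/secret line per entry, the key being the #path.to.key# name) and that the unit sets RuntimeDirectory=, which makes systemd export $RUNTIME_DIRECTORY. Substitution is done with shell parameter expansion only, so the secret values never pass through the argv of a child process like sed.

```shell
#!/bin/sh
# Render config.toml from a template by replacing every "#key#" token with
# the contents of the secret file that "key" maps to.
# Assumed mapping file format (generated by the Nix module):  key=/run/secrets/name
set -eu

# replace_all STRING NEEDLE REPLACEMENT
# Prints STRING with every literal occurrence of NEEDLE replaced.
# Pure POSIX parameter expansion; the needle is quoted so "." and "#" stay literal.
replace_all() {
    s=$1; needle=$2; repl=$3; out=""
    while :; do
        case $s in
            *"$needle"*)
                out="$out${s%%"$needle"*}$repl"
                s=${s#*"$needle"}
                ;;
            *)
                out="$out$s"
                break
                ;;
        esac
    done
    printf '%s' "$out"
}

# render_config TEMPLATE MAPPING OUTPUT
render_config() {
    template=$1; mapping=$2; output=$3
    content=$(cat "$template")          # $(...) drops trailing newlines; restored on write
    while IFS='=' read -r key path || [ -n "$key" ]; do
        [ -z "$key" ] && continue
        case $key in '#'*) continue ;; esac        # allow comment lines in the mapping
        secret=$(cat "$path")                       # trailing newline of the secret file is stripped
        content=$(replace_all "$content" "#$key#" "$secret")
    done < "$mapping"
    # Write with a restrictive umask so the rendered file is owner-only from the start.
    ( umask 077; printf '%s\n' "$content" > "$output" )
}

# Intended invocation from the unit, e.g.:
#   ExecStartPre=/path/to/render.sh /nix/store/...-config.toml.tmpl /nix/store/...-secrets.map ${RUNTIME_DIRECTORY}/etc/config.toml
if [ "$#" -eq 3 ]; then
    render_config "$@"
fi
```

Because RuntimeDirectory= is removed by systemd when the service stops, the rendered file lives exactly as long as the service does.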
This way the secrets aren't in the store, aren't in environment variables, and the config file only lives as long as the service is running, and is pretty much bound to it in every possible way.
I wouldn't have to do this if said app were able to load secrets from files itself, but alas... I could just encrypt the entire configuration file, but that's going to be a big fat nope.
Working with encrypted files is a pain in the ass, and I want most of my configuration in the clear, and documented - not something I can reasonably do when the entire config file is encrypted. Not in a way I want to, anyway (embedded comments are not documentation).