How to handle configuration secret for deploying NixOS in CICD with flake?

winston0410 · October 29, 2021, 11:33am

I want to create a cicd workflow which will build the NixOS and deploy it for me when I push any changes to the configuration. This is the configuration I have right now, and I am deploying with a single command deploy now

github.com

winston0410/homelab/blob/b655f8f01e22e1925bf7a1b1c3bdcac9a9d6c15f/flake.nix

{
  description = "Flake for deployment";

  inputs = {
    deploy-rs = { url = "github:serokell/deploy-rs"; };

    nixpkgs = { url = "github:nixos/nixpkgs/nixos-unstable"; };

    remote-flake-template = {
      url = "github:winston0410/remote-flake-template";
    };

    flake-utils = { url = "github:numtide/flake-utils"; };

    life-builder = { url = "github:winston0410/life-builder"; };

    otp-server = { url = "github:winston0410/otp-server"; };

    #NOTE Save secret locally
    secret = { url = "path:/home/hugosum/secret"; };

This file has been truncated. show original

It is working ok, but I cannot deploy in cicd, because I have hidden my ip in a flake in my local.

github.com

winston0410/homelab/blob/b655f8f01e22e1925bf7a1b1c3bdcac9a9d6c15f/flake.nix#L19-L20


      
          #NOTE Save secret locally
          secret = { url = "path:/home/hugosum/secret"; };

How should I deal with this kind of private configuration? I have thought of using .gitignore to ignore those private/secret files inside my current deploy flake, but it won’t work because flake tries to be pure and only takes in files from inputs or something that would be committed to git.

For dealing with runtime secret(like password or secret key), I am using agenix with is working ok. I hope I am explaining myself clearly so that you understand my issue.