Run-time provisioning of secrets with sops-nix or agenix is a nice feature. However, it is problematic for services that require their secrets inside their config file and offer no other way of receiving them. Forking the NixOS module, or even the upstream package, to make it compatible with run-time provisioned secrets can be a lot of work, and you suddenly have to maintain a fork. Not ideal.
Scalpel is a set of tools and a workflow that provides minimally invasive, secure secrets provisioning to config files by using the recent `extendModules` feature of NixOS. The basic workflow is:
- Configure the service normally and put placeholders where your secrets go
- Create a transformator that replaces the placeholders with the actual secrets and writes the result to a ramdisk. Transformators run at activation time.
- Use `extendModules` to obtain the service's config-file path in the nix-store (to be passed to the transformator) and replace it with the ramdisk path
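To make the three steps concrete, here is the workflow done by hand in a flake, without Scalpel's own options. This is an added illustration, not code from the Scalpel repository. It assumes a hypothetical NixOS module `services.example` that renders its `settings` into a store-path config file exposed as the option `services.example.configFile`, a service user `example`, agenix as the secret manager (the activation-script dependency name `agenixInstall` is assumed), and the `replace-secret` tool from nixpkgs for the in-place substitution:

```nix
# flake.nix (excerpt). Hand-rolled version of the workflow; not Scalpel's API.
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  inputs.agenix.url = "github:ryantm/agenix";

  outputs = { self, nixpkgs, agenix, ... }:
    let
      system = "x86_64-linux";

      # Step 1: configure the service normally. Only the placeholder reaches
      # the nix-store; the secret itself is never seen at evaluation time.
      placeholder = "@EXAMPLE_PASSWORD@";
      base = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          agenix.nixosModules.default
          ./configuration.nix
          {
            age.secrets.example-password.file = ./secrets/example-password.age;
            # `services.example.*` is a hypothetical module (assumption) that
            # renders `settings` to a store path exposed as `configFile`.
            services.example.enable = true;
            services.example.settings.password = placeholder;
          }
        ];
      };

      # Step 3a: read the rendered store path out of the first evaluation.
      storeConfig = base.config.services.example.configFile;
      runtimeConfig = "/run/example/config.yaml";   # /run is a tmpfs on NixOS
    in {
      nixosConfigurations.host = base.extendModules {
        modules = [
          ({ config, lib, pkgs, ... }: {
            # Step 2: the transformator. Runs at activation time, after the
            # secret has been decrypted (dependency name is an assumption).
            system.activationScripts.example-secrets = {
              deps = [ "agenixInstall" ];
              text = ''
                install -d -m 0700 -o example -g example /run/example
                install -m 0400 -o example -g example ${storeConfig} ${runtimeConfig}
                # replace-secret reads the secret from a file, so the value never
                # appears on a command line or in /proc/*/cmdline.
                ${pkgs.replace-secret}/bin/replace-secret ${lib.escapeShellArg placeholder} \
                  ${config.age.secrets.example-password.path} ${runtimeConfig}
              '';
            };
            # Step 3b: point the service at the ramdisk copy.
            services.example.configFile = lib.mkForce runtimeConfig;
          })
        ];
      };
    };
}
```

The reason `extendModules` is needed at all: reading `config.services.example.configFile` and forcing the same option to the ramdisk path inside one evaluation is infinitely recursive. Evaluating `base` first fixes the store path, and the extension only adds the transformator and the override, so the original module is used untouched and still picks up upstream updates. Check the result with `systemctl cat example.service` (the unit must reference `/run/example/config.yaml`, not a `/nix/store` path) and `nix-store --query --requisites /run/current-system | xargs grep -l '@EXAMPLE_PASSWORD@'`, which should only ever find the placeholder, never the secret.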
The goals are:
- Provide a high level of security for services that require their secrets as part of their config files
- No secrets at evaluation time, no danger of secrets ending up in the nix-store
- Does not require a fork of the module or upstream project
- Continue to reap benefits from module or upstream updates with minimal worry of breakage
There is more explanation and an example provided in the repository README.
This should be considered beta and a proof-of-concept. Comments on security and pull requests are welcome.