From 4e828171d8083910f6b37779153ccb48729fa9a3 Mon Sep 17 00:00:00 2001 From: Zhaofeng Li Date: Sun, 18 Sep 2022 17:27:46 -0600 Subject: [PATCH] manual/keys: Add note about flake-copying behavior in Nix Ref: #78 --- manual/src/features/keys.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manual/src/features/keys.md b/manual/src/features/keys.md index be2b5eb..e11db2e 100644 --- a/manual/src/features/keys.md +++ b/manual/src/features/keys.md @@ -33,3 +33,9 @@ To upload your secrets without performing a full deployment, use `colmena upload For each secret file deployed using `deployment.keys`, a systemd service with the name of `${name}-key.service` is created (`acme-credentials.secret-key.service` for the example above). This unit is only active when the corresponding file is present, allowing you to set up dependencies for services requiring secret files to function. + +## Flakes + +If you are using flakes, Nix will copy the entire flake (everything tracked by git) into the Nix store during evaluation. +This means the all file as checked out by git are world-readable, including the ones managed by filter-based encryption tools like `git-crypt`. +To use `deployment.keys..keyFile` with flakes without having the secrets copied to the Nix store, a quoted absolute path can be used.
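Review bot: the line `+This means the all file as checked out by git are world-readable` has a grammar slip; suggest "This means all files as checked out by git are world-readable". The reference `deployment.keys..keyFile` in the last added line has two consecutive dots, which looks like a dropped placeholder for the key name; please check that the intended form (with the name segment between `keys` and `keyFile`) survives in the rendered manual. The final sentence would also be clearer with a concrete contrast, since the security point is that an unquoted Nix path literal is copied into the world-readable store while a quoted string is only read on the deploying machine at upload time; for example: `keyFile = ./secrets/acme.key;` (path literal, copied to the store) versus `keyFile = "/home/user/secrets/acme.key";` (quoted string, not copied).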