forked from DGNum/colmena
parent
c171a43328
commit
4e828171d8
1 changed files with 6 additions and 0 deletions
|
@ -33,3 +33,9 @@ To upload your secrets without performing a full deployment, use `colmena upload
|
||||||
|
|
||||||
For each secret file deployed using `deployment.keys`, a systemd service with the name of `${name}-key.service` is created (`acme-credentials.secret-key.service` for the example above).
|
For each secret file deployed using `deployment.keys`, a systemd service with the name of `${name}-key.service` is created (`acme-credentials.secret-key.service` for the example above).
|
||||||
This unit is only active when the corresponding file is present, allowing you to set up dependencies for services requiring secret files to function.
|
This unit is only active when the corresponding file is present, allowing you to set up dependencies for services requiring secret files to function.
|
||||||
|
|
||||||
|
## Flakes
|
||||||
|
|
||||||
|
If you are using flakes, Nix will copy the entire flake (everything tracked by git) into the Nix store during evaluation.
|
||||||
|
This means the all file as checked out by git are world-readable, including the ones managed by filter-based encryption tools like `git-crypt`.
|
||||||
|
To use `deployment.keys.<name>.keyFile` with flakes without having the secrets copied to the Nix store, a quoted absolute path can be used.
|
||||||
|
|
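Review bot: In the new Flakes section, the added sentence "This means the all file as checked out by git are world-readable" is ungrammatical and does not say where the files end up readable. Suggest something like "This means that all files, as checked out by git, are world-readable in the Nix store, including the ones managed by filter-based encryption tools like `git-crypt`." The last added sentence should also say why a quoted absolute path avoids the copy (it is a plain string rather than a Nix path literal, so it is not imported into the store) and would be clearer with a one-line example, for instance `keyFile = "/path/to/secret";` with a placeholder path, so that readers do not write an unquoted path by habit.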