manual/keys: Add note about flake-copying behavior in Nix

Ref: #78
Zhaofeng Li 2022-09-18 17:27:46 -06:00
parent c171a43328
commit 4e828171d8


@ -33,3 +33,9 @@ To upload your secrets without performing a full deployment, use `colmena upload
For each secret file deployed using `deployment.keys`, a systemd service with the name of `${name}-key.service` is created (`acme-credentials.secret-key.service` for the example above). For each secret file deployed using `deployment.keys`, a systemd service with the name of `${name}-key.service` is created (`acme-credentials.secret-key.service` for the example above).
This unit is only active when the corresponding file is present, allowing you to set up dependencies for services requiring secret files to function. This unit is only active when the corresponding file is present, allowing you to set up dependencies for services requiring secret files to function.
## Flakes
If you are using flakes, Nix will copy the entire flake (everything tracked by git) into the Nix store during evaluation.
This means the all file as checked out by git are world-readable, including the ones managed by filter-based encryption tools like `git-crypt`.
To use `deployment.keys.<name>.keyFile` with flakes without having the secrets copied to the Nix store, a quoted absolute path can be used.
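Review bot: the second added line has a grammar slip, "This means the all file as checked out by git are world-readable" should read "This means all files as checked out by git are world-readable"; it would also help to say why this matters, namely that the Nix store is readable by every local user, so a file that `git-crypt` keeps decrypted in the working tree ends up in the store in the clear. The last added line leans on a distinction the reader has to infer; consider spelling it out with a short contrast such as `keyFile = "/path/to/secret";` (a string, not copied by Nix) versus `keyFile = ./secret;` (a path literal, which is what triggers the copy into the store during evaluation).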