tuxcord/tuxcord.nix
8
2
Fork 1
Code Issues 13 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
89a0e5cf44d36961b50ee418c97fe51106938fdc
tuxcord.nix/docs/SECRETS.md
T
javalsai b00819c3c4
Check / Nix flake (push) Failing after 9s
Details
Lint / Nix expressions (push) Failing after 10s
Details
docs: document installation, secrets and setup steps
2026-05-03 18:25:42 -04:00

1.4 KiB
Raw Blame History

Secrets

Secrets are managed with agenix in the agenix/ directory. This allows to declaratively define secrets as well as which keys are allowed to decrypt them.

Usage

The agenix help menu is already very helpful, but here you have a survival guide:

  • agenix commands should run relative to the agenix/ direcotry.
  • agenix -d allows you to descrypt such file if you possess any of the decryption keys.
  • agenix -e decrypts (if present) and opens the file in your editor to re-encrypt when exited.
  • agenix -r re-encypts *.age files in the case you ever change its decryption keys.

Secrets

DNS TSIG Keys

The DNS server takes zone updates through nsupdate with symmetric TSIG keys.

These keys can be generated using tsig-keygen <key-name> (historically they were done with dnssec-keygen and HMAC algorithms, but this is no longer supported).

When DNS is enabled for a host, it will look for dns/${fqdn}/${zone}.key secrets.

  • The key whose zone matches the ${fqdn} will be allowed to tramit updates for all the domain.
  • Keys restrained to a specific ${subdomain} will only be allowed to edit records of such subdomain.
  • All keys must be named with the zone they affect, final dot included, so that (e.g. tuxcord.net/javalsai.tuxcord.net.key must be generated by tsig-keygen javalsai.tuxcord.net.).
Reference in New Issue View Git Blame Copy Permalink