Using agenix for docspell secrets #2451

Open
MrCustomizer opened this issue Jan 4, 2024 · 6 comments
Comments

@MrCustomizer

I want to move from the docker deployment to the Nix deployment. I'm handling my secrets in NixOS with ragenix. But I'm having a hard time figuring out how to use ragenix with the Nix modules of docspell. Is that even possible, currently?

Ragenix and agenix are file-based, which is why the options that take the secrets have to support file-based secret handling. I'm guessing I could deploy a config file for docspell and replace the secrets with the trick mentioned at the bottom of https://nixos.wiki/wiki/Agenix. But it would be nice if this hack could be avoided. Is there a better way to do this?

@eikek
Owner

eikek commented Jan 6, 2024

Hello @MrCustomizer, I don't use this myself, so I don't know better ways. I suppose that the trick you mentioned should work here. If you want to add more options to the module to better support ragenix (like reading secrets from files), then please feel free to do so any time.

@MrCustomizer
Author

Hello eikek. Thanks for the information. I will think about creating a PR for docspell to better support this. But first I have to get to know NixOS a little bit better. I just started using it a few weeks ago and there is a lot of stuff that is still pretty new to me.

@MrCustomizer
Author

@eikek: The trick mentioned in the wiki does not work. The first problem is that there is no way to access the path of the config files in a NixOS configuration file. The second problem is that even if it were accessible, the file would be read-only, as it is an element located in the Nix store, which is read-only by design. So currently, there is no way to use agenix with docspell.

To my understanding, this is a big security issue. Not only do you have to add the passwords and secrets directly to the NixOS configuration, which normally is world-readable, but also the config files themselves are stored in the Nix store, including the passwords and secrets. The Nix store is also world-readable, so the secrets are world-readable, too.

For reference: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

If I'm not mistaken, it is currently sadly not advisable to use these Nix modules as they are unsafe. I'm still lacking the knowledge to fix this myself, as I'm very new to NixOS and I am struggling a lot with NixOS's configuration language and syntax.

If anyone wants to jump in, I guess at least these two things would have to be done to improve the situation:

  • Move the configuration files from the Nix store to /var/lib/docspell and set appropriate permissions, so only the docspell user can read them
  • Allow setting the secrets and passwords by file instead of only as a string

@MrCustomizer
Author

It's possible you wouldn't have to move the config file if docspell itself were able to read the secrets and passwords from files. In that case, the config file would only contain the paths to the secured files, which contain the secrets.

@eikek
Owner

eikek commented Feb 11, 2024

Hi @MrCustomizer, you are right, currently the entire config is written to the nix store. For me this is not a big problem as the machine is a private one and not exposed. Of course, it is not nice and should be changed :)

I think a quite easy way is doing what you suggest in 1 - we can simply write the config to another location (at PreStart) and make it readable only to the user owning the process.

Another rather quick option is to add one more config option that accepts the entire config file. Then you can use agenix and provide the entire config this way. The module can use this file if it is present, otherwise fallback to the current state.

A nicer way is to read these sensitive things selectively from files so that something like agenix can be used. This requires changes to docspell itself (not just the nix code). I would like to change it this way, but until this happens you could look into the other alternatives (simply copy the module definition to your setup).

@eikek eikek reopened this Feb 11, 2024
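The "write the config to another location at PreStart and make it readable only to the service user" option above, and the earlier wish list (move the config out of the Nix store, feed secrets in by file), as an added example that is not code from the docspell module or the Nix wiki. It assumes a config template with a placeholder token in the read-only store, an agenix/ragenix-decrypted secret file, and a state directory owned by the docspell user; those paths, the token and the user name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the docspell module or the Nix wiki. A template
# with a placeholder sits read-only in the Nix store; at service start the
# placeholder is replaced with the contents of an agenix/ragenix-decrypted
# secret file and the result is written with mode 0600, so the plaintext never
# enters the world-readable store. Paths, placeholder token and service user
# are assumptions.
set -eu

# render_config TEMPLATE SECRET_FILE PLACEHOLDER OUT_FILE [OWNER]
render_config() {
  template=$1 secret_file=$2 placeholder=$3 out=$4 owner=${5:-}
  if [ ! -r "$secret_file" ]; then
    echo "render_config: secret file '$secret_file' is not readable" >&2
    return 1
  fi
  # The subshell scopes umask 077, so OUT_FILE is created 0600 from the start:
  # there is no window in which a default 0644 file holds the secret.
  # $(...) drops the trailing newline that decrypted secret files usually carry;
  # secret and placeholder reach awk via the environment, so regex and shell
  # metacharacters inside them are never interpreted.
  ( umask 077
    SECRET=$(cat "$secret_file") PH=$placeholder awk '
      BEGIN { ph = ENVIRON["PH"]; secret = ENVIRON["SECRET"] }
      {
        line = $0; rendered = ""
        # literal, non-recursive replacement of every occurrence on the line
        while ((i = index(line, ph)) > 0) {
          rendered = rendered substr(line, 1, i - 1) secret
          line = substr(line, i + length(ph))
        }
        print rendered line
      }' "$template" > "$out" )
  chmod 0600 "$out"                         # also tightens a pre-existing file
  [ -n "$owner" ] && chown "$owner" "$out"  # only meaningful as root at PreStart
  return 0
}

# Typical use from a systemd ExecStartPre (all paths are assumptions):
#   render_config "$templateFromStore" /run/agenix/docspell-db-password \
#     '@DB_PASSWORD@' /var/lib/docspell/docspell.conf docspell
```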
@MrCustomizer
Author

Thanks for your ongoing efforts, @eikek. Docspell is a great project. Nevertheless, I will not follow up on this matter, as I will probably move to paperless-ngx in the next few days. The project is currently better supported in NixOS and has recently gained some features I'm pretty interested in.

If you want to follow up on this issue, in my opinion it would probably be best to support reading secrets from files directly in Docspell itself. I think it would not only help in getting agenix to work but also the other credential stores like sops-nix etc.
