Vault Integration for Secrets

[grahamc]

Two things to consider:

1. A way for Vault to provide deployment.keys secrets
2. A way for Vault to provide tokens for nixops-aws and other plugins, instead of reading from the environment.

We should consider if we want to do these at all, and also if we should make its behavior something a plugin could provide.

[Mic92]

This project might be relevant as well: https://github.com/Mic92/sops-nix
Sops has vault integration to decrypt keys.

[roberth]

This could be split up into two changes, one to define the whole network via the module system, the other to add a resource similar to commandOutput, but which doesn't store a value in the state file.
Using these two, this can be implemented completely in Nix, at least for (1).
For (2) this may require plugins to provide thunks, so a tight integration with the interpreter, which is not possible with nix-instantiate. Writing a python binding for libexpr may be out of scope here, but you can chat with me about libexpr bindings though :)

[tewfik-ghariani]

Would https://github.com/PsyanticY/nixops-vault be somehow helpful?

[roberth]

This issue is mostly about getting secrets out of Vault at deployment time, whereas nixops-vault currently only supports the creation of resources inside vault; writing to vault. I suppose it could add support for a secret reading resource, which will enable (1), but perhaps not (2) just yet.

[roberth]

That said, (1) is probably not what you want anyway. Vault Agent templating would be preferable in most setups.