Integrating Podam & sops-nix for Secret Management on NixOS

[Kynson]

Hello,

I would like to seek for assistant on the "best"/proper way to integrate sops-nix and podman.

Background

Currently I manage my secrets with sops-nix as it allows me to manage the secrets declaratively. I would like allow containers to be able to access some of the secrets (either from an env variable or file). sops-nix mounts secrets on /run/secrets/mysecret on the host.

Possible Solution

I come up with two possible solutions which may solve my issue, but I am not sure which one is better:

1. Bind mount the secret to the container. As the secret exists as a file on the host, bind mounting it to the container should be straightforward. Yet, I am not sure if it is secure enough (comparing using podman secret)
2. Custom secret shell driver. Define a shell driver in container.conf by writing scripts that read the secret file on the host. This only works if podman will execute my script every time the container starts. Yet, the four supported options (list, lookup, store, delete) do not seem to related to accessing/ reading (correct me if I am wrong).

Feel free to suggest other ways if there is any.

Why not use podman secret

It is because I would like to manage everything declaratively. Using podman secret requires running the create command every time secrets are update/created. This somehow to me breaches the rationale of manage everything declaratively when using NixOS.

Thanks in advance!

[Luap99]

Bind mount the secret to the container. As the secret exists as a file on the host, bind mounting it to the container should be straightforward. Yet, I am not sure if it is secure enough (comparing using podman secret)

That is exactly what podman secretes is doing