doc: be more forceful about needing at least 20.09

Ryan Mulligan 2021-05-12 20:21:42 -07:00
parent c27b6334a2
commit 400e5208be

@ -19,8 +19,8 @@ All files in the Nix store are readable by any system user, so it is not a suita
## Notices ## Notices
* The `age` module will only work if you use NixOS with [commit e6b8587](https://github.com/NixOS/nixpkgs/commit/e6b8587b25a19528695c5c270e6ff1c209705c31) which is included in the latest `nixos-20.09` or `nixos-unstable` releases.
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. * Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
* If you want to manage user's hashed passwords, you must use a version of NixOS with [commit e6b8587](https://github.com/NixOS/nixpkgs/commit/e6b8587b25a19528695c5c270e6ff1c209705c31), so the root-owned secrets can be decrypted before the user activation script runs. Currently available on up to date `20.09` and `unstable`.
## Installation ## Installation
@ -161,7 +161,6 @@ but, if you want to (change the system based on your system):
```nix ```nix
age.secrets.secret1.file = ../secrets/secret1.age; age.secrets.secret1.file = ../secrets/secret1.age;
``` ```
5. NixOS rebuild or use your deployment tool like usual. 5. NixOS rebuild or use your deployment tool like usual.
The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/secrets/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix). The secret will be decrypted to the value of `age.secrets.secret1.path` (`/run/secrets/secret1` by default). For per-secret options controlling ownership etc, see [modules/age.nix](modules/age.nix).
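Review bot: The header for this hunk (-161,7 +161,6) says one line is dropped, yet every visible line around the `age.secrets.secret1.file` example and step 5 appears unchanged, so the removal looks like a whitespace-only edit. That is unrelated to the commit subject about requiring 20.09. Either mention the cleanup in the commit message or move it to its own commit, and confirm that step 5 and the paragraph about `age.secrets.secret1.path` still render as part of the numbered list once the line is gone.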