secrets-lengths.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

# If we have a couple of applications, lets say mattermost, jenkins, opengrok for example - 
# do they all require secrets of the same length and if so, we would need to create them at that length - so we would need scripts for each desired length, or have the length be a parameter.
   # - Mattermost: MM_SECRET (Session/Encryption Key) - 64 chars or more
   # - Mattermost: database passwords - 24 to 32 chars reccommended
   # - Jenkins master key: 128 bit key, around 24 chars
   # - Jenkins API tokens - 32 chars typically
   # - Jenkins misc tokens - at least 32 to 64 chars
   # - opengrok - between 16 and 64 chars depending on what for


# There are multiple ways to generate secrets, here's a by no means complete set of examples - we could even generate the long ones and cut them down. 

# Generate a random 32-byte secret and output as base32
    head -c 32 /dev/urandom | base32

# You can programmatically access or generate secrets:
    nix eval --raw '(import <nixpkgs> {}).lib.mkSecret "mysecret"'

# You can also store secrets outside the config with systemd:
    {
      systemd.services.myService.environment = {
        SECRET_KEY = builtins.readFile /etc/secrets/mysecret;
      };
    }
# mkpasswd
  # variety of encryption methods, of different lengths

# Many NixOS users integrate password managers to generate secrets dynamically:
    pass generate my-service/secret 32

# Here's reusable secrets.nix template for NixOS. It generates multiple secrets for different services and can be imported into configuration.nix without exposing them in Git.

    { lib, pkgs, ... }:

    let
      # Helper to generate a random base32 secret of given length
      randomSecret = length:
        builtins.toString (builtins.base32Encode (pkgs.lib.randomString length));

    in {
      # Example: PostgreSQL password
      postgresPassword = lib.mkSecret (randomSecret 32);

      # Example: Redis password
      redisPassword = lib.mkSecret (randomSecret 32);

      # Example: API token for some internal service
      internalApiToken = lib.mkSecret (randomSecret 40);

      # Example: Web application secret key
      webAppSecretKey = lib.mkSecret (randomSecret 64);

      # Example: SSH authorized key for automated tasks
      automatedSshKey = lib.mkSecret (randomSecret 32);

      # You can add more services as needed
    }
# and how to use in configuration.nix:
    { config, pkgs, ... }:

    let
      secrets = import ./secrets.nix { inherit pkgs lib; };
    in
    {
      services.postgresql = {
        enable = true;
        authentication = {
          password = secrets.postgresPassword;
        };
      };

      services.redis.enable = true;
      services.redis.password = secrets.redisPassword;

      # Example environment variable for web service
      systemd.services.myWebApp.environment = {
        SECRET_KEY = secrets.webAppSecretKey;
        API_TOKEN = secrets.internalApiToken;
      };
    }

# ==========================================================================================
  # 1. Short secrets (8–16 characters)
  #    •	Use: Low-security tokens, simple service passwords, or internal tools with limited exposure.
  #    •	Example Applications:
  #    •	Temporary API keys for internal scripts
  #    •	Simple Redis instance with limited access
  #    •	Example:
  shortToken = lib.mkSecret (builtins.toString (pkgs.lib.randomString 12));
      
  # 2. Medium secrets (20–32 characters)
  #	•	Use: Standard passwords for services, moderate security tokens, session keys.
  #	•	Example Applications:
  #	•	PostgreSQL or MySQL passwords
  #	•	Redis passwords
  #	•	Docker registry tokens
  #	•	Example:
  postgresPassword = lib.mkSecret (builtins.toString (pkgs.lib.randomString 24));
  redisPassword    = lib.mkSecret (builtins.toString (pkgs.lib.randomString 32));

  # 3. Long secrets (40–64 characters)
  #	•	Use: Cryptographic keys, high-security API tokens, web application secrets.
  #	•	Example Applications:
  #	•	Web framework SECRET_KEY for session encryption (Django, Flask, etc.)
  #	•	JWT signing keys
  #	•	OAuth2 client secrets
  #	•	Example:
  webAppSecretKey   = lib.mkSecret (builtins.toString (pkgs.lib.randomString 64));
  internalApiToken  = lib.mkSecret (builtins.toString (pkgs.lib.randomString 48));

  # 4. Very long secrets (128+ characters)
  # •	Use: Encryption keys, long-lived service-to-service authentication, blockchain keys.
  # •	Example Applications:
  # •	SSH private keys or passphrases
  # •	TLS certificates private keys
  # •	End-to-end encryption secrets for messaging apps
  # •	Example:
  tlsPrivateKey = lib.mkSecret (builtins.toString (pkgs.lib.randomString 128));
  sshKeyPassphrase = lib.mkSecret (builtins.toString (pkgs.lib.randomString 256));