ecs-blueprints VS agenix

I’ve been spending a week trying to learn how to deploy a collection of containers (my web app, a Postgres DB, and some microservices) to AWS and I am still so lost.

The first solution I happened upon was serverless. Specifically SST, which is written with AWS CDK, but you must develop on live services and I just can’t justify paying to develop.

Then I found Serverless Framework, which is an abstraction on CloudFormation, but the offline solutions like localstack get a lot of flack for being buggy and localstack charges for some services. I also looked into Architect but the documentation is abysmal.

Then I figured serverful might be the easier way to go. I found that docker compose has a built in integration with AWS ECS where it transforms your yaml into Cloudformation to provision the right services. However, it seems to just be missing key parts like custom domain and SSL certificate provisioning which seems to defeat the IaC ethos.

Then I figured I might go with Terraform and I found some seemingly good starters like https://github.com/aws-ia/terraform-aws-ecs-blueprints https://github.com/cloudposse/terraform-aws-ecs-web-app https://github.com/turnerlabs/terraform-ecs-fargate but the examples are just lacking. They don’t have any examples for multiple containers that can access each others’ resources that I can find. Reading these templates has at least given me a better idea of the resources I need to provision in AWS but the networking and configuration still frighten me. Like do I need to configure nginx with a reverse proxy myself? How do I orchestrate that container with the others? And apparently services can crash and just not restart? And I need to make sure to configure volumes for data that needs to persist. And setting up the CI/CD seems daunting.

I’ve also heard about docker swarm, kubernetes, pulumi, AWS SAM, etc but it’s a lot to learn. When I go on Discords for web frameworks, mostly everyone including the devs of these frameworks use 2nd tier managed providers like Vercel, Fly, Netlify, Supabase, Cloudflare, etc. But many of those are just not as reliable as core cloud providers and the cost is way higher. Glad to see I’m not alone in a very reasonable expectation of a simple way to orchestrate multiple containers on AWS, what must be the most common use case web developers have

How about: https://github.com/ryantm/agenix

I've heard good things about and seen sops-nix used on a few really solid configs. Others tend to use Age or Homeage.

I don't have a write-up, just my code in git. But it's not public. I'm not using anything out of the ordinary - Nix containers, modules, and functions, and the Agenix module with uses a private key to decrypt secrets at start. The Nix language is inherently composable. Here are some links that explain:

Containers:

https://nixos.wiki/wiki/NixOS_Containers

Modules:

https://nixos.wiki/wiki/NixOS_modules

Functions:

https://www.reddit.com/r/NixOS/comments/zzstun/please_help_m...

Agenix:

https://github.com/ryantm/agenix

For passwords I am using agenix which is also pretty awesome, an alternative could have been sops.nix.

Alternatively, you could simply add the wireless connection files to the Networkmanager dir in /etc using environment.etc. Though keep in mind that any file declared in your config is readable by any user in your system. agenix would be the solution to that.

One think I saw that I don't recommend is to change your password after installing; that's not very reporoducible, use users.users..hashedPassword or users.users..passwordFile with agenix or sops-nix.

Answering your broader question (secret management) colmena does that for me outside the Nix store. I also use git-crypt to store secrets in the repo. There are also more Nix-y alternatives like agenix.

I feel that trying to make SSH keys short-lived is becoming more painful each year because there's an increase of tools that use SSH keys for purposes other than SSH logins. For example, age [1] encrypts files with SSH keys, agenix [2] does secrets management with it, Git can now sign commits with it [3], and even ssh-keygen can now sign arbitrary data [4]. All of these become useless the moment you start using short-lived keys.

[1]: https://github.com/FiloSottile/age

[2]: https://github.com/ryantm/agenix

[3]: https://calebhearth.com/sign-git-with-ssh

[4]: https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html

I built this because I try to keep as much as possible outside of my system config but all of the secret managers I found were system only. I had no idea how to solve this until I found RaitoBezarius' awesome pull request to agenix where it all clicked. It also exposed me to the inner workings of home-manager which has definitely made me appreciate it more! I kept this separate from agenix because I am interested only in a module rather than a CLI and thus see it as having a different fit.

I've been thinking about the same thing. I haven't gotten around to it yet but agenix looked the most promising to me so far