vaultenv VS robotnix

Having secrets in an external system (like Hashicorp Vault) and then using [vaultenv](https://github.com/channable/vaultenv) to inject these during `helm install/upgrade`. So you end up with something like `vaultenv ... -- helm install --set config.myvar=${VAULTENV_INJECTED_ENV_VALUE}` (or similar). Point is I use vaultenv to run helm with secrets injected as env vars only during the helm run, and use helm's `--set` flag to set individual secrets. This can get tedious if you have many secrets as you have to specify each of them individually with --set. Usually I wrap this in a Makefile or a shell script for easier invoking.

> Also, regarding DevOps, the tooling around Nix makes it a little brittle for anything event based--rapidly changing configurations on the fly due to network conditions (Consul, Ansible, etc). This is where configuration management is heading, and due to the static nature of Nix, delegating dynamic changes is hard/anti pattern.

Channable uses Consul, Vault, etc. for dynamic configuration and it works with Nix just fine.

You don't have to use static configuration files with Nix. Either fetch dynamic stuff using the Consul, Vault, etc. APIs at runtime or use a tool like vaultenv [1] or similar if you don't want this logic in your application code.

Put those tools in your systemd service before launching your app, and you're good to go.

(NB: I was DevOps teamlead at Channable while a part of this work was being done. Sad that I won't be able to see the final picture.)

[1]: https://github.com/channable/vaultenv

danielfullmer/robotnix

commit 660b23fb152874b6d237065045c78ceeb6ebdbf9 Author: Chirayu Desai Date: Fri Jun 24 01:41:28 2022 +0530 releasetools: Replace Trichrome fingerprint * Trichrome APKs depend on TrichromeLibrary, and they specify both package name and a certificate digest * We sign TrichromeLibrary and both dependent APKs with the same key, so we can simply make sure that the fingerprint matches the key the APK is being (re)signed with Based on: https://github.com/danielfullmer/robotnix/blob/master/modules/apps/chromium-trichrome-patcher.py Change-Id: I79f8c69787decd5abbb5d5513dee9bc357eb8814

You might be interested in https://github.com/danielfullmer/robotnix

Just noting, using Nix it is possible to build an actual real deal Android image using Robotnix:

- https://github.com/danielfullmer/robotnix/

This is different from a non-Android Linux on Mobile devices, which is what Mobile NixOS aims to achieve :).

If you still want to do your own builds, I'd recommend looking at Robotnix (https://github.com/danielfullmer/robotnix). While it doesn't out of the box build on AWS like this, it's a way more sane build process and it would be easy enough to execute a build on any cloud provider.

There are some tools already which support automated builds such as https://github.com/dan-v/rattlesnakeos-stack and https://github.com/danielfullmer/robotnix - however they'll need work to support both CalyxOS and also Android Auto.