| 20 Dec 2025 |
Sofie 🏳️⚧️ (she/her) | So anyways, does someone have a nice template which covers agenix or another secret thingy, directory centered modules and options, system deployment and other stuff | 16:54:02 |
Sofie 🏳️⚧️ (she/her) | For Nilla | 16:55:18 |
Sofie 🏳️⚧️ (she/her) | @jakehamilton:auxolotl.org do you have an example of Nilla but with agenix or similar? | 17:00:15 |
Sofie 🏳️⚧️ (she/her) | I love your Hive based config :3 | 17:00:25 |
bandithedoge | is there a way to make the lix installer not try to install fish configs? it's causing this error in my github action that uses nothing-but-nix with default settings: https://github.com/bandithedoge/nur-packages/actions/runs/20227877364/job/58063479258#step:4:83 | 17:24:38 |
goldstein | nix-repl> builtins.flakeRefToString { type = "indirect"; id = "lol"; ref = "lol/9bdfd23e28ffc1fb5a6e52e43dad4288701bb05d"; }
"flake:lol/lol/9bdfd23e28ffc1fb5a6e52e43dad4288701bb05d"
nix-repl> builtins.flakeRefToString { type = "indirect"; id = "lol"; ref = "lol"; rev = "9bdfd23e28ffc1fb5a6e52e43dad4288701bb05d"; }
"flake:lol/lol/9bdfd23e28ffc1fb5a6e52e43dad4288701bb05d"
no question here, I just want to share my pain 🫠
why are flakerefs so ambiguous | 18:54:59 |
goldstein | I knew that parse(serialize(flakeref)) is not noop because of HTTP query params, but I didn't know that indirect flakerefs are also ambiguous | 18:59:00 |
goldstein | and getFlake only takes string flakerefs, so some getFlake invocations are quite literally inexpressible | 18:59:37 |
goldstein | nix-repl> builtins.parseFlakeRef (builtins.flakeRefToString { type = "indirect"; id = "nixpkgs"; ref = "refs/heads/master"; })
error:
… while calling the 'parseFlakeRef' builtin
at «string»:1:1:
1| builtins.parseFlakeRef (builtins.flakeRefToString { type = "indirect"; id = "nixpkgs"; ref = "refs/heads/master"; })
| ^
error: GitHub URL 'flake:nixpkgs/refs/heads/master' is invalid
that one is probably a bug though? no way it’s a github url | 19:06:51 |
Sofie 🏳️⚧️ (she/her) | also, rootless install through nixsa would be nice to have! | 19:48:40 |
bandithedoge | real | 19:49:12 |
raitobezarius | In reply to @cyclopentane:aidoskyneen.eu
another missing puzzle piece imo: currently, Nix treats the eval process and the build process as two conceptually separate things. But afaict there's nothing stopping us from treating the evaluation of, say, a flake as a derivation too - that derivation would have the flake source, its dependencies and nix as inputs, and output a .drv file
I also have this in my mind and I'd like it to happen | 23:47:22 |
| 21 Dec 2025 |
SomeoneSerge (back on matrix) | It's more like aterm drv and nixlang are two different languages and both are by default applicative, with ifd making nixlang monadic and dyndrv making aterm monadic. But also I've never managed to read "a la carte" as anything more than a bunch of handwavy metaphors when applied to nix, so idk, maybe I'm too slow for this | 01:17:51 |
jakehamilton | In reply to @sofiedotcafe:matrix.org
@jakehamilton:auxolotl.org do you have an example of Nilla but with agenix or similar?
Ah I don't, I am not a fan of agenix and other existing secret solutions due to the manual work required :( | 01:19:08 |
Acid Bong | In reply to @sofiedotcafe:matrix.org
@jakehamilton:auxolotl.org do you have an example of Nilla but with agenix or similar?
Nilla is just a Nix entry point system, like flakes, while Agenix and such live within NixOS | 03:34:10 |
Acid Bong | i think you should be able to use agenix or sops-nix regardless of whether your NixOS is behind flakes, colmena and/or nilla | 03:35:57 |
piegames | Beta test the next npins release now: https://github.com/andir/npins/pull/185 | 13:21:37 |
Sofie 🏳️⚧️ (she/her) | I mean, agree :3 | 13:35:18 |
Sofie 🏳️⚧️ (she/her) | we really do need a better tool | 13:35:33 |
Acid Bong | In reply to @jakehamilton:auxolotl.org
Ah I don't, I am not a fan of agenix and other existing secret solutions due to the manual work required :(
what kinda manual work? is it about setting up ssh host keys on a new machine to decrypt the secrets? | 13:49:40 |
jakehamilton | In reply to @acidbong:envs.net
what kinda manual work? is it about setting up ssh host keys on a new machine to decrypt the secrets?
Rekeying, managing keys for different machines, etc. There are still quite a few manual steps which I feel like shouldn't be necessary. | 13:52:18 |
jakehamilton | Plus the issue of secrets being checked into git (even if encrypted). I think we can do better than that as well. | 13:53:04 |
tc424 (Steve D) | Added npins add container, which allows pinning OCI containers
Ooooooooh ... | 13:54:11 |
jakehamilton | In reply to @srtcd424:auxolotl.org
Added npins add container, which allows pinning OCI containers
Ooooooooh ... I wonder if this is specific to container images or if any artifact on an OCI registry can be pinned this way. Helm charts, for example! | 13:56:32 |
tc424 (Steve D) | I'm currently skimming it - https://github.com/andir/npins/pull/145/files | 13:57:04 |
jakehamilton | In reply to @srtcd424:auxolotl.org
I'm currently skimming it - https://github.com/andir/npins/pull/145/files
Same, seems to call out to nix-prefetch-docker | 13:57:49 |
jakehamilton | https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/docker/nix-prefetch-docker | 13:58:09 |
tc424 (Steve D) | yeah, which is something else I didn't know existed :) | 13:59:29 |
tc424 (Steve D) | and that uses skopeo | 13:59:42 |