| 15 Jul 2025 |
Daniel Ramos | I'm seeing sops being used for declaring secrets at the docs: https://discourse.nixos.org/t/k3s-clusters-and-deployments-in-pure-nix/61794#p-205785-deploy-secrets-6
Then... can I suppose that my approach with agenix is safe? | 16:59:57 |
Zhaofeng Li | > Then... can I suppose that my approach with agenix is safe?
No, your secrets will end up in the store | 17:11:53 |
Zhaofeng Li | (which might be acceptable depending on your risk model) | 17:12:13 |
n4ch723hr3r | I'd still caution against it since you might set up a cache in the future, for example, and accidentally upload some credentials | 17:18:13 |
Zhaofeng Li | but I guess the more important issue is that reading config.age.secrets.x.path is semantically incorrect | 17:18:37 |
Zhaofeng Li | (the path is on the target host after activation, not your host running the evaluation) | 17:18:41 |
Daniel Ramos | I guess I'm going with sealed secrets in the end. | 17:19:00 |
Daniel Ramos | thanks for the help 🫶🏽 | 17:19:08 |
Daniel Ramos | Another question: does anyone know if it's possible to inject helm chart values via YAML? Reading the docs, it seems that it only supports Nix attribute sets? | 20:08:19 |
Daniel Ramos | (sorry, I don't know if this is the right channel for this kind of question) | 20:26:05 |
Zhaofeng Li | Doesn't look easy, but you could use a derivation to parse YAML into JSON and then read it from Nix (import from derivation). But anyways, personally I don't like the HelmChart CRD in k3s and render everything locally so I can easily patch and check diffs before applying. I've been having fun with tanka, which I recently switched to from kustomize | 20:40:34 |
Zhaofeng Li | You don't have to use nix and k3s all the way, and half-baked abstractions can be counterproductive | 20:41:34 |
Zhaofeng Li | Actually, you could just bypass the NixOS module altogether and emit your own HelmChart resource with valuesContent containing the YAML. But still, I personally don't use it | 20:43:36 |