| 24 Aug 2021 |
| Tejas Agarwal left the room. | 17:06:30 |
| 26 Aug 2021 |
nix-community-bot | [nix-community/infra] ryantm pushed to master: update nixpkgs-update
* when using updateScript, ensure update doesn't already exist - https://github.com/nix-community/infra/commit/3195b9c00b6a1b3b3ff76605b80240d6f5abc007 | 01:41:31 |
ryantm | deploying to build02 | 01:42:52 |
Sandro | Are you done yet ryantm ? | 09:32:59 |
Mic92 | I guess so | 09:36:12 |
ryantm | Oh yes sorry. | 13:33:46 |
Jonas Chevalier | Mic92: why don't we switch to using sops-nix for the infra? | 14:21:15 |
Mic92 | @zimbatm: I guess nothing speaks against it. | 14:21:42 |
Jonas Chevalier | might as well exercise it | 14:21:57 |
Mic92 | Does terraform need any secrets? | 14:22:37 |
Jonas Chevalier | even if that's the case, terraform-sops is also a thing | 14:23:12 |
Mic92 | Right. I was pretty sure there was something | 14:23:24 |
Mic92 | Then it's uniform | 14:23:35 |
Mic92 | In October I plan to add support for age but the current ssh rsa key support will stay as well. Right now we have our gpg keys anyway so this is probably the easiest option to switch to. | 14:25:04 |
Jonas Chevalier | agreed. | 14:36:00 |
Jonas Chevalier | maybe one day we can get rid of GPG, that would be nice | 14:36:14 |
Mic92 | Yeah. I definitely will add this because I want to migrate some servers in university to it as well. | 14:58:05 |
Mic92 | It also makes sops-nix nicer because you no longer need the ssh private host server key for bootstrapping. | 14:58:33 |
Mic92 | Age only needs public keys whereas gpg needs public keys signed by the private key. | 14:59:11 |
Jonas Chevalier | do you think sops is still worth it if we use age, or should we just use age without the indirection? | 15:16:00 |
Mic92 | Personally I like the sops editor over having one file per secret | 15:20:52 |
Jonas Chevalier | ok, you convinced me :D | 15:23:39 |
nrdxp | if you have a yubikey, you might like this pr to agenix 😉
https://github.com/ryantm/agenix/pull/46 | 16:34:44 |
ryantm | I'm not really arguing against sops-nix, but there are arguments for having one file per secret too, like it is simpler to understand, copy secrets between places, and potentially easier to recover from some issue. | 16:37:40 |
ryantm | Also better interoperability, theoretically. | 16:38:13 |
Jonas Chevalier | nice. ryantm can I send you a yubikey? | 16:41:58 |
Jonas Chevalier | another argument is that incremental rebuild is better | 16:42:46 |
ryantm | Jonas Chevalier: Sure, I won't object 😀 I have some really old one that doesn't do the new fancy stuff. | 16:42:50 |
Jonas Chevalier | DM me your address and you'll get one :D | 16:43:15 |
@andi:kack.it | Is there a Yubikey that does USB-A + USB-C yet? | 16:46:26 |