| 13 Jul 2023 |
moots | * I don't think git-crypt would work fine for me, alone by not being able to use an SSH key for that, and I would have hoped for an agenix-similar workflow | 15:06:42 |
CRTified | So it's likely that sops-nix or agenix don't fit your usecase as well, correct? | 15:07:02 |
moots | I would love to use agenix, but it doesn't work outside NixOS | 15:07:37 |
CRTified | sops-nix relies on sops, which works outside of NixOS 🙂 | 15:07:56 |
moots | I even tried to hack around it
```nix
config-tf = pkgs.runCommand "config-tf" { } (''
  set -x
  export RULES=${./secrets.nix}
  export HOME=/home/fabi
  export IDENTITIES="~/.ssh/"
  cd ${secrets.age.path}
'' + (nixpkgs.lib.concatStringsSep "\n" (nixpkgs.lib.mapAttrsToList
  (name: value:
    "${agenix.packages.${system}.agenix}/bin/agenix -d ${builtins.baseNameOf value.file} > $out/${builtins.replaceStrings [".age"] [""] (builtins.baseNameOf value.file)}")
  secrets.age.secrets)));
```
| 15:08:04 |
CRTified | oh yeah, agenix uses age as well, true | 15:08:33 |
moots | but you can't access the SSH keys from inside the flake | 15:08:34 |
moots | * but you can't access the SSH keys from inside the flake
cat: /home/fabi/.ssh/id_rsa: No such file or directory | 15:08:43 |
CRTified | Yeah, it's outside of the store | 15:09:16 |
CRTified | I think your usecase is not really clear to me. | 15:09:52 |
moots | ATM I'm trying to generate terranix configurations from a flake which use agenix-encrypted secrets,
then build NixOS systems also using the secrets, and deploy them on the terranix "managed" machines,
having the whole repo publicly available with a pretty easy way to rekey (like with agenix rekeys).
The secrets should be accessible from anywhere, like while building the flake's outputs and the dev shell.
Rekeying similar to agenix would be nice, where I can just throw all the public keys and which files are associated with them into a Nix file and have it rekey the secrets with one flake app command | 15:13:45 |
moots | Slowly working my way up to a full monorepo managed with the josh project, akin to what the people at The Virus Lounge did (https://code.tvl.fyi/about/README.md), just for my own clusters of hardware and friend group | 15:17:53 |
moots | Hmm, maybe I could use nix run to decrypt the secrets locally, but I think then I have to find a way to add the secrets to the flake, since they're invisible to git, and flakes AFAIK usually only respect files in the git repo | 15:23:12 |
moots | * Hmm, maybe I could use nix run to decrypt the secrets locally as a stop gap, but I think then I have to find a way to add the secrets to the flake, since they're invisible to git, and flakes AFAIK usually only respect files in the git repo | 15:23:21 |
| 14 Jul 2023 |
@arianvp:matrix.org | I have
```nix
nixConfig = {
  substituters = [ "https://cache.garnix.io" ];
  trusted-public-keys = [ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ];
};
```
in my flake and I accepted the options,
but nix show-config doesn't show the settings in the shell:
```
(nix:shell-env) Arians-MacBook-Pro:server-optimised-nixos arian$ nix show-config
accept-flake-config = false
access-tokens =
allow-dirty = true
allow-import-from-derivation = true
allow-symlinked-store = false
allow-unsafe-native-code-during-evaluation = false
allowed-impure-host-deps = /System/Library /bin/sh /dev /usr/lib
allowed-uris =
allowed-users = *
auto-allocate-uids = false
auto-optimise-store = true
bash-prompt =
bash-prompt-prefix = (nix:$name)\040
bash-prompt-suffix =
build-hook = /nix/var/nix/profiles/default/bin/nix __build-remote
build-poll-interval = 5
build-users-group = nixbld
builders = @/etc/nix/machines
builders-use-substitutes = false
commit-lockfile-summary =
compress-build-log = true
connect-timeout = 0
cores = 12
darwin-log-sandbox-violations = false
diff-hook =
download-attempts = 5
download-speed = 0
eval-cache = true
experimental-features = flakes nix-command
extra-platforms = x86_64-darwin
fallback = false
flake-registry = https://channels.nixos.org/flake-registry.json
fsync-metadata = true
gc-reserved-space = 8388608
hashed-mirrors =
http-connections = 25
http2 = true
id-count = 128
ignore-try = false
impersonate-linux-26 = false
keep-build-log = true
keep-derivations = true
keep-env-derivations = false
keep-failed = false
keep-going = false
keep-outputs = false
log-lines = 10
max-build-log-size = 0
max-free = 18446744073709551615
max-jobs = 1
max-silent-time = 0
min-free = 0
min-free-check-interval = 5
nar-buffer-size = 33554432
narinfo-cache-negative-ttl = 3600
narinfo-cache-positive-ttl = 2592000
netrc-file = /etc/nix/netrc
nix-path = /Users/arian/.nix-defexpr/channels nixpkgs=flake:nixpkgs
plugin-files =
post-build-hook =
pre-build-hook =
preallocate-contents = false
print-missing = true
pure-eval = true
require-sigs = true
restrict-eval = false
run-diff-hook = false
sandbox = false
sandbox-fallback = true
sandbox-paths = /System/Library/Frameworks /System/Library/PrivateFrameworks /bin/bash /bin/sh /private/tmp /private/var/tmp /usr/lib
secret-key-files =
show-trace = false
stalled-download-timeout = 300
start-id = 56930
store = auto
substitute = true
substituters = https://cache.nixos.org/
sync-before-registering = false
system = aarch64-darwin
system-features = benchmark big-parallel nixos-test
tarball-ttl = 3600
timeout = 0
trace-function-calls = false
trace-verbose = false
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
trusted-substituters =
trusted-users = root arian
use-case-hack = true
use-registries = true
use-sqlite-wal = true
user-agent-suffix =
warn-dirty = true
```
| 10:06:57 |
@arianvp:matrix.org | what am I doing wrong? | 10:07:06 |
Artturin | In reply to @arianvp:matrix.org
They're used only in the flake, not in the shell, IIRC | 23:03:26 |
Artturin | Yep https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake.html?highlight=Nixconfig#flake-format | 23:05:10 |