| 11 Jul 2023 |
|  Ash joined the room. | 16:07:17 |
|  Pyrox [Fox/It/She] changed their display name from Pyrox [ She/They/Xem ] to Pyrox [ It/She/They/Xem ]. | 20:43:38 |
| 12 Jul 2023 |
 beect | is there an idiomatic way to produce a path relative to the root of the flake repo? i want to replace imports = [ ../../common/users.nix ] with something like imports = [ ${self}/nixos/common/users.nix ] | 11:57:33 |
 CRTified | Not tested, but shouldn't self.outPath work there? | 11:58:02 |
| beect | i've tried a bunch of variations on /${self.outPath}/nixos/common/users.nix - it complains that "a string that refers to a store path cannot be appended to a path" | 12:17:54 |
 @2xsaiko:tchncs.de | beect: both ${self} and ${self.outPath} work for me, are you sure your self is the one you get passed to your flake outputs function? | 12:57:37 |
| @2xsaiko:tchncs.de | i.e. { outputs = { self }: { myPath = "${self}"; }; } => nix eval .#myPath => "/nix/store/..." | 12:58:37 |
| @2xsaiko:tchncs.de | oh | 12:59:42 |
| @2xsaiko:tchncs.de | it should be imports = [ "${self}/nixos/common/users.nix" ], with the quotes | 13:00:04 |
| @2xsaiko:tchncs.de | or (self + /nixos/common/users.nix) | 13:01:27 |
 Ilan Joselevich (Kranzes) | In reply to @crtified:crtified.me
Not tested, but shouldn't self.outPath work there? even just "${self}" would work because of string interpolation | 13:07:28 |
| Ilan Joselevich (Kranzes) | another design choice is to expose these common modules are nixosModules flake outputs | 13:08:08 |
| beect | ah yup, using a string instead of a path works. thanks. it's a little ugly, thanks for the pointer to nixosModules. | 13:22:20 |
| 13 Jul 2023 |
|  vcunat changed their display name from @vcunat to vcunat. | 08:27:42 |
 moots | anyone know their way around managing secrets in nix flakes(outside nixos)?
i tried using a output with pkgs.runcommand running agenix to decrypt them in sequence before generating the proper output (a generated file, which needs them), but i hit the wall that i cant access the users private keys like ~/.ssh/id_rsa since that doesnt seem to be possible impureley
im trying to have encrypted secrets in the repo and have the flake decrypt them using the users private keys and generate a config file which uses the decrpyted secrets contents
| 14:44:41 |
| moots | * anyone know their way around managing secrets in nix flakes(outside nixos)?
i tried using a output with pkgs.runcommand running agenix to decrypt them in sequence before generating the proper output (a generated file, which needs them), but i hit the wall that i cant access the users private keys like ~/.ssh/id_rsa since that doesnt seem to be possible impureley
im trying to have encrypted secrets in the repo and have the flake decrypt them using the users private keys and generate a config file which uses the decrpyted secrets contents(and in future have them accessible by any sub flake/potential flake built nixos configurations) | 14:46:01 |
 @petrichor:envs.net | moots: I have handled this using git-crypt in my desktop nixos config if that's any help? decrypted by git rather than nix itself so isn't affected by the purity restrictions but doesn't work in all situations | 14:49:43 |
| moots | i dont think git crypt would work fine for me | 15:03:47 |
| moots | * i dont think git crypt would work fine for me , alone by not beeing able to use a ssh key for that | 15:05:46 |
| moots | * i dont think git crypt would work fine for me , alone by not beeing able to use a ssh key for that, and i wou;d have hoped for agenix similar workflow | 15:06:42 |
| CRTified | So it's likely that sops-nix or agenix don't fit your usecase as well, correct? | 15:07:02 |
| moots | i would love to use agenix, but doesnt work outside nixos | 15:07:37 |
| CRTified | sops-nix relies on sops, which works outside of nixos 🙂 | 15:07:56 |
| moots | i even tried to hack around it
config-tf = (pkgs.runCommand "config-tf"
{ }
(''
set -x
export RULES=${./secrets.nix}
export HOME=/home/fabi
export IDENTITIES="~/.ssh/"
cd ${secrets.age.path}
'' + (nixpkgs.lib.concatStringsSep "\n" (nixpkgs.lib.mapAttrsToList (name: value: "${agenix.packages.${system}.agenix}/bin/agenix -d ${builtins.baseNameOf value.file} > $out/${builtins.replaceStrings [".age"] [""] (builtins.baseNameOf value.file)}") secrets.age.secrets))
)
);```
| 15:08:04 |
| CRTified | oh yeah, agenix uses age as well, true | 15:08:33 |
| moots | but u cant access the ssh keys from inside the flake | 15:08:34 |
| moots | * but u cant access the ssh keys from inside the flake
cat: /home/fabi/.ssh/id_rsa: No such file or directory | 15:08:43 |
| CRTified | Yeah, it's outside of the store | 15:09:16 |
| CRTified | I think your usecase is not really clear to me. | 15:09:52 |
| moots | atm im trying to generate from a flake terranix configurations which use agenix encrpyted secrets
then build nixos systems also using the secrets, and deploying them on the terranix "managed" machines
having the whole repo publicly available with p easy way to rekey (like with agenix rekeys)
the secrets should be accessible from anywhere, like while building the flakes outputs and the dev shell
rekeying similar to agenix would be nice where i can just throw all the public keys and which files are associated with it in a nix file and have it rekey the secrets with 1 flake apps command | 15:13:45 |
