Message | Time | |
---|---|---|
22 Oct 2021 | ||
I've been sort of dissuaded from worrying about this too much after being in a RFC meeting where it was said that, "the flake.nix format will not change" 😞 | 20:26:28 | |
(by a certain prominent developer) | 20:26:58 | |
23 Oct 2021 | ||
Is there a way to do a nixos-rebuild from a non-nixos live USB stick on mounted volumes? | 11:42:34 | |
Also, are secrets in /secrets double encrypted by default if using agenix? I don't see an exception in .gitattributes for .age files | 12:49:50 | |
they are encrypted by agenix, and then encrypted by git-crypt again. Would I have to unlock git-crypt files, remove git-crypt and then move to agenix to prevent this double encryption? | 12:50:42 | |
and a final question; how can I make sure initramfs reverts to a manual password entry if the keyfile is corrupted or not found? | 13:07:31 | |
In reply to @timdeh:matrix.org: I added self to the arguments of my user profile (not sure if it's a module?) but I don't know how to pass it in to that to it? I'm importing that file from the user profile | 14:41:02 | |
In reply to @b12f:pub.solar: I'd ditch git-crypt completely for agenix. | 15:14:22 | |
I think we could even drop support for git-crypt since we want to have an opinionated setup that is comparatively easy to manage, rather than a toolbox with so many options we already fail to document, I guess. | 15:15:42 | |
In reply to @b12f:pub.solar: I can't really comment on that, I used a branch of deploy-rs for rebuilds in combination with live iso. | 15:16:57 | |
* I can't really comment on that, directly. I used a branch of deploy-rs for rebuilds in combination with live iso, though. | 15:17:42 | |
In reply to @aynish:sealight.xyz: hmmm, also realizing that permission is denied when I try to cat /run/secrets/<secret> (for when modules take a command instead of a file for passwords) | 15:20:20 | |
So I've finally solved a weird issue today; the initial problem was git-crypt not properly decrypting my keyfile, causing the decryption to fail. Password prompt wasn't being shown because of https://github.com/NixOS/nixpkgs/issues/115982 I created an ISO from the basic devos main branch, booted it from a USB, decrypted + mounted the main and boot partitions to I fixed the keyfile issue, then ran both Turns out, the live USB/chroot setup had written the new efi file to | 16:15:31 | |
Did anybody already try using agenix for grub / initrd keyfiles? Upon rebuild switch the step updating GRUB 2 menu comes before agenix decryption step and thus fails because the secret is not yet copied in clear text to /run/secrets | 16:56:08 | |
In reply to @teutat3s:pub.solar: I wonder if that would even be possible? Afaik, agenix is injecting itself into stage2, correct me if I'm wrong. But it would be interesting to know if there is a way to get early boot support for decrypting. | 21:01:48 | |
Btw, does anybody want to prep a PR to ditch git-crypt? 😎🙂 | 21:02:44 | |
probably impossible without hacking into the bootloader setup stuff from nixos. We're looking at putting the kernel into an unencrypted partition, this way we can ditch the keyfiles altogether. Only personal data will be encrypted then | 21:06:28 | |
In reply to @blaggacao:matrix.org: the current problem is rather that the activation hooks agenix uses run after the bootloader setup / update step. That's why it's trying to copy the keyfile into the initrd when agenix didn't even have a chance to decrypt it yet | 21:07:41 | |
teutat3s asked the agenix dev for advice https://github.com/NixOS/nixpkgs/blob/57961d2b838cc31fa4ce89641b6a8db544a8471a/nixos/modules/system/activation/switch-to-configuration.pl#L61 | 21:08:36 | |
we'd have to somehow hook in there, but I don't see my nix knowledge reaching that far :P | 21:09:18 | |
The @installBootLoader@ can come from different places, afair. | 21:11:48 | |
in our case it would be grub https://github.com/NixOS/nixpkgs/blob/5605b561ce51d3e6b5a56566d6e58fe3e5b36970/nixos/modules/system/boot/loader/grub/grub.nix#L726 | 21:12:26 | |
Just saw initialRamdiskSecretsAppender ... | 21:14:56 | |
Maybe an agenix grub module needs to be written? | 21:16:28 | |
Perhaps. A hook that can start services before the bootloader init might be more general-purpose though | 21:37:19 |