| 1 Dec 2021 |
ultranix | it works, thank you Pacman99 ! | 23:55:09 |
ultranix | In reply to @blaggacao:matrix.org sent a file. what's this for? | 23:55:37 |
Pacman99 | We should update secrets.md in devos then | 23:55:48 |
ultranix | well, stable would still look for /run/secrets I suppose | 23:56:47 |
Pacman99 | Ohh true, yeah I'm not sure if there's anything we can do then | 23:57:15 |
Pacman99 | update agenix I guess then switch secrets.md | 23:57:28 |
David Arnold (blaggacao) | In reply to @ultranix:matrix.org what's this for? revert https://github.com/divnix/digga/commit/9c5115fa6143f51851f58055f0e2ecb9253ff15d | 23:58:22 |
David Arnold (blaggacao) | ^^ this breaks the inner local check-feedback-loop. | 23:58:53 |
| 2 Dec 2021 |
ultranix | ah | 00:06:07 |
ultranix | I never liked the idea of subflakes anyway, is that widely used somewhere else? | 00:06:26 |
ultranix | it's understandable for the examples part though | 00:06:44 |
ultranix | by the way, I still found a lot of use for git-crypt. I use it to encrypt secrets in public repositories | 00:12:34 |
ultranix | I could not figure out how to do that with the agenix replacement | 00:12:45 |
ultranix | stringPassword = "${builtins.readFile ./secrets/password}" | 00:13:27 |
ultranix | agenix only works for deployment keys | 00:13:47 |
ultranix | afaict, it doesn't work well otherwise | 00:14:07 |
ultranix | * by the way, I still found a lot of use for git-crypt. I use it to encrypt string secrets in public repositories | 00:16:22 |
ultranix | I don't see any other way to do it though. I wish I could avoid involving a gpg private key; one ssh key is much simpler to use | 00:22:08 |
David Arnold (blaggacao) | In reply to @ultranix:matrix.org I never liked the idea of subflakes anyway, is that widely used somewhere else? At the very least it is a way of placing multiple flake-guarantees-backed interfaces into a big project, such that you can't break (../../) out of the flake boundary. That's actually nice if you are tasked with auditing a big chunk of nix code. | 00:46:21 |
David Arnold (blaggacao) | In reply to @ultranix:matrix.org stringPassword = "${builtins.readFile ./secrets/password}" That looks like you're trying to manipulate secrets ahead of their final use? Or is it conceptually that you want to use them in some sort of local script? | 00:47:56 |
David Arnold (blaggacao) | I'm trying to figure out the bigger / biggest picture. | 00:49:30 |
Pacman99 | In reply to @ultranix:matrix.org stringPassword = "${builtins.readFile ./secrets/password}" Well if you are doing something like this, I'm pretty sure that secret will end up in the nix store at some point | 00:50:39 |
ultranix | In reply to @pachumicchu:myrdd.info Well if you are doing something like this, I'm pretty sure that secret will end up in the nix store at some point That doesn't matter. I use it to encrypt location.latitude or location.longitude etc., things that are personal information for pseudonyms etc. | 01:30:13 |
ultranix | but also, there are a lot of configuration INIs that still use string keys within config files | 01:30:46 |
ultranix | and I'm not sure that can change? | 01:31:14 |
Pacman99 | In reply to @ultranix:matrix.org but also, there are a lot of configuration INIs that still use string keys within config files That's where I think envsubst is really useful and I've seen a lot of services integrate it | 01:31:45 |
Pacman99 | Then you can use agenix to encrypt the environment file with the secret information, and pass it along to the systemd service; then you get access to that secret data in your config | 01:32:36 |
ultranix | ok good to know | 01:34:23 |
Pacman99 | * Then you can use agenix to encrypt the environment file with the secret information, and pass it along to the systemd service then you get access to that secret data in your config | 01:34:42 |
ultranix | the part about hiding parts of your config is a niche case, but can be useful. But in that case, I suppose you'd import a private repo flake or something | 01:35:05 |