| 25 Oct 2021 |
 David Arnold (blaggacao) | There is no language-conform way to handle secrets in the nix store without implementing an entire encryption framework. | 18:10:36 |
| David Arnold (blaggacao) | * There is no language-conform way to handle secrets in the nix store without implementing an entire _opinionated_ encryption framework. | 18:10:50 |
| David Arnold (blaggacao) | Nah, still a bad idea all together. Otoh, all that can be dome with pre-processing probably can be done with IFD-like. | 18:12:16 |
| David Arnold (blaggacao) | Or what's the deal with builtins.exec? | 18:12:33 |
 @timdeh:matrix.org | I dunno, doesn't seem safe so I haven't use it 😅 | 18:12:49 |
| @timdeh:matrix.org | * I dunno, doesn't seem safe so I haven't used it 😅 | 18:13:36 |
| David Arnold (blaggacao) | allow-unsafe-native-code-during-evaluation | 18:14:07 |
 genadij.udarov | In reply to @timdeh:matrix.org
I wonder if committing the tfstate file would be a possible solution 🤔 We used to do that back in like 2016 or so, but realised that using S3 as a backend for the tfstate was better. :-D | 18:14:15 |
| @timdeh:matrix.org | we use a vault-plugin for our tfstate atm | 18:14:43 |
 tomberek | you can use exec to decrypt something for you at eval-time, but it would often leak into the /nix/store. You'd need a build-time exec. | 18:14:45 |
| David Arnold (blaggacao) | Good resume; | 18:15:07 |
| @timdeh:matrix.org | * we use a vault-plugin for our tfstate atm | 18:15:08 |
| David Arnold (blaggacao) | * Good resume! | 18:15:13 |
| David Arnold (blaggacao) | To de-throne the sheesy magic addition to manage configs, build time exec might be what's needed, though. | 18:15:50 |
| @timdeh:matrix.org | That opens up a pretty huge can of impure worms though | 18:16:14 |
| David Arnold (blaggacao) | For all that involves nixos or derivations, that would be very much self inflicting harm. | 18:16:38 |
| David Arnold (blaggacao) | Yeah, sheesy's serverless approach to rotation is a bit of a pain, too. | 18:17:49 |
| tomberek | The idea is that decryption is either success or failure, so it's not impure, but either pure or impossible. | 18:17:53 |
| David Arnold (blaggacao) | If we need identity, let's just use an attestor (such as vault or spiffe or step-ca). | 18:18:22 |
| @timdeh:matrix.org | which reminds me, I also found this yesterday:
https://openpgp-ca.org/ | 18:18:44 |
| David Arnold (blaggacao) | If we just need to assert identity, a SViD based aproach might be a bit more inferoperable. | 18:19:41 |
| David Arnold (blaggacao) | SVID = Certificate of Identity (X509) + spiffe ID | 18:20:05 |
| David Arnold (blaggacao) | SpiffeID: spiffe://com.mydomain/me/and/my/dog | 18:20:41 |
| tomberek | SPIFFE is good, but like anything x509, complex. | 18:21:02 |
| David Arnold (blaggacao) | All that credentials actually do is to establish identity (in a very old-fashoined way) | 18:21:35 |
| @timdeh:matrix.org | yeah I was about to say, x509 might be the only format even more frustrating to use than gnupg 😅 | 18:21:36 |
| David Arnold (blaggacao) | X509 is very simple, and interpoerable with tls. | 18:22:10 |
| David Arnold (blaggacao) | * X509 is very simple, and interoperable with tls. | 18:22:17 |
| David Arnold (blaggacao) | Sure you can have TLS and something else. But that looks like more complexity still due to an additional component. | 18:22:47 |
| David Arnold (blaggacao) | Ok, I'd agree that TLS is complex. 😎😆 | 18:23:17 |
