agenix - Public Room Timeline

	agenix	346 Members
	age-encrypted secrets for NixOS https://github.com/ryantm/agenix/	101 Servers

Load older messages

Sender	Message	Time
5 Dec 2022
REASON...UNKNOWN	And configuration in a sec	02:34:02
REASON...UNKNOWN	https://0x0.st/ok07.nix	02:36:23
REASON...UNKNOWN	That's all the agenix stuff, except for secrets/secrets.nix	02:38:00
ryantm	Looks pretty good.	02:38:09
ryantm	I don't typically use path + string for the file config so it would be a debugging step to write the real path out there.	02:38:51
ryantm	Also double check you've staged the secrets into your flake repo.	02:39:38
REASON...UNKNOWN	In reply to @ryantm:matrix.org Also double check you've staged the secrets into your flake repo. Ah that is likely it. I have only an inkling that the repo contents affect things	02:40:44
REASON...UNKNOWN	secrets dir explicitly left out of repo in .gitignore	02:40:59
REASON...UNKNOWN	Yeah. Seems to be working now.	02:43:06
REASON...UNKNOWN	So I really ha e no choice but to commit secrets to my repo?	02:43:35
REASON...UNKNOWN	* So I really have no choice but to commit secrets to my repo?	02:43:42
6 Dec 2022
	omlet left the room.	03:18:07
7 Dec 2022
	drall.kj joined the room.	04:30:50
9 Dec 2022
	kukker joined the room.	05:22:21
pl1y	regarding the template discussion: current agenix decrypts the secret and writes it to disk. if someone needs post processing (transforming the secret, combining it with other config) one can use the `system.activationScripts` to read said secret and write it to another file, but needs to make sure it has the correct permissions and it's not committed to the nix store by accident.	12:46:47
pl1y	there is currently a pull request, that would introduce templates, so one could specify a template with `@secret1@` template variables, and those would be replaced by the secrets, and handle the permissions.	12:48:56
pl1y	have you thought about adding a more general "transform" attribute for each secret? you could specify a script there. agenix would then write the secret to the stdin of said script and write the scripts stdout to the file. this way also more complex transformations would be possible. perhaps agenix could even provide a default implementation of said script: the secret could be a toml/ini/json/yaml file that defines the variables, a command line argument of the script could point to a template. the default could be a simple `cat` that does not transform anything.	12:53:30
jhillyerd	I'd love to see something like this in agenix. I spent many hours getting templates working for myself, it definitely feels like advanced nix, and is a roadblock to adopting flake based nix deployments.	17:30:01
11 Dec 2022
	acire joined the room.	08:11:08
acire	Hi! First wanna say thanks for happy years using agenix ^^ I just upgraded a NixOS host to 22.11 and in so doing updated the agenix flake input from rev. `7e5e58` (committed May 16). The result is unexpected: secrets are properly decrypted to the secrets mount point (i.e., to `/run/agenix.d/<agenix generation>/<name>`), but they are not properly symlinked to the secrets directory (`/run/agenix`) or to a custom path when specified. Instead, only a single symlink to the generation directory containing all the decrypted secrets (`/run/agenix.d/<agenix generation>`) is created in the secrets directory. For example, with the following configuration (unchanged for several NixOS releases): `age.secrets."passwordFile".file = ./. + "/../../secrets/passwordFile.age"; users.users.me = { isNormalUser = true; passwordFile = config.age.secrets.passwordFile.path; };` a rebuild generates the following output: `[agenix] creating new generation in /run/agenix.d/1 [agenix] decrypting secrets... decrypting '/nix/store/<hash redacted>-passwordFile.age' to '/run/agenix.d/1/passwordFile'... [agenix] symlinking new secrets to /run/agenix (generation 1)... warning: password file ‘/run/agenix/passwordFile’ does not exist [agenix] chowning...` and a listing of the resulting secrets directory is as follows: `$ ll /run/agenix lrwxrwxrwx root root  1 -> /run/agenix.d/1` Since I haven't updated this host in a while, maybe there's a setting I missed? Thanks!	09:20:09
ryantm	acire: glad you've been happy with agenix up to this point! Do you want code that is doing anything with activation scripts in your config?	12:51:17
ryantm	* acire: glad you've been happy with agenix up to this point! Do you have any code that is doing anything with activation scripts in your config?	12:51:40
ryantm	Can you show the dir listing for the /run/agenix.d/1 folder too?	12:54:47
ryantm	Are you doing anything in your config with config.age.secretsDir?	12:56:45
acire	ryantm: thanks for your reply! I have one activation script in the configuration that ensures some directories exist, but nothing related to secrets. `/run/agenix.d/1` contains the decrypted secrets. E.g.: `drwxr-x--x root keys . drwxr-x--x root keys .. -r-------- root root passwordFile` I'm using the default value of `config.age.secretsDir`.	13:42:36
acire	Redacted or Malformed Event	15:40:39
acire	whoops	15:45:08
acire	I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows: `age.secrets."userSecret" = { file = ./. + "/../../secrets/userSecret.age"; path = "${config.age.secretsDir}/.user-secrets/userSecret"; mode = "0600"; owner = "1000"; group = "100"; };` Here is the home-manager configuration for symlinking the agenix-decrypted secret: `# Paths are relative to user's home directory home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];` Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of `/run/agenix` not as a directory but as a symlink itself to `/run/agenix/<agenix generation>`. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of `${age.secretsDir}`, everything now seems to work as expected. In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?	15:54:55
acire	* I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows: `age.secrets."userSecret" = { file = ./. + "/../../secrets/userSecret.age"; path = "${config.age.secretsDir}/.user-secrets/userSecret"; mode = "0600"; owner = "1000"; group = "100"; };` Here is the home-manager configuration for symlinking the agenix-decrypted secret: `# Paths are relative to user's home directory home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];` Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of `/run/agenix` not as a directory but as a symlink itself to `/run/agenix/<agenix generation>`. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of `age.secretsDir`, everything now seems to work as expected. In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?	15:57:46
acire	By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected. ...except that now the secret with the custom path exists both in `/run/agenix` (because it's just a symlink to `/run/agenix.d/1`) as well as at the custom path. It isn't a problem but potentially misleading.	16:04:37

Show newer messages

Back to Room ListRoom Version: 6