| 20 Dec 2022 |
 dasj19 | ryantm: I have spinned up a virtual machine with latest nixos unstable and followed the readme file present on the github project and I end up in the same situation. So it can't just be my old config that is wrong, it must be something I do or something in the unstable branch | 22:14:05 |
| 21 Dec 2022 |
 gador | Did you try it without agenix and a plain test file with the password in it? Just to rule out an agenix problem here? | 05:08:58 |
 ryantm | ☝️dasj19 | 18:16:02 |
| 22 Dec 2022 |
|  null_radix joined the room. | 08:48:08 |
| null_radix | hello, I have a directory with 100+ files that each contain a secret. Is it possible just to encrypt the entire dir, instead of each individual file? | 08:49:28 |
| ryantm | null_radix: you could first tar it the encrypt that | 13:30:27 |
| ryantm | * null_radix: you could first tar it then encrypt that | 13:30:44 |
| dasj19 | ryantm: I ended up deleting my user entry in /etc/shadow and then rebuilt, and everything looks normal now. Got inspired from: https://github.com/NixOS/nixpkgs/issues/99433 . So it wasnt a specific agenix issue but rather a issue with the user update script | 13:59:43 |
| null_radix | In reply to @ryantm:matrix.org
null_radix: you could first tar it then encrypt that how would you untar them? would you use system.activationScripts? | 17:15:37 |
| null_radix | its for a service so maybe a systemd service makes more sense | 17:16:03 |
| ryantm | null_radix: yeah, either way. | 17:25:56 |
| 24 Dec 2022 |
| dasj19 | Hi ryantm FYI, i just pulled together a solution for password updates via the perl script in NixOS https://github.com/NixOS/nixpkgs/pull/207593 | 17:34:16 |
| 25 Dec 2022 |
|  ahmed left the room. | 10:35:09 |
| 26 Dec 2022 |
 Tommy | Hey there. That's possibly a stupid question but I'm kind of stuck here: I understand how the builtins.readFile is an anti-pattern but I nevertheless like to use agenix to encrypt my known wifi psk. What is the proper way to implement this since networking.wireless.networks.<name> only has a string option for the psk not an option to provide a file? | 14:44:52 |
| ryantm | Tommy: proper way might require fixing NixOS. | 15:22:15 |
| Tommy | Mhmm. What does that mean? Implementing an option like `networking.wireless. networks.<name>.passwordFile`? And what are options not being proper and also not storing the passwords in the nix store? | 15:28:12 |
| ryantm | Right | 15:32:09 |
|  @ar:is-a.cat left the room. | 22:01:28 |
| 30 Dec 2022 |
|  Federico Damián Schonborn joined the room. | 00:13:58 |
 ofungus | Hello all, first of all thanks for providing agenix. It works like a charm.
I am now working on a use case where I want to provide a grub passwordFile via agenix. But unfortunately updating the grub2 menu happens before agenix decrypting the passwordFile to its place like mentioned in this issue before https://github.com/ryantm/agenix/issues/74. Is there a better approach as to the described one in the issue. Thanks a lot | 19:08:45 |
| ryantm | ofungus: you could try learning which activation script does the grub password and add `agenixInstall` to the deps. Like we do for the users one https://github.com/ryantm/agenix/blob/a630400067c6d03c9b3e0455347dc8559db14288/modules/age.nix#L221 | 19:41:56 |
| ofungus | Ah ok, makes sense. I’ll look into it . Thanks | 19:43:21 |
| ryantm | It might make sense to add it to the age module. There are a lot of users with weird decryption and impermanence setups who might be affected though. I don't know enough details. | 19:45:52 |
| 1 Jan 2023 |
|  Solid Rhino joined the room. | 20:44:18 |
| 4 Jan 2023 |
|  /madonius [er|him] changed their display name from /madonius to /madonius [er|him]. | 14:16:46 |
| 5 Jan 2023 |
 [0x4A6F] | In reply to @ryantm:matrix.org
Tommy: proper way might require fixing NixOS. Proper way would be to write documentation for developers to handle secrets in nixos module system. There are many dark places in nixpkgs. ;) Any inputs for that? | 18:38:51 |
| 6 Jan 2023 |
 Wanja Hentze | In reply to @0x4a6f:matrix.org
Proper way would be to write documentation for developers to handle secrets in nixos module system. There are many dark places in nixpkgs. ;) Any inputs for that?
commandline option available for providing secret (without leaking to process list?)
danger: the method described there (--secret $(cat ${cfg.secretFilePath})) does leak to process list
| 08:10:55 |
| Wanja Hentze | the shell expands that cat invocation before passing the command line, it all still ends up in argv of the process | 08:11:47 |
| Wanja Hentze | I don't know of a way to pass secrets directly via command line option that doesn't leak that way | 08:12:36 |
| Wanja Hentze | you can play silly games with ptrace probably, but I wouldn't want to rely on that | 08:17:58 |
