agenix - Public Room Timeline

	agenix	332 Members
	age-encrypted secrets for NixOS https://github.com/ryantm/agenix/	99 Servers

Load older messages

Sender	Message	Time
27 May 2025
K900	I don't think it works like that	10:20:26
Andrew Selvia	https://github.com/ryantm/agenix/issues/329?	10:21:15
Andrew Selvia	Is there a preferred way of storing an agenix secret via HM?	10:25:41
Andrew Selvia	Seemingly related	10:35:56
Andrew Selvia	https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net	10:41:37
Andrew Selvia	* Looks like I stumbled upon an anti-pattern: https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net	10:42:10
Andrew Selvia	Not sure exactly how to do things properly though :(	10:42:31
Andrew Selvia	ChatGPT is recommending an alternative approach: `home.activation.copyMySecret = lib.hm.dag.entryAfter [ "writeBoundary" ] '' cp /run${config.age.secrets.mysecret.path} ${config.home.homeDirectory}/mysecret.txt '';` It works, though I suspect it compromises reproducibility... Signing off for the evening. If there's a better way, I'd be keen to learn!	11:03:22
	Lorenz joined the room.	11:15:30
28 May 2025
Andrew Selvia	Claude eventually helped me find a more pleasant solution based on `extraSpecialArgs`. I've tried to minimize it for clarity. The initial goal was to create a self-contained, minimal flake.nix that integrated nix-darwin, home-manager, and agenix. The desired end state is a macOS system with an agenix-encrypted secret decrypted and stored at ~/secret1.txt (by home-manager). The following `flake.nix` breaks the configuration into 2 sections: `homeconfig`: to configure home-manager `configuration`: to configure nix-darwin The secrets are defined in `configuration` then shuttled to `homeconfig` via `extraSpecialArgs.darwinSecrets`. The path to the secret is then leveraged by `homeconfig` to populate `~/secret1.txt` (i.e., `home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;`). Importantly, this circumvents the following error that would arise if the secret path was accessed directly (i.e., `home.file."secret1.txt".source = config.age.secrets.secret1.path;`): error: A definition for option `home-manager.users.andrew.home.file."secret1.txt".source' is not of type `absolute path'. Definition values: - In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/secret1" If any Nix experts observe any flaws in this approach, please raise them now. Otherwise, I hope it helps: { description = "nix-darwin & home-manager & agenix"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/master"; nix-darwin.url = "github:nix-darwin/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; }; outputs = inputs @ { self, nix-darwin, nixpkgs, home-manager, agenix, ... }: let homeconfig = { pkgs, config, lib, darwinSecrets, ... }: { imports = [agenix.homeManagerModules.default]; home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1; home.stateVersion = "25.05"; home.packages = with pkgs; [agenix.packages.aarch64-darwin.default]; programs.home-manager.enable = true; }; configuration = { pkgs, config, lib, ... }: { age = { secrets = { secret1 = { symlink = true; file = ./secret1.age; mode = "777"; }; }; }; environment.systemPackages = [agenix.packages.aarch64-darwin.default]; home-manager = { useGlobalPkgs = true; users.andrew = homeconfig; useUserPackages = true; extraSpecialArgs = { darwinSecrets = { secret1 = config.age.secrets.secret1.path; }; }; }; nix.settings.experimental-features = "nix-command flakes"; nixpkgs.hostPlatform = "aarch64-darwin"; system = { configurationRevision = self.rev or self.dirtyRev or null; stateVersion = 5; }; }; in { darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem { modules = [ agenix.darwinModules.default configuration home-manager.darwinModules.home-manager ]; }; }; }	03:49:26
	crgre joined the room.	15:17:31
31 May 2025
	tiferrei joined the room.	20:52:37
1 Jun 2025
	Sean Thawe joined the room.	23:38:45
7 Jun 2025
	matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) joined the room.	17:45:05
	matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) left the room.	22:57:38
	matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) joined the room.	23:48:03
9 Jun 2025
	SigmaSquadron joined the room.	13:05:05
	Magus joined the room.	20:55:03
11 Jun 2025
	stackptr set a profile picture.	02:02:44
12 Jun 2025
	lorev joined the room.	11:58:20
15 Jun 2025
	Andrew Selvia set a profile picture.	04:29:11
	@t4ccer:matrix.org left the room.	19:07:07
16 Jun 2025
	@ygt:matrix.org left the room.	21:51:48
17 Jun 2025
	@r522:matrix.org changed their display name from 522 [it/its][ΘΔ] to 522 (moved to @522_:catgirl.cloud ).	16:27:06
	522 [it/its][ΘΔ] joined the room.	18:28:34
	@r522:matrix.org left the room.	19:07:17
	522 [it/its][ΘΔ] changed their display name from 522_ to 522 [it/its][ΘΔ].	19:51:30
	522 [it/its][ΘΔ] set a profile picture.	20:18:11
19 Jun 2025
	lgcl (they/them) changed their display name from lgcl (they/them) to lgcl (she/they).	18:06:57
20 Jun 2025
	debugloop joined the room.	17:30:20

Show newer messages

Back to Room ListRoom Version: 6