agenix - Public Room Timeline

	agenix	336 Members
	age-encrypted secrets for NixOS https://github.com/ryantm/agenix/	100 Servers

Load older messages

Sender	Message	Time
27 May 2025
Andrew Selvia	https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net	10:41:37
Andrew Selvia	* Looks like I stumbled upon an anti-pattern: https://matrix.to/#/!XLCFfvFhUkYwOMLbVx:nixos.org/$g_OpCDha4vege-oXbuwHfZE-iDRvLC-abhfdkuZTq3I?via=nixos.org&via=matrix.org&via=frodux.net	10:42:10
Andrew Selvia	Not sure exactly how to do things properly though :(	10:42:31
Andrew Selvia	ChatGPT is recommending an alternative approach: `home.activation.copyMySecret = lib.hm.dag.entryAfter [ "writeBoundary" ] '' cp /run${config.age.secrets.mysecret.path} ${config.home.homeDirectory}/mysecret.txt '';` It works, though I suspect it compromises reproducibility... Signing off for the evening. If there's a better way, I'd be keen to learn!	11:03:22
	Lorenz joined the room.	11:15:30
28 May 2025
Andrew Selvia	Claude eventually helped me find a more pleasant solution based on `extraSpecialArgs`. I've tried to minimize it for clarity. The initial goal was to create a self-contained, minimal flake.nix that integrated nix-darwin, home-manager, and agenix. The desired end state is a macOS system with an agenix-encrypted secret decrypted and stored at ~/secret1.txt (by home-manager). The following `flake.nix` breaks the configuration into 2 sections: `homeconfig`: to configure home-manager `configuration`: to configure nix-darwin The secrets are defined in `configuration` then shuttled to `homeconfig` via `extraSpecialArgs.darwinSecrets`. The path to the secret is then leveraged by `homeconfig` to populate `~/secret1.txt` (i.e., `home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1;`). Importantly, this circumvents the following error that would arise if the secret path was accessed directly (i.e., `home.file."secret1.txt".source = config.age.secrets.secret1.path;`): error: A definition for option `home-manager.users.andrew.home.file."secret1.txt".source' is not of type `absolute path'. Definition values: - In `<unknown-file>': "$(getconf DARWIN_USER_TEMP_DIR)/agenix/secret1" If any Nix experts observe any flaws in this approach, please raise them now. Otherwise, I hope it helps: { description = "nix-darwin & home-manager & agenix"; inputs = { nixpkgs.url = "github:NixOS/nixpkgs/master"; nix-darwin.url = "github:nix-darwin/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; agenix.url = "github:ryantm/agenix"; }; outputs = inputs @ { self, nix-darwin, nixpkgs, home-manager, agenix, ... }: let homeconfig = { pkgs, config, lib, darwinSecrets, ... }: { imports = [agenix.homeManagerModules.default]; home.file."secret1.txt".source = config.lib.file.mkOutOfStoreSymlink darwinSecrets.secret1; home.stateVersion = "25.05"; home.packages = with pkgs; [agenix.packages.aarch64-darwin.default]; programs.home-manager.enable = true; }; configuration = { pkgs, config, lib, ... }: { age = { secrets = { secret1 = { symlink = true; file = ./secret1.age; mode = "777"; }; }; }; environment.systemPackages = [agenix.packages.aarch64-darwin.default]; home-manager = { useGlobalPkgs = true; users.andrew = homeconfig; useUserPackages = true; extraSpecialArgs = { darwinSecrets = { secret1 = config.age.secrets.secret1.path; }; }; }; nix.settings.experimental-features = "nix-command flakes"; nixpkgs.hostPlatform = "aarch64-darwin"; system = { configurationRevision = self.rev or self.dirtyRev or null; stateVersion = 5; }; }; in { darwinConfigurations."mac-book-pro" = nix-darwin.lib.darwinSystem { modules = [ agenix.darwinModules.default configuration home-manager.darwinModules.home-manager ]; }; }; }	03:49:26
	crgre joined the room.	15:17:31
31 May 2025
	tiferrei joined the room.	20:52:37
27 Oct 2022
	spacesbot - keeps a log of public NixOS channels joined the room.	14:03:00
	spacesbot - keeps a log of public NixOS channels	15:00:21
29 Oct 2022
	uep joined the room.	07:01:32
31 Oct 2022
	underpantsgnome changed their display name from underpantsgnome! to underpantsgnome.	20:39:49
6 Nov 2022
	Gerschtli joined the room.	11:13:57
12 Nov 2022
	Ash joined the room.	15:03:58
Ash	is it alright to check secret files into a public git repo?	15:04:41
ryantm	Ash: how much do you trust age encryption?	15:18:48
Ash	i guess a better way to phrase the question is "is it reasonable to trust age enough to do that"	15:35:49
Ilan Joselevich (Kranzes)	Most people trust it enough	15:40:04
shanesveller	Anyone answering that for you who isn't you is probably doing some form of appeal-to-authority, y'know? Its author is great, but everyone is fallible, so you gotta figure out your risk tolerance based on what info you want to protect. Typical "likeliness of compromise vs severity if compromised" kind of considerations.	18:23:32
13 Nov 2022
	Herman joined the room.	20:05:32
16 Nov 2022
	omlet joined the room.	20:34:23
17 Nov 2022
	REASON...UNKNOWN changed their display name from ctx to REASON...UNKNOWN.	13:27:40
19 Nov 2022
	tchab changed their display name from tomchab to tchab.	10:40:04
21 Nov 2022
	Player205 changed their display name from Александра Краснозерницкая to Player205.	18:56:05
	Player205 set a profile picture.	18:56:23
25 Nov 2022
	John Bargman joined the room.	03:09:53
26 Nov 2022
	ahmed changed their display name from rh to ahmed.	19:19:50
29 Nov 2022
	pl1y joined the room.	17:51:47
3 Dec 2022
	Alok Parlikar changed their display name from happyalu to Alok Parlikar.	15:50:06
5 Dec 2022
REASON...UNKNOWN	Is anyone using agenix with deploy-rs? deploy-rs fails telling me that `/nix/store/xxxx-source/secrets` does not exist	02:22:39

Show newer messages

Back to Room ListRoom Version: 6