| 25 Apr 2025 |
 @mynacol:mynacol.xyz | Basename explicitly does not seem to allow this syntax XD | 21:29:32 |
| @mynacol:mynacol.xyz | The reason was I did a bit nix foo to make two rather complex attrsets based on a single string and this string should now also be empty, leaving a leading dash in the generated age file path | 21:30:53 |
| 26 Apr 2025 |
 mmkaram | would anyone know how to access an agenix decrypted file in home manager, for things in my configuration.nix file I use config.age.secrets.whatever but I've been told I shouldn't pass config into my home.nix file
| 06:58:20 |
 K900 | You use the agenix HM module | 07:00:30 |
| K900 | And then use HM's config | 07:00:36 |
| mmkaram | so use
age.secrets = {};
in my home.nix?
| 07:01:24 |
| mmkaram | how would I access those variables in other parts of my home.nix
| 07:01:54 |
| mmkaram | again I'm used to the config.age.secrets syntax
| 07:02:11 |
| K900 | You use config.age.secrets | 07:05:47 |
| K900 | Where config is passed down from HM | 07:05:54 |
| K900 | You don't need to do that explicitly | 07:06:11 |
| mmkaram | seriously? my lsp says it can't find config which checks out because it's not an input to the home function
| 07:07:01 |
| K900 | You add it as an argument | 07:07:15 |
| mmkaram | okaaaay, and I can access the path from that I think, config.age.secrets.whatever.path
| 07:11:33 |
| mmkaram | how would I get what's actually in the value | 07:11:51 |
| mmkaram | builtins.readFile?
| 07:11:56 |
| K900 | That would entirely break the security model of agenix | 07:12:22 |
| mmkaram | right yeah that makes sense | 07:12:35 |
| K900 | The whole point of agenix is that your secrets are never visible at eval time | 07:12:36 |
| mmkaram | realized that after I wrote that message | 07:12:59 |
| mmkaram | how do most people go about reading the value | 07:13:08 |
| K900 | You don't | 07:13:12 |
| K900 | You need the application to read that file at runtime | 07:13:20 |
| K900 | Somehow | 07:13:26 |
| K900 | How exactly depends on the application | 07:13:34 |
| mmkaram | interesting | 07:14:31 |
|  ruby joined the room. | 14:41:13 |
 522 [it/its][ΘΔ] | generally speaking, services that handle secrets will let you pass them as a file (as in, you enter the filename)
like my listenbrainz-mpd config
services.listenbrainz-mpd = {
enable = true;
settings = {
submission = {
token_file = config.age.secrets.listenbrainz-mpd-token.path;
};
};
};
| 20:21:58 |
 tebriel | and sometimes they don't and you have to bend over backwards to find a way to inject them in another manner! (I feel icky about this script I wrote)
xdg.configFile."mcphub/servers.json" = {
source = jsonFormat.generate "servers.json" {
mcpServers = {
github-mcp = {
command = lib.getExe (
pkgs.writeShellApplication {
name = "github-mcp-server";
runtimeInputs = [pkgs-unstable.github-mcp-server];
text = ''
GITHUB_PERSONAL_ACCESS_TOKEN=$(cat ${osConfig.age.secrets."github-mcp-token".path})
export GITHUB_PERSONAL_ACCESS_TOKEN
${lib.getExe pkgs-unstable.github-mcp-server} "$@"
'';
}
);
args = ["stdio"];
env = {};
};
};
};
};
| 20:41:54 |
| 27 Apr 2025 |
|  bitfoo changed their display name from luzifer2222 to bitfoo. | 17:17:52 |
