3 Feb 2025 |
Gus | Anyone have good patterns for decrypting "secrets" for eval-time configuration? E.g. I want to set services.caddy.virtualHosts.foo.hostName = "foo.${myTailnet}" . I don't care about myTailnet being in the nix store but I would prefer that it's not plaintext in my git repo | 06:13:21 |
Gus | I saw that maybe scalpel can solve this? | 06:13:42 |
Gus | wondering if there is a straightforward way that people recommend :) | 06:14:03 |
9 Feb 2025 |
LordKekz | Nix doesn't have eval-time secrets. But if you just want to avoid putting some variables in a public repo, you can make a separate private repo on your git forge of choice and add it as a flake input. You will then need to provide credentials to the private repo, e.g. via ~/.config/nix/nix.conf . | 22:21:01 |
Alexandros Liarokapis | If doing that, be careful if you are in a multi-user setup. | 23:23:40 |
Waldemar Tomme (they/them) | Hi, I hope somebody here might be able to help me even though it might be slightly off-topic: I just configured agenix-rekey for my secret management together with my YubiKey. Everything works, but I don't know whether my identity file is correct like this:
# Serial: XXXXXXXX, Slot: 1
# Name: age identity XXXXXXXX
# Created: Fri, 08 Nov 2024 18:38:59 +0000
# PIN policy: Never (A PIN is NOT required to decrypt)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikeyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AGE-PLUGIN-YUBIKEY-XXXXXXXXXXXXXXXXXXXXXX
As far as I understood, this only contains public key information and is safe to be committed (in theory publicly). If not, how do I split the public and private parts?
| 17:52:58 |
Waldemar Tomme (they/them) | Well, as so often the case I found the answer/explanation. For anyone else interested in the future: https://github.com/str4d/age-plugin-yubikey/issues/179 | 19:05:30 |
23 Feb 2025 |
Patrick | Hi, I can't get agenix working. Does somebody have an idea why my tailscale.age isn't getting placed onto the host?
❯ nix run github:zhaofengli/colmena -- apply --experimental-flake-eval --on host-1 --show-trace
warning: ignoring untrusted substituter 'https://colmena.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
[INFO ] Using flake: git+file:///Users/user/Workspace/project/infrastructure-as-code?dir=nixos
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
warning: will not write lock file of flake 'path:/private/tmp/colmena-assets-r8xdrZ' because it has an unlocked input ('git+file:///Users/user/Workspace/project/infrastructure-as-code?dir=nixos')
[WARN ] Using direct flake evaluation (experimental)
[INFO ] Enumerating nodes...
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
[INFO ] Selected 1 out of 3 hosts.
❌ 3s Failed: Child process exited with error code: 1
host-1 ❌ 3s Evaluation failed: Child process exited with error code: 1
[ERROR] Failed to evaluate host-1 - Last 20 lines of logs:
[ERROR] stderr) 621| [{ inherit (module) file; inherit value; }]
[ERROR] stderr) | ^
[ERROR] stderr) 622| )
[ERROR] stderr)
[ERROR] stderr) … while calling the 'concatStringsSep' builtin
[ERROR] stderr) at /nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source/modules/age.nix:114:20:
[ERROR] stderr) 113|
[ERROR] stderr) 114| installSecrets = builtins.concatStringsSep "\n" (
[ERROR] stderr) | ^
[ERROR] stderr) 115| ["echo '[agenix] decrypting secrets...'"]
[ERROR] stderr)
[ERROR] stderr) … while calling 'installSecret'
[ERROR] stderr) at /nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source/modules/age.nix:64:19:
[ERROR] stderr) 63|
[ERROR] stderr) 64| installSecret = secretType: ''
[ERROR] stderr) | ^
[ERROR] stderr) 65| ${setTruePath secretType}
[ERROR] stderr)
[ERROR] stderr) error: path '/nix/store/lrfilxp20f920zgvm3bn71h6wsnp037y-source/nixos/secrets/tailscale.age' does not exist
[ERROR] failure) Child process exited with error code: 1
[ERROR] Failed to complete requested operation - Last 1 lines of logs:
[ERROR] failure) Child process exited with error code: 1
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
Hint: Backtrace available - Use `RUST_BACKTRACE=1` environment variable to display a backtrace
| 14:12:08 |
elikoga | Run git add . and try again | 15:19:40 |
Patrick | elikoga: you are my hero! <3 This worked! So simple! I was searching for this bug/problem for a few hours, set up a few machines again and again, and couldn't fix this problem. Wow, so simple! | 19:29:14 |
elikoga | It's related to the fact that nix flakes in a git repository only copy git tracked files to the store | 19:29:34 |