!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

328 Members
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/95 Servers

Load older messages

SenderMessageTime
3 Jan 2025
@k900:0upti.meK900
In reply to@willpower3309:matrix.org
Hey all! Interesting question here - how many private keys would need to be known to be able to determine what the other keys that a secret is encrypted with are? Lets say I had a secret encrypted to 3 different hosts' private keys, with the public keys of those hosts known. If someone figured out one of my host's private keys, could they then determine my other hosts' private keys given the knowledge of the secret and the public keys of those hosts?
No 		21:52:16
4 Jan 2025
@philt3r:mozilla.orgphilt3r joined the room.16:05:14
6 Jan 2025
@jeroen:simonetti.nl@jeroen:simonetti.nl left the room.16:40:02
12 Jan 2025
@strutztm:strutztm.de@strutztm:strutztm.de joined the room.00:22:06
19 Jan 2025
@wiiplayer2:matrix.orgWaldemar Tomme (they/them) changed their display name from Waldemar Tomme to Waldemar Tomme (they/them).08:17:06
25 Jan 2025
@fwam:femdom.solutionsfwam changed their profile picture.04:32:11
28 Jan 2025
@fwam:femdom.solutionsfwam changed their profile picture.17:15:04
@howlymowly:matrix.orgThomas m changed their display name from howlymowly to Thomas m.19:26:50
3 Feb 2025
@cameronraysmith:matrix.orgcameronraysmith joined the room.05:06:26
@guhou:matrix.orgGus joined the room.06:05:32
@guhou:matrix.orgGus Anyone have good patterns for decrypting "secrets" for eval-time configuration? E.g. I want to set services.caddy.virtualHosts.foo.hostName = "foo.${myTailnet}". I don't care about myTailnet being in the nix store but I would prefer that it's not plaintext in my git repo 06:13:21
@guhou:matrix.orgGusI saw that maybe scalpel can solve this?06:13:42
@guhou:matrix.orgGuswondering if there is a straightforward way that people recommend :) 06:14:03
9 Feb 2025
@lordkekz:matrix.orgLordKekz Nix doesn't have eval-time secrets. But if you just want to avoid putting some variables in a public repo, you can make a separate private repo on your git forge of choice and add it as a flake input.
You will then need to provide credentials to the private repo, e.g. via ~/.config/nix/nix.conf. 		22:21:01
@aliarokapis:matrix.orgAlexandros LiarokapisRedacted or Malformed Event23:23:30
@aliarokapis:matrix.orgAlexandros Liarokapis* If doing that be careful if you are in a multi-user setup23:23:40
11 Feb 2025
@lunchtime:envs.net@lunchtime:envs.net left the room.19:07:58
14 Feb 2025
@rane:junkyard.systemsrane [they/them] joined the room.11:29:46
15 Feb 2025
@benjb83:matrix.orgBenjB83 joined the room.10:15:18
@benjb83:matrix.orgBenjB83 changed their display name from Benjamín Buske to BenjB83.10:42:58
16 Feb 2025
@wiiplayer2:matrix.orgWaldemar Tomme (they/them)

Hi, I hope somebody here might be able to help me even though it might be slightly off-topic:
I just configured agenix-rekey for my secret management together with my yubikey. Everythings works, but I don't know whether my identity file is correct like this:

#       Serial: XXXXXXXX, Slot: 1
#         Name: age identity XXXXXXXX
#      Created: Fri, 08 Nov 2024 18:38:59 +0000
#   PIN policy: Never  (A PIN is NOT required to decrypt)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
#    Recipient: age1yubikeyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AGE-PLUGIN-YUBIKEY-XXXXXXXXXXXXXXXXXXXXXX

As far as I understood this only contains public key information and is save to be committed (in theory publicly). If not how do I split the public and private part?

17:52:58
@wiiplayer2:matrix.orgWaldemar Tomme (they/them)Well, as so often the case I found the answer/explanation. For anyone else interested in the future: https://github.com/str4d/age-plugin-yubikey/issues/17919:05:30
17 Feb 2025
@dillonb:matrix.orgdgb joined the room.22:33:50
18 Feb 2025
@stites:matrix.org@stites:matrix.org left the room.12:56:59
@laurent:matrix.fdn.frlaurent joined the room.21:52:36
23 Feb 2025
@phuetter:matrix.orgPatrick joined the room.01:49:40
@phuetter:matrix.orgPatrick changed their display name from Patrick Hütter to Patrick.01:50:23
@phuetter:matrix.orgPatrick

Hi, i can't get agenix to working. Does somebody have an idea why my tailscale.age isn't get placed onto the host?

❯ nix run github:zhaofengli/colmena -- apply --experimental-flake-eval --on host-1 --show-trace
warning: ignoring untrusted substituter 'https://colmena.cachix.org', you are not a trusted user.
Run `man nix.conf` for more information on the `substituters` configuration option.
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
[INFO ] Using flake: git+file:///Users/user/Workspace/project/infrastructure-as-code?dir=nixos
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
warning: will not write lock file of flake 'path:/private/tmp/colmena-assets-r8xdrZ' because it has an unlocked input ('git+file:///Users/user/Workspace/project/infrastructure-as-code?dir=nixos')
[WARN ] Using direct flake evaluation (experimental)
[INFO ] Enumerating nodes...
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
warning: Git tree '/Users/user/Workspace/project/infrastructure-as-code' is dirty
[INFO ] Selected 1 out of 3 hosts.
             ❌ 3s Failed: Child process exited with error code: 1
host-1       ❌ 3s Evaluation failed: Child process exited with error code: 1                                                                                                     
[ERROR] Failed to evaluate host-1 - Last 20 lines of logs:
[ERROR]   stderr)           621|                   [{ inherit (module) file; inherit value; }]
[ERROR]   stderr)              |                                                     ^
[ERROR]   stderr)           622|                 )
[ERROR]   stderr) 
[ERROR]   stderr)        … while calling the 'concatStringsSep' builtin
[ERROR]   stderr)          at /nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source/modules/age.nix:114:20:
[ERROR]   stderr)           113|
[ERROR]   stderr)           114|   installSecrets = builtins.concatStringsSep "\n" (
[ERROR]   stderr)              |                    ^
[ERROR]   stderr)           115|     ["echo '[agenix] decrypting secrets...'"]
[ERROR]   stderr) 
[ERROR]   stderr)        … while calling 'installSecret'
[ERROR]   stderr)          at /nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source/modules/age.nix:64:19:
[ERROR]   stderr)            63|
[ERROR]   stderr)            64|   installSecret = secretType: ''
[ERROR]   stderr)              |                   ^
[ERROR]   stderr)            65|     ${setTruePath secretType}
[ERROR]   stderr) 
[ERROR]   stderr)        error: path '/nix/store/lrfilxp20f920zgvm3bn71h6wsnp037y-source/nixos/secrets/tailscale.age' does not exist
[ERROR]  failure) Child process exited with error code: 1
[ERROR] Failed to complete requested operation - Last 1 lines of logs:
[ERROR]  failure) Child process exited with error code: 1
[ERROR] -----
[ERROR] Operation failed with error: Child process exited with error code: 1
Hint: Backtrace available - Use `RUST_BACKTRACE=1` environment variable to display a backtrace
14:12:08
@elikoga:matrix.orgelikoga Run git add . and try again 15:19:40
@phuetter:matrix.orgPatrick elikoga: you are my hero! <3 This workend! So simple! I was search for this bug / problem a few hours, did setup a few machines again and again and couldn't fix this problem. Wow, so simple! 19:28:56

Show newer messages

Back to Room ListRoom Version: 6