| 1 Jan 2025 |
|  xored joined the room. | 00:51:27 |
| xored | hey guys i've a question, when using age to define a secret inside a home manager module, is there anything extra I need to do to have the secret available under the home agenix path? i have something like this in my home manager config:
programs.atuin = {
enable = true;
key_path = config.age.secrets.atuinKey.path;
}
age.secrets.atuinKey.file = inputs.self + /secrets/atuinKey.age;
| 00:55:24 |
| xored | when I inspect $XDG_RUNTIME_DIR/agenix.d i don't see it there | 00:56:09 |
| xored | if it helps my OS level secrets are working fine (under /run/agenix) | 00:58:36 |
| xored | oh it turns out that's just my setup, i don't have my keys on home, they're saved on 1password, so the home module didn't seem to be able to decrypt the file | 01:28:10 |
|  NixOS Moderation Botchanged room power levels. | 14:26:34 |
| 3 Jan 2025 |
|  elikoga changed their display name from elikoga (@38c3 📞488{0,1,9}) to elikoga. | 10:28:09 |
 willmckinnon | Hey all! Interesting question here - how many private keys would need to be known to be able to determine what the other keys that a secret is encrypted with are? Lets say I had a secret encrypted to 3 different hosts' private keys, with the public keys of those hosts known. If someone figured out one of my host's private keys, could they then determine my other hosts' private keys given the knowledge of the secret and the public keys of those hosts? | 21:36:56 |
 K900 | In reply to@willpower3309:matrix.org
Hey all! Interesting question here - how many private keys would need to be known to be able to determine what the other keys that a secret is encrypted with are? Lets say I had a secret encrypted to 3 different hosts' private keys, with the public keys of those hosts known. If someone figured out one of my host's private keys, could they then determine my other hosts' private keys given the knowledge of the secret and the public keys of those hosts? No | 21:52:16 |
| 4 Jan 2025 |
|  philt3r joined the room. | 16:05:14 |
| 6 Jan 2025 |
|  jeroen left the room. | 16:40:02 |
| 12 Jan 2025 |
|  @strutztm:strutztm.de joined the room. | 00:22:06 |
| 19 Jan 2025 |
|  Waldemar Tomme (they/them) changed their display name from Waldemar Tomme to Waldemar Tomme (they/them). | 08:17:06 |
| 25 Jan 2025 |
|  fwam changed their profile picture. | 04:32:11 |
| 28 Jan 2025 |
| fwam changed their profile picture. | 17:15:04 |
|  Thomas m changed their display name from howlymowly to Thomas m. | 19:26:50 |
| 3 Feb 2025 |
|  cameronraysmith joined the room. | 05:06:26 |
|  Gus joined the room. | 06:05:32 |
| Gus | Anyone have good patterns for decrypting "secrets" for eval-time configuration? E.g. I want to set services.caddy.virtualHosts.foo.hostName = "foo.${myTailnet}". I don't care about myTailnet being in the nix store but I would prefer that it's not plaintext in my git repo | 06:13:21 |
| Gus | I saw that maybe scalpel can solve this? | 06:13:42 |
| Gus | wondering if there is a straightforward way that people recommend :) | 06:14:03 |
| 9 Feb 2025 |
 LordKekz | Nix doesn't have eval-time secrets. But if you just want to avoid putting some variables in a public repo, you can make a separate private repo on your git forge of choice and add it as a flake input.
You will then need to provide credentials to the private repo, e.g. via ~/.config/nix/nix.conf. | 22:21:01 |
 Alexandros Liarokapis | Redacted or Malformed Event | 23:23:30 |
| Alexandros Liarokapis | * If doing that be careful if you are in a multi-user setup | 23:23:40 |
| 11 Feb 2025 |
|  @lunchtime:envs.net left the room. | 19:07:58 |
| 14 Feb 2025 |
|  rane [they/them] joined the room. | 11:29:46 |
| 15 Feb 2025 |
|  BenjB83 joined the room. | 10:15:18 |
| BenjB83 changed their display name from Benjamín Buske to BenjB83. | 10:42:58 |
| 16 Feb 2025 |
| Waldemar Tomme (they/them) | Hi, I hope somebody here might be able to help me even though it might be slightly off-topic:
I just configured agenix-rekey for my secret management together with my yubikey. Everythings works, but I don't know whether my identity file is correct like this:
# Serial: XXXXXXXX, Slot: 1
# Name: age identity XXXXXXXX
# Created: Fri, 08 Nov 2024 18:38:59 +0000
# PIN policy: Never (A PIN is NOT required to decrypt)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikeyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AGE-PLUGIN-YUBIKEY-XXXXXXXXXXXXXXXXXXXXXX
As far as I understood this only contains public key information and is save to be committed (in theory publicly). If not how do I split the public and private part?
| 17:52:58 |
| Waldemar Tomme (they/them) | Well, as so often the case I found the answer/explanation. For anyone else interested in the future: https://github.com/str4d/age-plugin-yubikey/issues/179 | 19:05:30 |
