Room: agenix (!XLCFfvFhUkYwOMLbVx:nixos.org)
age-encrypted secrets for NixOS - https://github.com/ryantm/agenix/

3 Feb 2025
Gus (@guhou:matrix.org) 06:13:21: Anyone have good patterns for decrypting "secrets" for eval-time configuration? E.g. I want to set services.caddy.virtualHosts.foo.hostName = "foo.${myTailnet}". I don't care about myTailnet being in the Nix store, but I would prefer that it's not plaintext in my git repo.
Gus (@guhou:matrix.org) 06:13:42: I saw that maybe scalpel can solve this?
Gus (@guhou:matrix.org) 06:14:03: Wondering if there is a straightforward way that people recommend :)
9 Feb 2025
LordKekz (@lordkekz:matrix.org) 22:21:01: Nix doesn't have eval-time secrets. But if you just want to avoid putting some variables in a public repo, you can make a separate private repo on your git forge of choice and add it as a flake input.
You will then need to provide credentials to the private repo, e.g. via ~/.config/nix/nix.conf.
Alexandros Liarokapis (@aliarokapis:matrix.org) 23:23:40: If doing that, be careful if you are in a multi-user setup.
16 Feb 2025
Waldemar Tomme (they/them) (@wiiplayer2:matrix.org) 17:52:58:

Hi, I hope somebody here might be able to help me even though it might be slightly off-topic:
I just configured agenix-rekey for my secret management together with my YubiKey. Everything works, but I don't know whether my identity file is correct like this:

#       Serial: XXXXXXXX, Slot: 1
#         Name: age identity XXXXXXXX
#      Created: Fri, 08 Nov 2024 18:38:59 +0000
#   PIN policy: Never  (A PIN is NOT required to decrypt)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
#    Recipient: age1yubikeyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AGE-PLUGIN-YUBIKEY-XXXXXXXXXXXXXXXXXXXXXX

As far as I understood, this only contains public key information and is safe to be committed (in theory publicly). If not, how do I split the public and private part?
Waldemar Tomme (they/them) (@wiiplayer2:matrix.org) 19:05:30: Well, as is so often the case, I found the answer/explanation. For anyone else interested in the future: https://github.com/str4d/age-plugin-yubikey/issues/179
