3 Feb 2025 |
| cameronraysmith joined the room. | 05:06:26 |
| Gus joined the room. | 06:05:32 |
Gus | Anyone have good patterns for decrypting "secrets" for eval-time configuration? E.g. I want to set services.caddy.virtualHosts.foo.hostName = "foo.${myTailnet}" . I don't care about myTailnet being in the nix store but I would prefer that it's not plaintext in my git repo | 06:13:21 |
Gus | I saw that maybe scalpel can solve this? | 06:13:42 |
Gus | wondering if there is a straightforward way that people recommend :) | 06:14:03 |
9 Feb 2025 |
LordKekz | Nix doesn't have eval-time secrets. But if you just want to avoid putting some variables in a public repo, you can make a separate private repo on your git forge of choice and add it as a flake input. You will then need to provide credentials to the private repo, e.g. via ~/.config/nix/nix.conf . | 22:21:01 |
Alexandros Liarokapis | If doing that, be careful if you are in a multi-user setup | 23:23:40 |
11 Feb 2025 |
| @lunchtime:envs.net left the room. | 19:07:58 |
14 Feb 2025 |
| rane [they/them] joined the room. | 11:29:46 |
15 Feb 2025 |
| BenjB83 joined the room. | 10:15:18 |
| BenjB83 changed their display name from Benjamín Buske to BenjB83. | 10:42:58 |
16 Feb 2025 |
Waldemar Tomme (they/them) | Hi, I hope somebody here might be able to help me even though it might be slightly off-topic: I just configured agenix-rekey for my secret management together with my yubikey. Everything works, but I don't know whether my identity file is correct like this:
# Serial: XXXXXXXX, Slot: 1
# Name: age identity XXXXXXXX
# Created: Fri, 08 Nov 2024 18:38:59 +0000
# PIN policy: Never (A PIN is NOT required to decrypt)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikeyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AGE-PLUGIN-YUBIKEY-XXXXXXXXXXXXXXXXXXXXXX
As far as I understood, this only contains public key information and is safe to be committed (in theory publicly). If not, how do I split the public and private part?
| 17:52:58 |
Waldemar Tomme (they/them) | Well, as is so often the case, I found the answer/explanation. For anyone else interested in the future: https://github.com/str4d/age-plugin-yubikey/issues/179 | 19:05:30 |