| 4 Dec 2024 |
|  OrfeasZ joined the room. | 17:36:44 |
| OrfeasZ | Hello, I'm having an issue with agenix and was wondering if anybody has any solutions: I have an OCI container that uses an environment file that's decrypted by agenix. However, agenix seems to always use the same path for that file (/run/agenix/whatever.env) even when its contents change. This makes it so when I update the env file and rebuild my system, the container doesn't get rebuilt since the path hasn't changed. | 17:38:31 |
| OrfeasZ | * Hello, I'm having an issue with agenix and was wondering if anybody has any solutions: I have an OCI container that uses an environment file that's decrypted by agenix. However, agenix seems to always use the same path for that file (/run/agenix/whatever.env) even when its contents change. This makes it so when I update the env file and rebuild my system, the container doesn't get recreated since the path hasn't changed. | 17:42:54 |
| OrfeasZ | Alright, looks like I was able to work around this by making agenix use a hash of the encrypted file as the file name:
age.secrets."my-secret" = {
file = ./my-secret.age;
name = builtins.hashFile "sha256" ./my-secret.age;
};
| 19:30:57 |
| OrfeasZ | not ideal, but seems to do the job for now! | 19:31:09 |
 LordKekz | Yeah.. but why do you need the container to rebuild? If it's just to make it restart on system activation, it should be possible to reload the systemd unit on activation somehow. Not sure which option you need tho. | 19:37:15 |
| OrfeasZ | Restarting the container doesn't make it pick up new environment variables. It needs to be re-created. | 19:40:13 |
| LordKekz | Ah, I see. Then you the hash thing is probably as good as it gets | 19:43:42 |
| LordKekz | * Ah, I see. Then the hash thing is probably as good as it gets | 19:43:51 |
| OrfeasZ | Yeah should be fine for now | 19:44:23 |
| OrfeasZ | Only "real issue" is that it's based on the hash of the encrypted contents and not the plain text contents, which means that the same source file re-encrypted without any changes will cause a re-creation. | 19:45:27 |
| OrfeasZ | But making it based on the plain text content also reveals that they haven't changed, which is also not great. | 19:45:52 |
| OrfeasZ | So you know, trade-offs. | 19:45:57 |
