
agenix

age-encrypted secrets for NixOS — https://github.com/ryantm/agenix



22 Nov 2024
@zacharyweiss:matrix.orgZach joined the room.16:59:48
23 Nov 2024
@aidalgol:matrix.org@aidalgol:matrix.org joined the room.19:13:42
@lordkekz:matrix.orgLordKekz joined the room.19:32:59
25 Nov 2024
@nullcube:matrix.orgNullCube joined the room.09:59:40
26 Nov 2024
@ericschoville:matrix.orgEric Schoville joined the room.04:06:56
@xiaoxiangmoe:matrix.org🐰 xiaoxiangmoe joined the room.04:58:41
27 Nov 2024
@thedragon44:matrix.org@thedragon44:matrix.org left the room.23:23:40
28 Nov 2024
@denkn:denkn.at𝔇𝔢𝔫𝔎𝔫 changed their display name from DenKn to 𝔇𝔢𝔫𝔎𝔫.10:54:07
29 Nov 2024
@bl1nk:matrix.orgbl1nk changed their profile picture.01:11:33
@bl1nk:matrix.orgbl1nk changed their profile picture.01:11:53
30 Nov 2024
@ysomic:matrix.orgySomic joined the room.01:17:42
@ysomic:matrix.orgySomic

Reading this GitHub issue, I suspect my reasoning about how the home-manager integration works is flawed.

Are there resources I could learn from? This does not seem to work: the decrypted file is not present when my activation script runs, and agenix does not ask for my passphrase before switching.

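# Home-manager module: have agenix decrypt an age-encrypted GPG secret key,
# import it into the user's GnuPG keyring during activation, and shred the
# decrypted file afterwards.
#
# Module arguments: `self` is the flake whose tree holds data/secrets (the
# .age ciphertexts and the public key); `config`, `lib` and `pkgs` are the
# usual home-manager module arguments.
{
  self,
  config,
  lib,
  pkgs,
  ...
}: let
  # Encrypted material is referenced from the flake tree, i.e. from the Nix
  # store. That is fine for .age ciphertexts and a public key; nothing
  # plaintext-sensitive must ever be placed here.
  secretsDir = "${self}/data/secrets";
  commonPub = "${secretsDir}/common/pub.gpg";

  # Build the activation shell fragment: define import_gpg_key, then call it
  # once per name in `keys`. Every name must be an attribute of age.secrets
  # (enforced by `assertions` below), since its `.path` is interpolated here.
  mkGpgImportsWithFunc = keys: let
    importStatements =
      lib.concatMapStrings (key: ''
        echo "Attempting to import key: ${key}"
        import_gpg_key "${config.age.secrets.${key}.path}"
      '')
      keys;
  in ''
    # Import one decrypted secret-key file into the keyring, then shred it.
    # Returns 0 on success or when the file is absent, 1 when gpg failed.
    # Written to survive `set -eu`, which activation scripts commonly run
    # under: no unbound variables and no bare failing assignment.
    import_gpg_key() {
      local key_path="$1"
      if [ ! -f "$key_path" ]; then
        # NOTE(review): if this prints during `home-manager switch`, agenix has
        # not decrypted the secret at this point of the activation DAG; order
        # this entry after agenix's own activation entry, not only after
        # writeBoundary.
        echo "Path not found: $key_path"
        return 0
      fi

      local gpg_output
      local gpg_exit_code=0
      # `var=$(cmd)` aborts the whole script under set -e when cmd fails; the
      # `||` keeps control here so the failure is reported and the plaintext
      # file is still shredded.
      gpg_output=$(run ${pkgs.gnupg}/bin/gpg --import "$key_path" 2>&1) || gpg_exit_code=$?

      # Match on the captured output instead of piping it through grep: no
      # subprocess and no interaction with pipefail.
      case "$gpg_output" in
        *"not changed"*)
          echo "Warning: Key $key_path already exists and wasn't modified" ;;
        *"secret key already exists"*)
          echo "Warning: Secret key $key_path already exists" ;;
      esac

      local failed=0
      if [ "$gpg_exit_code" -ne 0 ]; then
        echo "Error: Failed to import GPG key: $key_path"
        echo "GPG output: $gpg_output"
        failed=1
      else
        echo "GPG imported: $key_path"
      fi

      # Always remove the decrypted file, even after a failed import.
      # CAVEAT: shred overwrites in place only. On copy-on-write or journaled
      # filesystems, or if $key_path is a symlink into agenix's runtime
      # directory rather than the decrypted file itself, the plaintext may
      # survive; a tmpfs-backed runtime directory is the reliable place for it.
      echo "Will shred GPG Key: $key_path"
      run ${pkgs.coreutils}/bin/shred -u "$key_path"
      # Explicit status: the caller's activation may abort on non-zero, which
      # is intended only for a real import failure.
      return "$failed"
    }

    ${importStatements}
  '';

  # age.secrets names whose decrypted contents are GPG secret keys to import.
  gpgKeys = [
    "common/gpg"
  ];

  # Fail evaluation early, naming every gpgKeys entry that has no matching
  # age.secrets attribute, instead of failing at string interpolation time.
  assertions = [
    {
      assertion = lib.all (key: lib.hasAttr key config.age.secrets) gpgKeys;
      message = let
        missingKeys = lib.filter (key: !(lib.hasAttr key config.age.secrets)) gpgKeys;
      in "The following GPG keys are in gpgKeys but not in age.secrets: ${toString missingKeys}";
    }
  ];
in {
  inherit assertions;

  age.secrets = {
    "common/gpg" = {
      file = "${secretsDir}/common/gpg.age";
      # NOTE(review): a custom path under $HOME puts the decrypted key (or, if
      # agenix installs `path` as a symlink, the link to it) on persistent
      # storage. Leaving `path` unset keeps the plaintext in agenix's runtime
      # directory, which is the safer default unless this exact location is
      # required by something else.
      path = "${config.home.homeDirectory}/secrets/gpg/common.gpg.temp";
    };
  };

  programs.gpg = {
    enable = true;
    publicKeys = [
      {
        source = commonPub;
        # Ultimate trust is appropriate only for the user's own key; this is
        # presumably the public half of the secret key imported at activation.
        trust = "ultimate";
      }
    ];
  };

  services.gpg-agent = {
    enable = true;
    enableBashIntegration = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

  home.activation = {
    # Runs after home-manager has written its files. If agenix registers its
    # own decryption entry in home.activation, add that entry's name here so
    # the decrypted file exists before import_gpg_key looks for it.
    importPrivateGpgKeys =
      lib.hm.dag.entryAfter ["writeBoundary"]
      (mkGpgImportsWithFunc gpgKeys);
  };
}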
01:43:57


