| 12 Sep 2024 |
 goodlander | ok let me see if I can figure that out | 04:20:08 |
 eyJhb | agenix -e somefile.age <<< mywallpaper.jpg | 07:01:42 |
| eyJhb | ? | 07:01:43 |
| eyJhb | goodlander: tagging you in case you don't get notifications. Might work. :) | 07:21:39 |
| goodlander | In reply to @eyjhb:eyjhb.dk
goodlander: tagging you in case you don't get notifications. Might work. :) This just encrypted the string "mywallpaper.jpg" however this did appear to work:
cat mywallpaper.jpg | agenix -e somefile.age | 15:26:59 |
| eyJhb | Eh, I guess I fucked my brackets up. Thought I would be cool with my <<< :D Glad it worked out however. | 15:40:59 |
| goodlander | Now that I'm trying to do a rebuild I get this:
error: access to absolute path '/run/agenix/mywallpaper' is forbidden in pure eval mode (use '--impure' to override) | 18:56:59 |
|  @thedragon44:matrix.org joined the room. | 23:14:56 |
| 13 Sep 2024 |
 ryantm | Sounds like you're using the path as a file as the input to some builder. You should only use it as a string. | 00:57:24 |
|  @42398234iuodfhjkdsfjdsfsdffgs:matrix.org joined the room. | 09:28:37 |
|  Alper Çelik joined the room. | 14:20:58 |
| Alper Çelik | hello is it fine to store encrypted secrets on a public github repo ? | 14:22:51 |
 K900 | Yes | 14:36:58 |
| ryantm | Depends on your threat model. | 14:49:27 |
| 14 Sep 2024 |
|  Mahmoud changed their profile picture. | 11:30:48 |
| 15 Sep 2024 |
| eyJhb | Surely I'll not be the first one to do this. I have an existing setup of gpg keys, that I have backed up various places. I would like to use my gpg keys w/ agenix, in case I loose my ssh key. So, my thinking is to generate a age key, encrypt that with my gpg key, and place inside the repo. So in case I fuck something up, I can always decrypt it, and get access to my secrets. Does this sound 100% idiotic? Am I missing something? | 10:42:49 |
| eyJhb | * Surely I'll not be the first one to do this. I have an existing setup of gpg keys, that I have backed up various places. I would like to use my gpg keys w/ agenix, in case I lose my ssh key. So, my thinking is to generate a age key, encrypt that with my gpg key, and place inside the repo. So in case I fuck something up, I can always decrypt it, and get access to my secrets. Does this sound 100% idiotic? Am I missing something? | 10:45:51 |
| K900 | I don't think that sounds completely insane but also yuck | 10:46:19 |
| eyJhb | Perfect, that's just what I was going for. | 10:47:23 |
| eyJhb | I looked into using sops-nix, as I could use my gpg key there, but it feels very complex compared to what I need. agenix is just very very KISS in that regards.
The only other thing I considered, was adding a age key to my yubikey, but then I would need to have N times age secrets to manage. | 10:48:31 |
| eyJhb | But granted, managing GPG keys is usually quite yuck. | 10:48:45 |
| eyJhb | In reply to @ryantm:matrix.org
Yes, you can use nix to read a directory's contents and use that as your secrets.nix output. I guess this would require you to touch the file first, maybe? | 12:16:04 |
| eyJhb | Because you can't edit a file, which does not exists. Or rather, when you do agenix -e somefile.age, it will try to find the file in the secrets.nix file, and THEN IF it is in there, you can edit it. Otherwise you get a "attribute missing" error. | 12:20:10 |
| 16 Sep 2024 |
|  silentlurker joined the room. | 19:56:14 |
| 17 Sep 2024 |
|  titaniumtown joined the room. | 02:46:19 |
| titaniumtown | hihihi, i am switching a ton of my stuff over to agenix. quick question though. How can I properly use a nix file as a secret. For instance. I have a wifi-passwords.nix, with declarations for each network and such. And I import it and such. But the thing is that I have to build my system, restart agenix. make sure the secret is there. and then uncomment the part referencing the secret. | 02:47:53 |
| titaniumtown | hihihi, i am switching a ton of my stuff over to agenix. quick question though. How can I properly use a nix file as a secret. For instance. I have a wifi-passwords.nix, with declarations for each network and such. And I import it and such. But the thing is that I have to build my system, restart agenix. make sure the secret is there. and then uncomment the part referencing the secret.
Is there a better way of doing this? | 02:48:00 |
| titaniumtown | hihihi, i am switching a ton of my stuff over to agenix. quick question though. How can I properly use a nix file as a secret. For instance. I have a wifi-passwords.nix, with declarations for each network and such. And I import it and such. But the thing is that I have to build my system, restart agenix. make sure the secret is there. and then uncomment the part referencing the secret.
Is there a better way of doing this?
There are some options that just require an actual string. not a file. I'm doing the best I can :( | 02:48:47 |
| K900 | You could just use git-crypt or something for those | 04:53:37 |
| K900 | Since you're doing impure anyway | 04:53:41 |
