!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

331 Members
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/
98 Servers



12 Sep 2024
goodlander (@goodlander:matrix.org): ok let me see if I can figure that out  [04:20:08]
eyJhb (@eyjhb:eyjhb.dk): agenix -e somefile.age <<< mywallpaper.jpg  [07:01:42]
eyJhb (@eyjhb:eyjhb.dk): ?  [07:01:43]
eyJhb (@eyjhb:eyjhb.dk): goodlander: tagging you in case you don't get notifications. Might work. :)  [07:21:39]
goodlander (@goodlander:matrix.org):
  In reply to eyJhb (@eyjhb:eyjhb.dk): "goodlander: tagging you in case you don't get notifications. Might work. :)"
  This just encrypted the string "mywallpaper.jpg"; however, this did appear to work:
  cat mywallpaper.jpg | agenix -e somefile.age
  [15:26:59]
eyJhb (@eyjhb:eyjhb.dk): Eh, I guess I fucked my brackets up. Thought I would be cool with my <<< :D Glad it worked out however.  [15:40:59]
goodlander (@goodlander:matrix.org): Now that I'm trying to do a rebuild I get this: error: access to absolute path '/run/agenix/mywallpaper' is forbidden in pure eval mode (use '--impure' to override)  [18:56:59]
@thedragon44:matrix.org joined the room.  [23:14:56]
13 Sep 2024
ryantm (@ryantm:matrix.org): Sounds like you're using the path as a file as the input to some builder. You should only use it as a string.  [00:57:24]
@42398234iuodfhjkdsfjdsfsdffgs:matrix.org joined the room.  [09:28:37]
Alper Çelik (@alper-celik:matrix.org) joined the room.  [14:20:58]
Alper Çelik (@alper-celik:matrix.org): hello, is it fine to store encrypted secrets on a public GitHub repo?  [14:22:51]
K900 (@k900:0upti.me): Yes  [14:36:58]
ryantm (@ryantm:matrix.org): Depends on your threat model.  [14:49:27]
14 Sep 2024
Mahmoud (@mahmoudk1000:matrix.org) changed their profile picture.  [11:30:48]
15 Sep 2024
eyJhb (@eyjhb:eyjhb.dk): Surely I'll not be the first one to do this. I have an existing setup of gpg keys that I have backed up in various places. I would like to use my gpg keys w/ agenix, in case I lose my ssh key. So, my thinking is to generate an age key, encrypt that with my gpg key, and place it inside the repo. So in case I fuck something up, I can always decrypt it and get access to my secrets. Does this sound 100% idiotic? Am I missing something?  [10:42:49, edited 10:45:51]
K900 (@k900:0upti.me): I don't think that sounds completely insane, but also yuck  [10:46:19]
eyJhb (@eyjhb:eyjhb.dk): Perfect, that's just what I was going for.  [10:47:23]
eyJhb (@eyjhb:eyjhb.dk): I looked into using sops-nix, as I could use my gpg key there, but it feels very complex compared to what I need. agenix is just very very KISS in that regard. The only other thing I considered was adding an age key to my yubikey, but then I would need to have N times age secrets to manage.  [10:48:31]
eyJhb (@eyjhb:eyjhb.dk): But granted, managing GPG keys is usually quite yuck.  [10:48:45]
eyJhb (@eyjhb:eyjhb.dk):
  In reply to ryantm (@ryantm:matrix.org): "Yes, you can use nix to read a directory's contents and use that as your secrets.nix output."
  I guess this would require you to touch the file first, maybe?
  [12:16:04]
eyJhb (@eyjhb:eyjhb.dk): Because you can't edit a file which does not exist. Or rather, when you do agenix -e somefile.age, it will try to find the file in the secrets.nix file, and THEN, IF it is in there, you can edit it. Otherwise you get an "attribute missing" error.  [12:20:10]
16 Sep 2024
silentlurker (@silentlurker:matrix.org) joined the room.  [19:56:14]
17 Sep 2024
titaniumtown (@titaniumtown:envs.net) joined the room.  [02:46:19]
titaniumtown (@titaniumtown:envs.net): hihihi, I am switching a ton of my stuff over to agenix. Quick question though: how can I properly use a nix file as a secret? For instance, I have a wifi-passwords.nix with declarations for each network and such, and I import it and such. But the thing is that I have to build my system, restart agenix, make sure the secret is there, and then uncomment the part referencing the secret.

  Is there a better way of doing this?

  There are some options that just require an actual string, not a file. I'm doing the best I can :(
  [02:47:53, edited 02:48:00 and 02:48:47]
K900 (@k900:0upti.me): You could just use git-crypt or something for those  [04:53:37]
K900 (@k900:0upti.me): Since you're doing impure anyway  [04:53:41]


