22 Aug 2024 |
@pascal.dietrich:mintux.de | On my system, I am the admin AND user with one single key. | 19:09:05 |
uep | yes | 19:09:20 |
uep | that's the second row. You still want the first row for the host key as well | 19:10:02 |
uep | the minimum useful case is one of each | 19:10:24 |
uep | more if the key is shared between hosts, there are multiple admins, backup keys, etc etc | 19:11:31 |
@pascal.dietrich:mintux.de | Or is the idea, that I have one key for me (eventually with a password) and one without one for the system? | 19:12:27 |
uep | I suspect your host won't boot properly and won't decrypt the secret except when you're running switch in a user session with sudo etc | 19:13:45 |
uep | thhd | 19:13:51 |
uep | * the ssh host key is the usual choice for that system key. yes. | 19:14:34 |
@pascal.dietrich:mintux.de | And why do I need two keys? Wouldn't one be sufficient technically? | 19:16:04 |
uep | yes but then you have to enter it on every boot and activation, which is what you're complaining about :) | 19:17:11 |
@pascal.dietrich:mintux.de | Ok. Makes sense. | 19:17:39 |
uep | you need two keys, one (at least) for each of the circumstances in the dot points above | 19:18:06 |
uep | if you really want just one key, it should be the host key, and you decide you never want an admin to edit it (perhaps you just generate an entirely new secret whenever a change happens) | 19:20:21 |
uep | think of it like sending a message to the future host while it boots, it needs to be able to decrypt your message | 19:22:01 |
@pascal.dietrich:mintux.de | Ok. Thanks a lot for your explanations. | 19:22:59 |
uep | np, good luck | 19:23:18 |
29 Aug 2024 |
| @feathecutie:tchncs.de left the room. | 12:40:43 |
31 Aug 2024 |
| undltd joined the room. | 15:33:53 |
undltd | Hi everyone. Is there a way to specify in secrets.nix something like "mysecret-*.age" = [ key1 key2 ] so that I don't have to list every file explicitly? | 15:37:23 |
undltd | Hi everyone. Is there a way to specify in secrets.nix something like "mysecret-*.age".publicKeys = [ key1 key2 ] so that I don't have to list every file explicitly? | 15:38:05 |
undltd | Also, would it be possible to somehow use an agenix secret for one of the values in virtualisation.oci-containers.containers.<name>.environment? | 16:32:35 |
ryantm | Yes, you can use nix to read a directory's contents and use that as your secrets.nix output. | 18:31:59 |
ryantm | Are those containers built when building the OS? If so, no and there wouldn't be much point. | 18:33:46 |
| @thedevofnight:matrix.org joined the room. | 19:25:12 |
| @thedevofnight:matrix.org changed their display name from Devon Wolfe to thedevofnight. | 19:28:07 |
| @thedevofnight:matrix.org left the room. | 19:28:56 |
1 Sep 2024 |
undltd | In reply to @ryantm:matrix.org: "Are those containers built when building the OS? If so, no and there wouldn't be much point." That is a good question... Looks like the containers are instantiated (podman / docker run) by a systemd unit, so that would be during activation. Also I notice there is an environmentFiles option that maps to the docker run / podman run --env-file option, which should be ideal to use with agenix. So yeah, should work! | 09:01:48 |
undltd | That is a good question... Looks like the containers are instantiated (podman / docker run) by a systemd unit, so that would be during boot / activation. Also I notice there is an environmentFiles option that maps to the docker run / podman run --env-file option, which should be ideal to use with agenix. So yeah, should work! | 09:02:16 |
undltd | In reply to @ryantm:matrix.org: "Yes, you can use nix to read a directory's contents and use that as your secrets.nix output." How can I access nixpkgs' lib in secrets.nix? | 09:37:51 |