!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

350 Members
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/

103 Servers

27 Mar 2025
@raijin_:matrix.org posted an attachment: image.png (15:59:19)

@raijin_:matrix.org:

rane [they/them]: thanks so much for your explanations, I think I'm starting to understand. I'm kind of a visual learner, so I diagrammed out my current setup here. Maybe that will shed light on where my misunderstanding lies.

A private key only needs to be present when you are decrypting the existing values

But what public key does this private key correspond to? One of the public keys defined and assigned to the secret in secrets.nix? Or one of the original keys in identityPaths that encrypted the secret?

A yubikey is just one thing you use

So I would have a public key entry in secrets.nix for the YubiKey just as I would for a host?

So if you store the public key of a machine which needs access to a secret in the secrets.nix file and give it "access" to a secret, agenix,

I think I have this part, because when I get a new host (non-server), I generate a new keypair on that machine and add the pubkey to secrets.nix. I then add that key as a target in secrets.nix. (for the secrets defined in user_secrets.nix)? But obviously I'm missing something when trying to rekey my secrets for the new machine, because the operation does not generate new files.

15:59:22
28 Mar 2025
scottytheengineer (@scottytheengineer:matrix.org) joined the room. (18:16:13)
30 Mar 2025
98765abc (@98765abc:mozilla.org) joined the room. (02:13:30)
31 Mar 2025
taw420 (@taw420:matrix.org) joined the room. (21:13:40)
3 Apr 2025
Ben Sparks (@benjaminsparks:chat.alugha.app) joined the room. (16:18:24)
4 Apr 2025
divit (@divit:matrix.org) joined the room. (12:22:35)
5 Apr 2025
underpantsgnome (@tinybronca:sibnsk.net) left the room. (15:41:33)
8 Apr 2025
@morbidity3080:deep.fo joined the room. (10:39:18)
@morbidity3080:deep.fo left the room. (10:39:52)
9 Apr 2025
Sean (@codebam:fedora.im) joined the room. (19:06:15)
Sean (@codebam:fedora.im): https://github.com/ryantm/agenix/issues/115 where do I get my host ssh key from? (19:25:08)
Sean (@codebam:fedora.im): oh, I don't need one (19:44:32)
10 Apr 2025
fwam (@fwam:femdom.solutions) changed their profile picture. (19:57:47)
11 Apr 2025
thoughtcrime69 (@thoughtcrime69:matrix.org) joined the room. (14:39:59)
Ambroisie (@ambroisie:belanyi.fr) left the room. (22:09:34)
16 Apr 2025
wesleyjrz (@wesleyjrz:matrix.org) joined the room. (12:10:05)
17 Apr 2025
mmkaram (@mmkaram:matrix.org) joined the room. (04:29:42)
Sam (@oneeyed:matrix.org) changed their display name from Sam to Sam (away → 5/5). (17:17:41)
18 Apr 2025
Saik (@saik3617:matrix.org) joined the room. (16:20:15)
Saik (@saik3617:matrix.org):

Hello, here's a simple question that I've had a hard time finding an answer to:

is there a way to have a subfolder within secrets/?

I prefer subfoldering--category/secret_name.age--over appending--category.secret_name.age

16:22:34
eyJhb (@eyjhb:eyjhb.dk):
In reply to @saik3617:matrix.org

Hello, here's a simple question that I've had a hard time finding an answer to:

is there a way to have a subfolder within secrets/?

I prefer subfoldering--category/secret_name.age--over appending--category.secret_name.age

Yes, just create it and use it
16:32:18
eyJhb (@eyjhb:eyjhb.dk): @Saik https://git.fricloud.dk/fricloud/server-configs/src/branch/main/secrets/secrets.nix#L20 (16:33:01)
eyJhb (@eyjhb:eyjhb.dk): And then I use it like this https://git.fricloud.dk/fricloud/server-configs/src/branch/main/secrets/default.nix#L6 (16:33:27)
eyJhb (@eyjhb:eyjhb.dk): You can see all the secrets in that folder as well. (16:33:48)
Saik (@saik3617:matrix.org): Thanks! (17:08:32)
Saik (@saik3617:matrix.org):

Additionally, is there a way to modularize an environment file?

Something like

virtualisation.oci-containers.containers.postgres = {
  environmentFiles = [
    # Dynamically building an env file, which contains POSTGRES_PASSWORD=<contents of postgres-password.age>
    config.age.buildEnvFile "POSTGRES_PASSWORD" config.age.secrets.postgres-password.path
  ];
};
# then, i can construct a different envFile:
virtualisation.oci-containers.containers.grafana = {
  environmentFiles = [
    # Note that the same value is being used, but is named something else, DATABASE_PASS
    # This prevents me needing two `.age` files for the same value.
    config.age.buildEnvFile "DATABASE_PASS" config.age.secrets.postgres-password.path
  ];
};
17:17:16
eyJhb (@eyjhb:eyjhb.dk): I'll try to take a look once I'm at my PC again. Hard to see code formatting on the phone :) (17:47:05)
eyJhb (@eyjhb:eyjhb.dk): I guess in theory you could MAKE something that does that, but I don't think it's currently possible. I want that as well for some of the things I have.. Because I specify them in a .env file, to make it work for the given application, but at the same time, I have a single file for specifying it elsewhere. My use case is e.g. creating a LDAP user which allows a given user to send emails, and then using that LDAP user in a given service to send welcome emails. (18:13:54)
eyJhb (@eyjhb:eyjhb.dk): It could actually be fun to implement, but right now, sorry to disappoint Saik, I don't think it's possible. Or at least, not easily (18:14:47)



Room Version: 6