| 27 Mar 2025 |
 @raijin_:matrix.org | 
Download image.png | 15:59:19 |
| @raijin_:matrix.org | rane [they/them]: thanks so much for your explanations, I think I'm starting to understand. I'm kind of a visual learner, so I diagrammed out my current setup here. Maybe that will shed light on where my misunderstanding lies.
A private key only needs to be present when you are decrypting the existing values
But what public key does this private key correspond to? One of the public keys defined and assigned to the secret in secrets.nix? Or one of the original keys in identityPaths that encrypted the secret?
A yubikey is just one thing you use
So I would have a public key entry in secrets.nix for the YubiKey just as I would for a host?
So if you store the public key of a machine which needs access to a secret in the secrets.nix file and give it "access" to a secret, agenix,
I think I have this part, because when I get a new host (non-server), I generate a new keypair on that machine and add the pubkey to secrets.nix. I then add that key as a target in secrets.nix. (for the secrets defined in user_secrets.nix)? But obviously I'm missing something when trying to rekey my secrets for the new machine, because the operation does not generate new files.
| 15:59:22 |
| 28 Mar 2025 |
|  scottytheengineer joined the room. | 18:16:13 |
| 30 Mar 2025 |
|  98765abc joined the room. | 02:13:30 |
| 31 Mar 2025 |
|  taw420 joined the room. | 21:13:40 |
| 3 Apr 2025 |
|  Ben Sparks joined the room. | 16:18:24 |
| 4 Apr 2025 |
|  divit joined the room. | 12:22:35 |
| 5 Apr 2025 |
|  underpantsgnome left the room. | 15:41:33 |
| 8 Apr 2025 |
|  @morbidity3080:deep.fo joined the room. | 10:39:18 |
| @morbidity3080:deep.fo left the room. | 10:39:52 |
| 9 Apr 2025 |
|  Sean joined the room. | 19:06:15 |
| Sean | https://github.com/ryantm/agenix/issues/115
where do I get my host ssh key from? | 19:25:08 |
| Sean | oh, I don't need one | 19:44:32 |
| 10 Apr 2025 |
|  fwam changed their profile picture. | 19:57:47 |
| 11 Apr 2025 |
|  thoughtcrime69 joined the room. | 14:39:59 |
|  Ambroisie left the room. | 22:09:34 |
| 16 Apr 2025 |
|  wesleyjrz joined the room. | 12:10:05 |
| 17 Apr 2025 |
|  mmkaram joined the room. | 04:29:42 |
|  Sam changed their display name from Sam to Sam (away → 5/5). | 17:17:41 |
| 18 Apr 2025 |
|  Saik joined the room. | 16:20:15 |
| Saik | Hello, heres a simple question that I've had a hard time finding an answer to:
is there a way to have a subfolder within secrets/?
I prefer subfoldering--category/secret_name.age--over appending--category.secret_name.age
| 16:22:34 |
 eyJhb | In reply to @saik3617:matrix.org
Hello, heres a simple question that I've had a hard time finding an answer to:
is there a way to have a subfolder within secrets/?
I prefer subfoldering--category/secret_name.age--over appending--category.secret_name.age
Yes, just create it and use it | 16:32:18 |
| eyJhb | @Saik https://git.fricloud.dk/fricloud/server-configs/src/branch/main/secrets/secrets.nix#L20 | 16:33:01 |
| eyJhb | And then I use it like this https://git.fricloud.dk/fricloud/server-configs/src/branch/main/secrets/default.nix#L6 | 16:33:27 |
| eyJhb | You can see all the secrets in that folder as well. | 16:33:48 |
| Saik | Thanks! | 17:08:32 |
| Saik | Additionally, is there a way to modularize an environment file?
Something like
virtualisation.oci-containers.containers.postgres = {
environmentFiles = [
# Dynamically building an env file, which contains POSTGRES_PASSWORD=<contents of postgres-password.age>
config.age.buildEnvFile "POSTGRES_PASSWORD" config.age.secrets.postgres-password.path
];
};
# then, i can construct a different envFile:
virtualisation.oci-containers.containers.grafana = {
environmentFile = [
# Note that the same value is being used, but is named something else, DATABASE_PASS
# This prevents me needing two `.age` files for the same value.
config.age.buildEnvFile "DATABASE_PASS" config.age.secrets.postgres-password.path
];
};
| 17:17:16 |
| eyJhb | I'll try to take a look once I'm at my PC again. Hard to see code formatting on the phone :) | 17:47:05 |
| eyJhb | I guess in theory you could MAKE something that does that, but I don't think it's currently possible. I want that as well for some of the things I have.. Because I specify them in a .env file, to make it work for the given application, but at the same time, I have a single file for specifying it elsewere. My usecase is e.g. creating a LDAP user which allows a given user to send emails, and then using that LDAP user in a given service to send welcome emails. | 18:13:54 |
| eyJhb | It could actually be fun to implement, but right now, sorry to disappoint Saik , I don't think it's possible. Or at least, not easily | 18:14:47 |
