!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

322 Members, 94 Servers
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/

8 Mar 2025
[08:13:45] laurent (@laurent:matrix.fdn.fr)
In reply to @Valodim:stratum0.org: "It does not need to be backed up. Just create a new one and rekey on redeployment"
Do you mean to re-encrypt all secrets with the then new host key?
[08:14:05] Valodim (@Valodim:stratum0.org): Yes
[08:14:57] Valodim (@Valodim:stratum0.org): The same as you'll have to do on other occasions when public keys change, e.g. when some secret should be available for a new host
[08:15:13] Valodim (@Valodim:stratum0.org): Maybe study the agenix docs some more. It's in there :)
[08:17:33] laurent (@laurent:matrix.fdn.fr)
In reply to @Valodim:stratum0.org: "Maybe study the agenix docs some more. it's in there :)"
I reckon that's what I have to do haha. Been wanting to take shortcuts with nix to be able to have a quick working env, but it's time to go back to the doc now that I understand the ecosystem more.
[21:41:03] Qyriad (@qyriad:katesiria.org) changed their display name from qyriad to Qyriad.
9 Mar 2025
[23:34:49] kiwicutter (@kiwicutter:matrix.org) joined the room.
10 Mar 2025
[00:01:46] kiwicutter (@kiwicutter:matrix.org): So, I've been using agenix for a bit and only now thought to myself, hey, maybe I should check how (easily) recreating my system actually is in case I ever need to do so. The issue I ran into was, of course, that the install media can't decrypt any secrets during nixos-install. Is there a way to supply a user or a previous host key to that, or do I have to re-key everything?
[06:35:11] Valodim (@Valodim:stratum0.org): Personally I find it's easiest to deploy a relatively blank nixos (e.g. just disk config), rekey, then do the full install. Doesn't hurt to have new host keys once in a while, but ymmv
[08:19:45] Daniel Rodríguez Rivero (@danielo515:matrix.org): If that is the intended usage, would SOPS not be simpler? It will work fine without the secrets, then you put them in and run again to get the data decrypted for real
[08:25:52] Valodim (@Valodim:stratum0.org): agenix also "works fine" without secrets, the secret files just won't be there 🤷
[08:28:16] Daniel Rodríguez Rivero (@danielo515:matrix.org): then you don't need a relatively blank anything, no?
[08:28:33] Daniel Rodríguez Rivero (@danielo515:matrix.org): just don't depend on secrets for your system to function
[08:33:54] Valodim (@Valodim:stratum0.org): maybe I just misunderstood what you meant by "sops will work fine without the secrets". I'd think it behaves very similarly to agenix in this regard
[08:42:17] kiwicutter (@kiwicutter:matrix.org): Yeah, fair point tbh, as long as the secrets don't prevent the system from running it'll be easy enough to rekey right after.
[08:43:32] kiwicutter (@kiwicutter:matrix.org): I guess the host keys will only be generated during a first startup though, and not already during nixos-install? Else one could already check those and rekey right after the install..
[08:54:16] Daniel Rodríguez Rivero (@danielo515:matrix.org): As far as I know, they just put empty files in place instead of failing. Is that what agenix does too?
[08:57:41] Daniel Rodríguez Rivero (@danielo515:matrix.org): But in order to rekey, you need to do that in an environment where the secrets are available, no? So you can't do that on the host being built
[14:50:10] kiwicutter (@kiwicutter:matrix.org): As long as I have my "master" key I can just go about and re-key everything no problem, or am I missing something
[22:27:10] Gaël (@gaelj:matrix-ga.eljam.es) joined the room.
[22:30:10] Charles (@charles:computer.surgery) left the room.
12 Mar 2025
[02:53:43] xored (@xoredg:matrix.org): Hi everyone, I've been trying to use the path option to decrypt a secret to $home/.config/ntfy/client.yaml, but it is not working. My best guess is that it is not being evaluated?
[02:56:11] elikoga (@elikoga:matrix.org): Are you using straight up "$home"? Either that's not evaluated or placed at the home of the agenix activation script user (probably root?)
[02:56:48] xored (@xoredg:matrix.org): No, I am using an interpolated string
[02:57:07] xored (@xoredg:matrix.org): put that to save typing hahaha
[02:59:13] xored (@xoredg:matrix.org): oh for the love of god, it was the wrong name in cfg = config.modulename that I pasted from another file
[02:59:23] xored (@xoredg:matrix.org): no wonder it did not eval
16 Mar 2025
[12:38:26] memyk (@memyk:matrix.org) joined the room.
18 Mar 2025
[22:47:03] @raijin_:matrix.org:

I'm a little confused on how I use Agenix secrets with multiple machines.

I have Agenix set up on machine A, and a key on machine A was used to create/encrypt the secrets.

I installed NixOS on machine B, and I have generated a new keypair to belong to this machine.

If I add my new public key to secrets.nix, and I designate that this key can read a given secret in .publicKeys, will this work?

I'm struggling to see how a malicious actor couldn't just download the repo, add their keys, and decrypt? The "original" key (on machine A) has to be used to decrypt at some point, right? What am I missing here? Do I just have to share the same keypair across machines? Obviously not, or else why can we configure multiple?
19 Mar 2025
[00:34:28] K900 (@k900:0upti.me): You need to rekey your secrets manually on a machine that can decrypt them
