29 May 2024 |
| NixOS Moderation Bot unbanned @5m5z3q888q5prxkg:chat.lightnovel-dungeon.de. | 12:48:33 |
31 May 2024 |
| parasew | CDC joined the room. | 11:11:36 |
2 Jun 2024 |
| 4o1x5 joined the room. | 20:01:00 |
4o1x5 | Hello there, I have a service that sadly does not support password files and requires secrets to be passed on via a string. Any way I could include that string with agenix? I don't really care if it's readable in the nix store. | 20:02:21 |
3 Jun 2024 |
Charles | If you don't care if it goes in the nix store in plain text then you don't need to use agenix | 05:30:47 |
Charles | If you do care, you can try modifying the NixOS module to generate a template config and then fill in the template with the secrets in ExecStartPre or whatever | 05:33:25 |
4o1x5 | In reply to @charles:computer.surgery "If you don't care if it goes in the nix store in plain text then you don't need to use agenix" well yeah, I guess. The main reason is that I usually make my configs public and I don't want raw passwords out there | 06:27:00 |
4o1x5 | I am using agenix for every service that has an option for it, but sometimes the software I run doesn't have options in nixpkgs and I run them in oci containers | 06:27:35 |
Charles | you could always write a NixOS module for them yourself | 14:22:19 |
Charles | In reply to @4o1x5:4o1x5.dev "well yeah i guess, the main reason is that i usually make my configs public and i don't want raw passwords out there" Hmm, actually, I think this would be impossible, because you'd have to be able to decrypt the secret at eval time in order to get it into the store, but if you can decrypt it at eval time, then so can anyone else | 14:53:38 |
Charles | Unless you do impure stuff, which, ew | 14:54:52 |
522 | In reply to @charles:computer.surgery "Hmm actually, I think this would be impossible because you'd have to be able to decrypt the secret at eval time in order to get it into the store, but if you can decrypt it at eval time, then so can anyone else" something like https://www.agwa.name/projects/git-crypt/, which keeps the secret in plaintext on the FS, would work | 16:16:35 |
522 | if the use case is just "i have my config in a public git repo and don't want secrets there, but it's fine for them to be local" | 16:17:03 |
4 Jun 2024 |
| roshan | byteio.in 🌷 joined the room. | 14:00:12 |
5 Jun 2024 |
uep | yes that's what I use for that case | 04:20:21 |
| dithpri joined the room. | 23:31:49 |
7 Jun 2024 |
| conr joined the room. | 20:15:21 |
conr | Is agenix a good use case for encrypting your config information and keys in a nix config stored on a public git repo? | 20:16:25 |
ryantm | Depends on your threat model | 20:27:16 |
conr | high threat, I'm really important. | 20:34:47 |
conr | lol | 20:34:49 |
conr | this part of the tutorial for installing with flakes, "agenix -e secret1.age", is this on the nix machine or the remote machine with your ed25519 public key? | 20:36:37 |
hexa | this is to edit a secret locally | 20:54:23 |
hexa | * this is to edit a secret locally, before deployment | 20:54:32 |
conr | so like on my Mac, install agenix with brew and do it? | 20:57:55 |
conr | then deploy to the nixos server? | 20:58:09 |
conr | hexa: ^ | 20:58:40 |
hexa | yeah | 20:59:20 |
conr | is the brew formula just age? | 21:00:01 |
hexa | agenix is a wrapper around age | 21:00:19 |