!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

380 Members
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/ (99 Servers)



15 Sep 2023

[07:19:08] jeroen (@jeroen:simonetti.nl): Cannot comment on the error, but I'm pretty sure authorizedKeys is meant for public keys and not private keys.
[07:56:49] stelcodes (@stelcodes:matrix.org) joined the room.
[08:01:07] stelcodes (@stelcodes:matrix.org): You're getting that error because all those paths in keyFiles are being read behind the scenes (via builtins.readFile) and when you readFile <path-outside-nix-store> you get that purity error. Also jeroen is right, you're not supposed to put private keys there.
[08:12:47] stelcodes (@stelcodes:matrix.org): I'm actually wondering something related to this type of use case. Maybe this has been discussed before, but let's say I *really* want to reference my decrypted secrets at evaluation time as strings and I don't care if they're globally readable from the nix store. Is there any way to decrypt a secret into the nix store via a derivation? I was looking at the experimental `impure-derivations` feature but I don't think it would work. My use case is using agenix to encrypt wireguard endpoint IP addresses for use with wg-quick. Unfortunately there's no way to reference the decrypted
[08:14:25] stelcodes (@stelcodes:matrix.org): secret path at runtime because the IP address must be in the .conf file which is written to the store during evaluation.
[08:16:38] stelcodes (@stelcodes:matrix.org): Currently I'm just using `lib.fileContents <secret>.path` which requires two rebuilds (first one fails, second one succeeds). It's not ideal and I'm wondering if there's any type of hack that could yield the decrypted secrets during nixos-rebuild.
[09:39:32] sbc64 (@sbc64:matrix.org) set a profile picture.
[09:56:05] ryantm (@ryantm:matrix.org): stelcodes: is it that you don't care about the IP address being readable, but you do care about other parts of the file?
16 Sep 2023

[08:20:14] Paul Meyer (katexochen) (@katexochen:matrix.org) changed their display name from katexochen to Paul Meyer (katexochen).

17 Sep 2023

[23:12:58] stelcodes (@stelcodes:matrix.org): ryantm: Yes exactly. The wg-quick config format only allows the interface private key value to be read in from a file because it's obviously very sensitive. I also want some other values in the configuration to not be public information (I post my NixOS config to GitHub in a public repo) so I'm encrypting those too using agenix. Because I have to reference the strings at NixOS config rebuild time, I'm currently having to rebuild once to deploy the secrets without the wireguard config (so the decrypted secret paths get created) and then rebuild again with the wireguard config. To change the secrets I have to rebuild twice once again. It's not ideal and I've seen discussion from people who do the same, but I'm wondering if there's any hack that could decrypt an age file into the store so the fragile double rebuilding process could be avoided.
[23:21:44] stelcodes (@stelcodes:matrix.org): Also, I just watched Xe's newest talk at the All Systems Go! Linux conference in Berlin and they give agenix a couple of shoutouts and recommend using it for managing secrets on NixOS https://xeiaso.net/talks/asg-2023-nixos
18 Sep 2023

[11:46:47] sbc64 (@sbc64:matrix.org):

What is the current standard for providing secrets to a systemd service? An environment systemd file seems to be the only way since credential loading is still not supported in NixOS.

So are environment systemd files managed by agencies the way to go?

[11:48:57] sbc64 (@sbc64:matrix.org): The above post from Xe mentions that secrets are still an issue in NixOS, which is why I'm asking what is the current best practice for using agenix with programs that don't specify a credential file.
[12:44:39] sbc64 (@sbc64:matrix.org): Agencies -> agenix
[12:54:41] hexa (@hexa:lossy.network): nix itself doesn't have secret handling integrated, which isn't really an issue, given that a variety of tools exist to facilitate different kinds of secret storages
[12:55:10] hexa (@hexa:lossy.network): for long-living secrets you could use LoadCredential= in a systemd unit to pass it into the service environment
20 Sep 2023

[00:01:45] uep (@uep:matrix.org): The simple thing to realise is the distinction between evaluation time, when nix is running, and system runtime, when the resulting build is booting and running and nix is not there anymore. The secrets are needed at the latter time, which means a separate runtime tool (like agenix) is needed to decrypt them. That tool is configured (like all the others) with nix, but nix doesn't need to see the secrets.
[00:03:49] uep (@uep:matrix.org): The distinction is harder to see when there are secrets as fields inside a config file that nix is building; it gets a bit more tangled, but that's just because whatever thing you're configuring tangles secrets into other config
[00:04:53] Charles ⚡️ (@charles:computer.surgery): tangential question: if i'm writing a program that requires secrets to function, what's the least annoying way i can make my program ingest secrets?
[00:05:06] Charles ⚡️ (@charles:computer.surgery): * tangential question on that topic: if i'm writing a program that requires secrets to function, what's the least annoying way i can make my program ingest secrets?
[00:06:12] uep (@uep:matrix.org): separate files that the secrets manager can deploy, and the config can refer to, is a common enough pattern that it will always need to work
[00:07:05] uep (@uep:matrix.org): that's not necessarily the same thing as "least annoying"; maybe something with the systemd keystore will eventually be that
[00:07:22] Charles ⚡️ (@charles:computer.surgery): well, i mean "least annoying" in terms of nix
[00:07:31] uep (@uep:matrix.org): hard to say just yet because it's not really a common pattern in widespread use
[00:08:19] Charles ⚡️ (@charles:computer.surgery): * well, i mean "least annoying" in terms of nix (or more like "most well-supported by nix and adjacent systems")
[00:09:14] uep (@uep:matrix.org): but yeah, if your config file has a "TLS private key path" field, that can be set by nix to a location where the runtime secret is decrypted, you're well on the way
[06:23:35] ErrorNoInternet (@errornointernet:envs.net) joined the room.
[06:51:50] ErrorNoInternet (@errornointernet:envs.net):

Hi, I'm new to Nix.

I want to use agenix for a home-manager module (specifically nheko), but that module doesn't take in a file for secrets, it takes in a string. Is there a way I can read from the file during eval time? Using builtins.readFile complains about not having an absolute path.

[07:31:22] uep (@uep:matrix.org): as just above, if you read the secret at eval time, the file nix creates will contain the secret and go in the store unprotected
[08:11:31] ErrorNoInternet (@errornointernet:envs.net): So I guess nheko itself would have to support reading the secret from another file?