| 22 Dec 2022 |
ryantm | null_radix: yeah, either way. | 17:25:56 |
| 24 Dec 2022 |
dasj19 | Hi ryantm, FYI, I just pulled together a solution for password updates via the perl script in NixOS https://github.com/NixOS/nixpkgs/pull/207593 | 17:34:16 |
| 26 Dec 2022 |
Tommy | Hey there. That's possibly a stupid question but I'm kind of stuck here: I understand how the `builtins.readFile` is an anti-pattern but I nevertheless like to use agenix to encrypt my known wifi psk. What is the proper way to implement this, since `networking.wireless.networks.<name>` only has a string option for the psk, not an option to provide a file? | 14:44:52 |
ryantm | Tommy: proper way might require fixing NixOS. | 15:22:15 |
Tommy | Mhmm. What does that mean? Implementing an option like `networking.wireless.networks.<name>.passwordFile`? And what are options not being proper and also not storing the passwords in the nix store? | 15:28:12 |
ryantm | Right | 15:32:09 |
| 30 Dec 2022 |
ofungus | Hello all, first of all thanks for providing agenix. It works like a charm. I am now working on a use case where I want to provide a grub passwordFile via agenix. But unfortunately updating the grub2 menu happens before agenix decrypts the passwordFile to its place, as mentioned in this issue before: https://github.com/ryantm/agenix/issues/74. Is there a better approach than the one described in the issue? Thanks a lot | 19:08:45 |
ryantm | ofungus: you could try learning which activation script does the grub password and add `agenixInstall` to the deps. Like we do for the users one https://github.com/ryantm/agenix/blob/a630400067c6d03c9b3e0455347dc8559db14288/modules/age.nix#L221 | 19:41:56 |
ofungus | Ah ok, makes sense. I'll look into it. Thanks | 19:43:21 |
ryantm | It might make sense to add it to the age module. There are a lot of users with weird decryption and impermanence setups who might be affected though. I don't know enough details. | 19:45:52 |
| 5 Jan 2023 |
[0x4A6F] | In reply to @ryantm:matrix.org ("Tommy: proper way might require fixing NixOS."): Proper way would be to write documentation for developers to handle secrets in nixos module system. There are many dark places in nixpkgs. ;) Any inputs for that? | 18:38:51 |
| 6 Jan 2023 |
Wanja Hentze | In reply to @0x4a6f:matrix.org ("Proper way would be to write documentation for developers to handle secrets in nixos module system. There are many dark places in nixpkgs. ;) Any inputs for that?"): commandline option available for providing secret (without leaking to process list?) danger: the method described there (`--secret $(cat ${cfg.secretFilePath})`) does leak to process list | 08:10:55 |
Wanja Hentze | the shell expands that cat invocation before passing the command line, it all still ends up in argv of the process | 08:11:47 |
Wanja Hentze | I don't know of a way to pass secrets directly via command line option that doesn't leak that way | 08:12:36 |
Wanja Hentze | you can play silly games with ptrace probably, but I wouldn't want to rely on that | 08:17:58 |
| 16 Jan 2023 |
REASON...UNKNOWN | Is there any strategy for setting secret ownership for services with `DynamicUser=true`? | 03:23:31 |
REASON...UNKNOWN | Oh I guess the LoadCredential business | 03:28:25 |