| 29 Oct 2023 |
Charles ⚡️ | why does this happen?
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file'
/nix/store/5figp7jxkcwhw790j79p64533vl2d7pb-source/secrets/garage/rpc.age
$ git checkout HEAD^
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file'
/nix/store/5p5zlykmcrbmyhik4xgxilng1h3xcqan-source/secrets/garage/rpc.age
the hashes are different but the contents of the file are the same
| 04:37:03 |
Charles ⚡️ | the goal is to have a systemd restartTriggers for a service that uses an agenix secret, and this does work, but it restarts every time instead of just when it changes | 04:38:43 |
Charles ⚡️ | maybe i should builtins.readFile it so the restartTriggers just has the ciphertext? | 04:39:39 |
Charles ⚡️ | no that doesn't work because the contents can't be a nix string | 04:42:07 |
Charles ⚡️ | builtins.hashFileing it worked | 04:49:19 |
| 31 Oct 2023 |
peter-lustig | If I have two hosts, a laptop and a personal computer, that should be able to do remote deployments to a server, what should the top section of this secrets.nix file look like? I do the deployments with nixos-rebuild --target-host, and I am a bit confused about how I would achieve this:
let
  server = "";
in
{
  "hedgedoc-environment-file.age".publicKeys = [ server ];
  "discord-bot-token.age".publicKeys = [ server ];
}
| 09:15:32 |
K900 ⚡️ | The server's SSH host key | 09:20:56 |
peter-lustig | In reply to @k900:0upti.me "The server's SSH host key": just the public key of the server? | 09:23:36 |
K900 ⚡️ | Yes | 09:23:44 |
peter-lustig | but if I want to do remote deployments, do I not need the public keys of the machines as well? | 09:24:09 |
peter-lustig | laptop and pc | 09:24:12 |
K900 ⚡️ | No | 09:24:19 |
K900 ⚡️ | Well | 09:24:21 |
K900 ⚡️ | It depends on whether you want to edit those files in the future | 09:24:31 |
peter-lustig | In reply to @k900:0upti.me "It depends on whether you want to edit those files in the future": I guess I would just ssh onto the server and then do the agenix -e stuff | 09:24:51 |
K900 ⚡️ | You can always reencrypt to the server's host key if you want | 09:24:56 |
K900 ⚡️ | You just won't be able to decrypt the existing contents not on the server | 09:25:12 |
jeroen | In reply to @k900:0upti.me "No": how would it work then? I thought it might use the ssh-agent, but this confirms my suspicion, thank you! | 09:33:47 |