| 29 Oct 2023 |
Charles ⚡️ | the goal is to have a systemd restartTriggers for a service that uses an agenix secret, and this does work, but it restarts every time instead of just when it changes | 04:38:43 |
Charles ⚡️ | maybe i should builtins.readFile it so the restartTriggers just has the ciphertext? | 04:39:39 |
Charles ⚡️ | no that doesn't work because the contents can't be a nix string | 04:42:07 |
Charles ⚡️ | builtins.hashFileing it worked | 04:49:19 |
| 31 Oct 2023 |
peter-lustig | If I have two hosts, a laptop and a personal computer, that should be able to do remote deployments to a server, what should the top section of this secrets.nix file look like? I do the deployments with nixos-rebuild --target-host, and I am a bit confused about how I would achieve this:
let
server = "";
in
{
"hedgedoc-environment-file.age".publicKeys = [ server ];
"discord-bot-token.age".publicKeys = [ server ];
}
| 09:15:32 |
K900 ⚡️ | The server's SSH host key | 09:20:56 |
peter-lustig | In reply to @k900:0upti.me "The server's SSH host key": just the public key of the server? | 09:23:36 |
K900 ⚡️ | Yes | 09:23:44 |
peter-lustig | but if i want to do remote deployments do I not need the public keys of the machines as well | 09:24:09 |
peter-lustig | laptop and pc | 09:24:12 |
K900 ⚡️ | No | 09:24:19 |
K900 ⚡️ | Well | 09:24:21 |
K900 ⚡️ | It depends on whether you want to edit those files in the future | 09:24:31 |
peter-lustig | In reply to @k900:0upti.me "It depends on whether you want to edit those files in the future": I guess I would just ssh onto the server and then do the agenix -e stuff | 09:24:51 |
K900 ⚡️ | You can always reencrypt to the server's host key if you want | 09:24:56 |
K900 ⚡️ | You just won't be able to decrypt the existing contents not on the server | 09:25:12 |
jeroen | In reply to @k900:0upti.me "No": how would it work then? I thought it might use the ssh-agent, but this confirms my suspicion, thank you! | 09:33:47 |
peter-lustig | K900 ⚡️: I got
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
decrypting '/nix/store/426r27dfbgqaw3kn8sa78xk25148rbvb-hedgedoc-environment-file.age' to '/run/agenix.d/1/hedgedoc-environment-file'...
Error: No matching keys found
on my server
| 22:47:50 |
peter-lustig | but the server public key and the user public key are stored in secrets.nix | 22:48:03 |