agenix (!XLCFfvFhUkYwOMLbVx:nixos.org)

age-encrypted secrets for NixOS https://github.com/ryantm/agenix/

14 Oct 2023
[06:48:09] uep (@uep:matrix.org): I do not recommend this and it's very likely probably not what you want, but it's there
[06:49:08] uep (@uep:matrix.org): All of the magic that agenix does is especially to set up decryption at runtime, from encrypted store contents.
[06:49:29] uep (@uep:matrix.org): That's for good reason, but if you're sure you don't want it to work that way, you don't need it
[11:03:37] luzifer2222 (@luzifer2222:matrix.org): uep thank you for the git-crypt recommendation, I will have a look into it. Sometimes some "secrets" are more about being secret in public but not on the "private" computer, e.g. not exposing an IP range or a username of a business account.
But if it comes to real secrets (passwords, auth keys, API keys...) YES! I want to and will use agenix for now.
[12:00:54] ryantm (@ryantm:matrix.org): agenix is not going to support decrypting during evaluation time. That is antithetical to the point of it.
[23:14:12] uep (@uep:matrix.org), in reply to luzifer2222 (@luzifer2222:matrix.org):
> uep thank you for the git-crypt recommendation, I will have a look into it. Sometimes some "secrets" are more about being secret in public but not on the "private" computer, e.g. not exposing an IP range or a username of a business account.
> But if it comes to real secrets (passwords, auth keys, API keys...) YES! I want to and will use agenix for now.

Yes, exactly. When I said "only want to encrypt things in git", I was focussing on that case. Perhaps I should have said "things you only want encrypted in git", and of course there can be different threat models and needs for different things.
16 Oct 2023
[03:55:38] willmckinnon (@willpower3309:matrix.org): hello! I am having trouble using both the home-manager module and the NixOS module. When I add agenix.homeManagerModules.default to my home-manager imports, I get an infinite recursion error
[03:55:49] willmckinnon (@willpower3309:matrix.org): anyone know how to fix this?
[04:11:10] ryantm (@ryantm:matrix.org): Do you do anything related aside from importing it? Can you show your code?
[06:07:53] willmckinnon (@willpower3309:matrix.org), in reply to ryantm (@ryantm:matrix.org):
> Do you do anything related aside from importing it? Can you show your code?

flake outputs:

```nix
  outputs = { self, nixpkgs, home-manager, impermanence, deploy-rs, agenix, ... }:
  let
    # NixOS hosts: agenix is passed to modules via specialArgs
    mkNixos = modules: nixpkgs.lib.nixosSystem {
      inherit modules;
      system = "x86_64-linux";
      specialArgs = { inherit impermanence home-manager agenix; };
    };

    # Standalone home-manager configs: agenix is passed via extraSpecialArgs
    mkHome = modules: pkgs: home-manager.lib.homeManagerConfiguration {
      inherit modules pkgs;
      extraSpecialArgs = { inherit impermanence agenix; };
    };

  in {
    nixosConfigurations = {
      desktop = mkNixos [ ./hosts/desktop ];
      server = mkNixos [ ./hosts/server ];
      surface = mkNixos [ ./hosts/surface ];
    };

    homeConfigurations."will" = mkHome [ ./home ] nixpkgs.legacyPackages."x86_64-linux";

    # TODO: ex https://github.com/disassembler/network/blob/18e4d34b3d09826f1239772dc3c2e8c6376d5df6/nixos/deploy.nix
    deploy.nodes = {
      server = {
        hostname = "10.27.27.3";
        profiles.system = {
          user = "root";
          sshUser = "root";
          path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.server;
        };
      };
    };
  };
```

Home manager base config:

```nix
# `agenix` here comes from specialArgs/extraSpecialArgs of whatever evaluates this module
{ pkgs, impermanence, agenix, ... }:

{
  imports = [
    impermanence.nixosModules.home-manager.impermanence
    agenix.homeManagerModules.default
    ./modules/discord.nix
    ./modules/emacs.nix
    ./modules/foot.nix
    ./modules/games.nix
    ./modules/git.nix
    ./modules/gtk.nix
    ./modules/kde-connect.nix
    ./modules/notetaking.nix
    ./modules/photography.nix
    ./modules/qt.nix
    ./modules/ssh-client.nix
    ./modules/sway.nix
    ./modules/video.nix
    ./modules/vim.nix
    ./modules/waybar.nix
    ./modules/web-browsers.nix
    ./modules/zsh.nix
  ];

  programs.home-manager.enable = true;

  # TODO: already declared in nix.nix file, don't double declare
  nixpkgs.config.allowUnfree = true;

  home = {
    username = "will";
    homeDirectory = "/home/will";
    stateVersion = "22.05";
  };
}
```
[06:10:36] willmckinnon (@willpower3309:matrix.org): I also import home manager into my nixos config with:

```nix
{ pkgs, config, home-manager, impermanence, agenix, ... }:

{
  imports = [
    home-manager.nixosModules.home-manager
  ];

  programs.zsh.enable = true;

  # encrypted inputs; agenix decrypts them at activation time
  age.secrets = {
    hashedWillPassword.file = ../secrets/hashedWillPassword.age;
    hashedRootPassword.file = ../secrets/hashedRootPassword.age;
  };

  users = {
    mutableUsers = false;
    defaultUserShell = pkgs.zsh;

    users = {
      # refer to the decrypted output paths, not the .age files
      root.hashedPasswordFile = config.age.secrets.hashedRootPassword.path;

      will = {
        isNormalUser = true;
        hashedPasswordFile = config.age.secrets.hashedWillPassword.path;
        extraGroups = [ "wheel" "libvirtd" "input" "kvm" "docker" "video" ];
      };
    };
  };

  home-manager = {
    useUserPackages = true;
    extraSpecialArgs = { inherit impermanence; };
    users.will = import ../home;
  };
}
```

[06:11:04] willmckinnon (@willpower3309:matrix.org): ah, I think my issue is that I didn't inherit agenix in line 32 of the last snippet
[06:13:08] willmckinnon (@willpower3309:matrix.org): yup, that was it. Thanks for being my rubber ducky!
[22:51:52] fea (she/they) (@feathecutie:tchncs.de) changed their display name from feathecutie (she/they) to fea (she/they).
17 Oct 2023
[19:17:22] marin (@mar.in:matrix.org) joined the room.
19 Oct 2023
[06:10:58] willmckinnon (@willpower3309:matrix.org): The below snippet is in my host manager config:

```nix
age.secrets.willPrivateKey = {
  file = ../../secrets/willPrivateKey.age;
  path = "/home/will/.ssh/id_ed25519";
  mode = "600";
};
```

However, the path argument doesn't seem to work:

```
❯ pwd
/home/will/.ssh
❯ ls
config  id_ed25519.pub  known_hosts
```

Anyone know what the issue is?
[07:10:22] uep (@uep:matrix.org): I've not used the hm module, so this may be a little off for that context, but in the system context, there are two attrsets where you need to talk about age things:
[07:11:41] uep (@uep:matrix.org):
  • age.secrets.<name>.* where you talk about the encrypted source file as an input
  • config.age.secrets.<name>.* where you talk about where and how it should be decrypted as an output
[07:11:54] uep (@uep:matrix.org): you seem to be mixing bits of them together here
[07:12:57] uep (@uep:matrix.org): file being part of the input set, and path and mode being part of the output set
[07:14:20] uep (@uep:matrix.org): so I have, for one example:

```nix
let
  host = config.networking.hostName;
  prvk = "nix_store_${host}.prv";
in
{
  # input: the encrypted file, one per host
  age.secrets.${prvk}.file = ../secrets/${prvk}.age;

  # output: the decrypted path is referenced from the config, so it is actually emitted
  nix.settings.secret-key-files = config.age.secrets.${prvk}.path;

  # …
}
```

[07:14:39] uep (@uep:matrix.org): for nix store signing keys
[20:40:48] willmckinnon (@willpower3309:matrix.org): I see, I was under the impression from the readme snippet

```nix
{
  age.secrets.monitrc = {
    file = ../secrets/monitrc.age;
    path = "/etc/monitrc";
  };
}
```

that the monitrc file would be decrypted to /etc/monitrc
[20:41:01] willmckinnon (@willpower3309:matrix.org): So I copied this in my config
[20:41:04] willmckinnon (@willpower3309:matrix.org): Is that not the case?
[22:12:47] uep (@uep:matrix.org): Sorry, I shouldn't post when I'm tired. The wording above is confusing and makes things worse. It's not where you set things, it's where they get pulled into the system.

What I mean is, you need to refer to the result in config.*.path as part of your configuration, otherwise laziness means it's not actually emitted.

[22:38:12] uep (@uep:matrix.org) (edited message): Sorry, I shouldn't post when I'm tired. The wording above is confusing and makes things worse. It's not where you set things, it's where they get pulled into the system.

What I mean is, you need to refer to the result in config.*.path as part of your configuration, otherwise laziness means it's not actually emitted, maybe

[23:22:57] ryantm (@ryantm:matrix.org): willmckinnon: what output do you see when agenix decryption runs?
20 Oct 2023
[01:00:40] willmckinnon (@willpower3309:matrix.org):

```
activating the configuration...
[agenix] creating new generation in /run/agenix.d/2
[agenix] decrypting secrets...
decrypting '/nix/store/v8xizlamwqsnxq2r2730f7pw2m7xd3j4-desktopSyncthingCert.age' to '/run/agenix.d/2/desktopSyncthingCert'...
decrypting '/nix/store/xgv9sn1qkqh203b519a7vkmhw28yfg01-desktopSyncthingKey.age' to '/run/agenix.d/2/desktopSyncthingKey'...
decrypting '/nix/store/0gz2plhs9bn7425hpis01km8phamsglf-hashedRootPassword.age' to '/run/agenix.d/2/hashedRootPassword'...
decrypting '/nix/store/qlhmfn40hwj2x3di4ri6agwr88hjypxa-hashedWillPassword.age' to '/run/agenix.d/2/hashedWillPassword'...

[agenix] symlinking new secrets to /run/agenix (generation 2)...
[agenix] removing old secrets (generation 1)...
[agenix] chowning...
setting up /etc...
reloading user units for will...
setting up tmpfiles
```