| 23 Oct 2023 |
 marin | In reply to @gigahawk:matrix.org
for now I have the server exposing an SMB network share and I've just been transferring the encrypted secrets that way, but it's a little janky in any case I believe you'll need nixos running on that server in order to have secrets decrypted by agenix on boot | 15:11:54 |
 gigahawk | Yea it's just annoying to have to ssh into it to create the secret, paste in the actual secret from my host, then transfer the files back to the host to commit to the repo | 15:29:48 |
| gigahawk | Easier to just create everything from the host and then pull it on the server side | 15:30:19 |
 willmckinnon | In reply to @gigahawk:matrix.org
Easier to just create everything from the host and then pull it on the server side Have you looked into deploy-rs? | 15:55:17 |
| gigahawk | Yea I'm aware of the various deployment tools, but my setup isn't really that complicated and for now I still prefer just running nixos-rebuild on the machine I'm working on | 15:59:06 |
| 25 Oct 2023 |
|  Federico Damián Schonborn changed their profile picture. | 00:13:16 |
| 26 Oct 2023 |
 jeroen | Question about agenix's homeManager module... does it work when there's a password on the key?
I am getting an error 'No matching keys found' in the launchd logging, even though I am able to edit the .age file using the supplied key from age.identityPaths | 08:02:14 |
 K900 ⚡️ | No, how would it work then | 08:27:54 |
 Charles ⚡️ | I finally switched to agenix today yesterday, I wrote a bunch of nix around it to automate setting all the age.secrets.<name>.files and I'm pretty happy with it: https://or.computer.surgery/charles/servy-fleet/-/commit/b01fc595fcf956fe462d2b57beaa0670a6163482 | 09:01:31 |
| Charles ⚡️ | I wonder if this would be worth upstreaming? Maybe with some more configurability, since the secrets is a little hardcoded | 09:02:26 |
| Charles ⚡️ | * I wonder if this would be worth upstreaming in some capacity? Maybe with some more configurability, since the
secrets is a little hardcoded | 09:02:38 |
| Charles ⚡️ | * I wonder if this would be worth upstreaming in some capacity? Maybe with some more configurability, since the `secrets` directory is a little hardcoded | 09:02:56 |
| Charles ⚡️ | The only thing I miss is having an agent to avoid giving my password every time, which gets really bad when rekeying | 09:03:49 |
| Charles ⚡️ | In reply to @charles:computer.surgery
I wonder if this would be worth upstreaming in some capacity? Maybe with some more configurability, since the secrets directory is a little hardcoded In particular I mean the little NixOS module in flake.nix and the mkSecret and mkSecrets functions (mainly the latter, the former is mostly just implementation details) in secrets.nix | 09:06:09 |
| 27 Oct 2023 |
| Federico Damián Schonborn changed their profile picture. | 01:24:47 |
| 29 Oct 2023 |
| Charles ⚡️ | I stripped out the library functions to a standalone file so it's easier to steal:
- https://or.computer.surgery/charles/servy-fleet/-/blob/60273f09fe0853a8d42ace9287878d4bbe08fae1/lib/secrets.nix
Here's how I use it:
- https://or.computer.surgery/charles/servy-fleet/-/blob/60273f09fe0853a8d42ace9287878d4bbe08fae1/flake.nix#L77-78
- https://or.computer.surgery/charles/servy-fleet/-/blob/60273f09fe0853a8d42ace9287878d4bbe08fae1/secrets.nix
| 04:07:43 |
| Charles ⚡️ | why does this happen?
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file' /nix/store/5figp7jxkcwhw790j79p64533vl2d7pb-source/secrets/garage/rpc.age
$ git checkout HEAD^
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file' /nix/store/5p5zlykmcrbmyhik4xgxilng1h3xcqan-source/secrets/garage/rpc.age
the hashes are different but the contents of the file are the same
| 04:37:03 |
| Charles ⚡️ | * why does this happen?
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file'
/nix/store/5figp7jxkcwhw790j79p64533vl2d7pb-source/secrets/garage/rpc.age
$ git checkout HEAD^
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file'
/nix/store/5p5zlykmcrbmyhik4xgxilng1h3xcqan-source/secrets/garage/rpc.age
the hashes are different but the contents of the file are the same
| 04:37:33 |
| Charles ⚡️ | the goal is to have a systemd restartTriggers for a service that uses an agenix secret, and this does work, but it restarts every time instead of just when it changes | 04:38:43 |
| Charles ⚡️ | maybe i should builtins.readFile it so the restartTriggers just has the ciphertext? | 04:39:39 |
| Charles ⚡️ | no that doesn't work because the contents can't be a nix string | 04:42:07 |
| Charles ⚡️ | builtins.hashFileing it worked | 04:49:19 |
|  jacekpoz | 11:13:09 |
| jacekpoz | 11:13:14 |
| jacekpoz | 11:58:31 |
| jacekpoz | 11:58:40 |
| jacekpoz | 13:45:23 |
| jacekpoz | 13:45:31 |
| jacekpoz | 17:43:51 |
| jacekpoz | 17:43:59 |
