| 26 Oct 2023 |
Charles ⚡️ | In reply to @charles:computer.surgery I wonder if this would be worth upstreaming in some capacity? Maybe with some more configurability, since the secrets directory is a little hardcoded In particular I mean the little NixOS module in flake.nix and the mkSecret and mkSecrets functions (mainly the latter, the former is mostly just implementation details) in secrets.nix | 09:06:09 |
| 27 Oct 2023 |
| 29 Oct 2023 |
Charles ⚡️ | I stripped out the library functions to a standalone file so it's easier to steal:
- https://or.computer.surgery/charles/servy-fleet/-/blob/60273f09fe0853a8d42ace9287878d4bbe08fae1/lib/secrets.nix
Here's how I use it:
- https://or.computer.surgery/charles/servy-fleet/-/blob/60273f09fe0853a8d42ace9287878d4bbe08fae1/flake.nix#L77-78
- https://or.computer.surgery/charles/servy-fleet/-/blob/60273f09fe0853a8d42ace9287878d4bbe08fae1/secrets.nix
| 04:07:43 |
Charles ⚡️ | why does this happen?
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file'
/nix/store/5figp7jxkcwhw790j79p64533vl2d7pb-source/secrets/garage/rpc.age
$ git checkout HEAD^
$ nix eval '.#nixosConfigurations.blue.config.age.secrets."garage/rpc".file'
/nix/store/5p5zlykmcrbmyhik4xgxilng1h3xcqan-source/secrets/garage/rpc.age
the hashes are different but the contents of the file are the same
| 04:37:33 |
Charles ⚡️ | the goal is to have a systemd restartTriggers for a service that uses an agenix secret, and this does work, but it restarts every time instead of just when it changes | 04:38:43 |
Charles ⚡️ | maybe I should builtins.readFile it so the restartTriggers just has the ciphertext? | 04:39:39 |
Charles ⚡️ | no that doesn't work because the contents can't be a nix string | 04:42:07 |
Charles ⚡️ | builtins.hashFileing it worked | 04:49:19 |
| 31 Oct 2023 |
peter-lustig | If I have two hosts, a laptop and a personal computer, that should be able to do remote deployments to a server, how should the top section of this secrets.nix file look? I do the deployments with nixos-rebuild --target-host, and I am a bit confused about how I would achieve this:
let
server = "";
in
{
"hedgedoc-environment-file.age".publicKeys = [ server ];
"discord-bot-token.age".publicKeys = [ server ];
}
| 09:15:32 |
K900 ⚡️ | The server's SSH host key | 09:20:56 |
peter-lustig | In reply to @k900:0upti.me The server's SSH host key just the public key of the server? | 09:23:36 |
K900 ⚡️ | Yes | 09:23:44 |
peter-lustig | but if I want to do remote deployments, do I not need the public keys of the machines as well? | 09:24:09 |
peter-lustig | laptop and pc | 09:24:12 |
K900 ⚡️ | No | 09:24:19 |
K900 ⚡️ | Well | 09:24:21 |
K900 ⚡️ | It depends on whether you want to edit those files in the future | 09:24:31 |
peter-lustig | In reply to @k900:0upti.me It depends on whether you want to edit those files in the future I guess I would just ssh onto the server and then do the agenix -e stuff | 09:24:51 |