| 10 Mar 2023 |
peter-lustig | Hello. How could I represent the following secrets for firefox-syncserver with agenix?
secrets = builtins.toFile "sync-secrets" ''
SYNC_MASTER_SECRET=this-secret-is-actually-leaked-to-/nix/store
'';
Do I just write SYNC_MASTER_SECRET=something in the agenix file?
| 21:39:41 |
peter-lustig | * Hello. How could I represent the following secrets for firefox-syncserver with agenix?
secrets = builtins.toFile "sync-secrets" ''
SYNC_MASTER_SECRET=this-secret-is-actually-leaked-to-/nix/store
'';
Do I just write SYNC_MASTER_SECRET=something in the .age file?
| 21:40:02 |
cole-h | If firefox-syncserver accepts a path to a file with that, yeah that would work. | 21:41:30 |
cole-h | * If firefox-syncserver accepts a path to a file with those contents, yeah that would work. | 21:41:36 |
peter-lustig | In reply to @cole-h:matrix.org If firefox-syncserver accepts a path to a file with those contents, yeah that would work. Looks like it takes a path:
Description
A file containing the various secrets. Should be in the format expected by systemd’s EnvironmentFile directory. Two secrets are currently available: SYNC_MASTER_SECRET and SYNC_TOKENSERVER__FXA_METRICS_HASH_SECRET.
Type
path
| 21:42:31 |
cole-h | Then yeah, that should work. Just point it to config.age.secrets.<firefox-syncserver-server>.path | 21:44:48 |
peter-lustig | In reply to @cole-h:matrix.org Then yeah, that should work. Just point it to config.age.secrets.<firefox-syncserver-server>.path This should work, right?
secrets = builtins.toFile "sync-secrets" config.age.secrets.mainserver-firefox-syncserver-secrets.age;
Modified the example config in the manual:
https://nixos.org/manual/nixos/unstable/index.html#module-services-firefox-syncserver-quickstart
| 21:46:05 |
cole-h | errr not exactly | 21:46:16 |
cole-h | Drop the builtins.toFile "sync-secrets" | 21:46:29 |
peter-lustig | oh yeah, I just saw | 21:46:40 |
cole-h | Otherwise you're creating a file named sync-secrets with the contents being the path to that secret file | 21:46:59 |
cole-h | And also .age at the end should probably be .path | 21:47:25 |
peter-lustig | yep | 21:47:59 |
peter-lustig | What I wonder is what I need the SYNC_MASTER_SECRET for. Literally cannot find any explanation. | 21:48:22 |
cole-h | https://github.com/mozilla-services/syncstorage-rs/blob/f416d8a8c44c4c294f9403b40f136bda85bdd709/docs/config.md?plain=1#L13 | 21:51:38 |
cole-h | Looks like it's just something the sync server uses | 21:51:50 |
peter-lustig | Oh, I thought I needed a 256-bit random key | 21:52:35 |
cole-h | That would probably be more secure | 21:53:12 |
peter-lustig | In reply to @cole-h:matrix.org That would probably be more secure So all I need in the .age file is SYNC_MASTER_SECRET=something? | 21:57:45 |
cole-h | In its decrypted contents; that's what I would believe. | 21:58:08 |
peter-lustig | let's see if this works | 22:00:47 |
peter-lustig | It seems like everything worked perfectly fine :) | 22:13:09 |
peter-lustig | I assume the Master Secret is so only the server with that secret on it can use the syncserver | 22:22:37 |
| 11 Mar 2023 |
peter-lustig | I am generating a private key for wireguard with the following command: wg genkey > ~/wireguard-keys/private. I want to put the output of that command in an encrypted age file. How would I do that? | 14:17:17 |
ryantm | peter-lustig: agenix supports piping clear text to a secret now! | 14:35:50 |
peter-lustig | In reply to @ryantm:matrix.org peter-lustig: agenix supports piping clear text to a secret now! how? | 14:39:17 |
ryantm | peter-lustig: wg genkey | agenix -e secret name.age | 15:36:30 |
ryantm | * peter-lustig: wg genkey | agenix -e secret_name.age | 15:36:56 |
| 12 Mar 2023 |
peter-lustig | ryantm: after setting my user and root password with agenix (followed the docs) and setting mutableUsers = false in my nixos configuration, for some reason the passwords in the agenix file do not work to login. Any idea? | 10:03:01 |
peter-lustig | nevermind fixed problem | 13:47:05 |