| 28 Mar 2023 |
ryantm | Hallucinations | 18:56:22 |
qverkk | yeah that's what I thought, couldn't find anything about this on github XD | 18:57:54 |
qverkk | altho it would be nice to use an existing keepassxc db for nixos secrets | 18:58:20 |
raphi | chatgpt output is wrong unless proven otherwise | 19:01:10 |
| 29 Mar 2023 |
jeroen | does anyone have a hint as to why my agenix does not decrypt secrets at boot, but works fine after a rebuild switch? | 16:39:16 |
cole-h | Hard to tell without logs but sounds like a secret path may not be available at boot | 16:41:46 |
jeroen | what kind of logs would I need to look at? I still have the system at fresh boot state, so /run/agenix is empty | 16:42:34 |
cole-h | The activation logs should be in dmesg / journalctl -k somewhere | 16:43:05 |
jeroen | age secret files are under /etc/nixos so should be available | 16:43:28 |
jeroen | hmm, I think it's cause the system has its ssh keys somewhere else | 16:44:22 |
cole-h | There's an option for that IIRC. | 16:46:02 |
jeroen | the ssh host keys are on a persistent zfs volume which is not yet available at decrypt time ...
[agenix] WARNING: config.age.identityPaths entry /persist/system/etc/ssh/ssh_host_ed25519_key not present!
| 16:46:11 |
jeroen | * the ssh host keys are on a persistent zfs volume filesystem which is not yet available at decrypt time ...
[agenix] WARNING: config.age.identityPaths entry /persist/system/etc/ssh/ssh_host_ed25519_key not present!
| 16:47:44 |
cole-h | Might be able to get it to work by marking that fs as neededForBoot (a NixOS option) | 16:48:37 |
jeroen | tnx, I'll give that a go | 16:54:56 |
| 30 Mar 2023 |
jeroen | that actually fixed it | 15:19:08 |
| 31 Mar 2023 |
| j0 joined the room. | 18:42:05 |
| 5 Apr 2023 |
| craige joined the room. | 00:04:43 |
| * craige waves | 00:06:14 |
craige | Is anyone able to clarify the context of, for example user1 in the tutorial?
https://github.com/ryantm/agenix#tutorial
Are those intended to be on a remote host user (for decryption) or a local user for key management?
I think it's the latter but I just wanted that clarified.
Thanks 🙂
| 00:09:14 |
ryantm | User1 is intended to be the user who is encrypting secrets locally and then remotely deploying them. | 00:13:34 |
ryantm | To system1 and system2 | 00:13:56 |
craige | Excellent. Thanks Ryan 🙂 | 00:14:14 |
| 10 Apr 2023 |
| KaijuBacon joined the room. | 07:24:54 |
| digital (fav:she/they) joined the room. | 20:40:48 |
| 11 Apr 2023 |
jeroen | Is there any best practice on how to use agenix combined with nixos containers? (the systemd based one) | 08:06:34 |
jeroen | bind mounts sound out of the question, as that would expose all system secrets to the container | 08:07:48 |
uep | I'm going to state an assumption: if you put the agenix bits for secret handling in the config of the container, to use the secrets as part of the config for some service within the container, then it should just work as intended: those secrets will be decrypted in the context of the container by its systemd units etc. | 09:22:59 |
uep | it would be a separate host with a separate key that would need to exist, etc. | 09:23:40 |
jeroen | that sounds logical | 14:14:00 |