| 21 Aug 2021 |
matthewcroughan - nix.zone | and the network administrator is a BOFH | 03:00:54 |
6aa4fd | do they just use Mac based firewalling? | 03:01:01 |
matthewcroughan - nix.zone | Not sure about the firewall details, it's a free for all. | 03:01:18 |
matthewcroughan - nix.zone | https://youtu.be/GE94BJg3U1Q | 03:01:26 |
matthewcroughan - nix.zone | This video should explain it. | 03:01:28 |
6aa4fd | In reply to @matthewcroughan:defenestrate.it Not sure about the firewall details, it's a free for all. time to get ya shit out brotha | 03:06:05 |
matthewcroughan - nix.zone | I'm not that paranoid really. | 03:06:16 |
6aa4fd | anyways good luck with the tunnel, ping me if it hisses | 03:06:37 |
matthewcroughan - nix.zone | A NixOS machine is a pretty good and secure internet facing base. | 03:06:39 |
6aa4fd | sure unless they get any user with read access | 03:07:00 |
matthewcroughan - nix.zone | Only two users on the machine. Me and the other Administrator. | 03:07:31 |
6aa4fd | until we have granular store permissions it's pretty dicey as production | 03:07:37 |
matthewcroughan - nix.zone | Two users with a shell, and ssh access, ssh keys only. | 03:07:47 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de until we have granular store permissions it's pretty dicey as production How do you figure? What does the store have to do with it? | 03:08:08 |
matthewcroughan - nix.zone | Nothing sensitive is in the nix store. | 03:08:19 |
6aa4fd | yeah well if you don't expose anything but ssh, back ports are the only thing that matters, it's not exactly a competitive field | 03:08:26 |
6aa4fd | well sure but a shit load of services you configure with the nix store do have write-sensitive information in the store | 03:09:10 |
6aa4fd | so not actually true, though it would be nice | 03:09:28 |
matthewcroughan - nix.zone | The nix store is not world writable. | 03:09:29 |
6aa4fd | read-sensitive, sorry | 03:09:40 |
matthewcroughan - nix.zone | I disagree, what are you thinking of? | 03:09:51 |
matthewcroughan - nix.zone | I mean, you can put it there yourself, but you'd be mad to. | 03:10:00 |
6aa4fd | so do you use environment variables instead | 03:10:18 |
matthewcroughan - nix.zone | I use agenix which stores secrets encrypted in the store. | 03:10:36 |
matthewcroughan - nix.zone | https://github.com/MatthewCroughan/nixcfg/commit/add19ff13691d39b0da7f1601f1d3299a05d986f | 03:10:57 |
matthewcroughan - nix.zone | example of some usage | 03:10:59 |
matthewcroughan - nix.zone | https://github.com/MatthewCroughan/nixcfg/commit/2d0b2a11a9bfd3a2d831fd13715c1bb16e191ef7 | 03:11:10 |
matthewcroughan - nix.zone | a second example of some usage | 03:11:13 |
6aa4fd | okay, maybe nix-sops or this will save the day | 03:11:50 |
matthewcroughan - nix.zone | The secrets are then decrypted in the activation script, to /run/secrets with the correct permissions | 03:11:52 |