| 19 Dec 2025 |
hexa | yes, lib.types.port | 02:49:24 |
hexa | for secrets either lib.types.str, because paths could leak into the store, which is world-readable | 02:49:50 |
hexa | alternatively lib.types.pathWith { inStore = false; } | 02:50:07 |
hexa | but that might make it hard to test | 02:50:11 |
hexa | escapeShellArgs makes sense when there is user input that needs escaping | 02:51:18 |
hexa | there is also utils.escapeSystemdExecArgs, which is more suited to systemd units | 02:51:35 |
zsuper | okay, I have the raw secret option as str, but you're saying make the secretFile option also just a str? | 02:51:36 |
hexa | the nixos config being built might also end up in the nix store, so plain text secret string options are also a bad idea | 02:52:27 |
hexa | I would also recommend to construct ExecStart from a list for proper tokenization | 02:52:47 |
hexa | so escapeShellArgs or escapeSystemdExecArgs, the plural versions | 02:53:00 |
hexa | literalExpression gets used in e.g. defaultText or exampleText to render the string as nix code without evaluating it | 02:53:37 |
hexa | it gets rendered in place of the actual default or example value | 02:53:49 |
hexa | which might be a reference to something else | 02:54:06 |
zsuper | regarding this, my plan is to create a raw secret option as well as a secretFile option (where the latter takes precedence), just to keep options open for users. But I'll use a regular str for both to avoid secret paths getting copied to the store. | 02:57:58 |
hexa | the raw secret string option is a bad idea | 02:58:32 |
zsuper | but it's fine if used with sopsnix right? | 02:58:59 |
hexa | they pass files | 02:59:24 |
hexa | not strings | 02:59:25 |
zsuper | I have not yet set up/learned how sopsnix works, so I am unsure tbh | 02:59:31 |
hexa | agenix/sopsnix encrypt and pass files | 02:59:42 |
zsuper | i see, okay thanks | 02:59:57 |
zsuper | then I'll re-evaluate how I go about this. but thanks for the advice regardless! | 03:00:17 |
zsuper | okay, I've been working on the PR for the nixos/bore module, but I'm at a bit of a roadblock when it comes to nixos tests. Since bore local requires a connection to a remote proxy server (i.e. "bore.pub"), should the nixos tests really be connecting to it to verify functionality? Rather, how does networking work with the test suite? Or should I only run tests for the server variant, which simply needs to check if it can listen on 0.0.0.0:<specified port>? | 20:59:24 |
zsuper | actually I think I might be able to set up a server and a local proxy on the same machine that just interact with each other | 21:14:52 |
| 20 Dec 2025 |
zsuper | if anyone has free time, could you skim over this PR and see if things look fine? https://github.com/NixOS/nixpkgs/pull/472353
I'm hoping to ask some non-reviewers before I post in the Nixpkgs Review Requests channel, just so I can minimize the number of cycles I approach reviewers, who might be busy. Thanks in advance! | 02:39:10 |