lis comfytea lesbianthoughts @lis@mk.catgirlsfor.science
4mo
let's try deploying the SSH host key declaratively so that we can decrypt the host key with the host key that we haven't decrypted yet
– lis, since yesterday blobcat_flop_woozy
lis comfytea lesbianthoughts @lis@mk.catgirlsfor.science
4mo
a lot of time wasted on realising sops-nix is not in fact a magic tool that can supply data at build time without introducing impurity
lis comfytea lesbianthoughts @lis@mk.catgirlsfor.science
4mo
but hey that's how you learn blobcatgooglyshrug
lis comfytea lesbianthoughts @lis@mk.catgirlsfor.science
4mo
so i suppose it's impossible to pre-generate any secret that nix has to touch, and therefore it's impossible to create a system that uses secrets purely from a nix expression

because anything nix has to touch must be considered public knowledge (as in, ends up in at least one world-readable nix store or can be recreated from there)

therefore, there is no safe way nix would be able to access any of the secrets you define in sops, they're black boxes shipped to the target host and only encrypted there

strictly speaking, you could pass secrets with --arg/--argstr, or you could use --impure and just read environment variables or arbitrary files, and sops even has exec-env and exec-file subcommands to do just that, but even then i'm pretty sure everything you pass this way ends up in some .drv

which means the target host has to have some state that can't be managed with nix; at the very least the recipient key
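What the arrangement lis describes looks like in practice, as an added example that is not code from the thread: the encrypted sops file is the only thing nix ever touches (so it can live in the world-readable store), and the host's pre-existing SSH key is the single piece of unmanaged state that lets the target decrypt at activation time. The hostname, secret name, file paths and the wireguard consumer are assumptions made up for the illustration; the option names are sops-nix's own.

```nix
# configuration.nix (excerpt). Added example, not from the thread.
# Assumes the sops-nix NixOS module is already imported.
#
# Recipient setup, done once per host, out of band:
#   ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub   # prints age1... for this host
# and in .sops.yaml (hypothetical path / recipient):
#   creation_rules:
#     - path_regex: secrets/web01\.yaml$
#       age: age1<recipient derived from the host key above>
# The host key has to exist on the machine before anything can be
# encrypted *to* it, which is why it cannot itself be shipped via sops.
{ config, pkgs, ... }:
{
  # Ciphertext only. This file is copied into /nix/store, which is fine:
  # without the host's private key it is just an opaque blob.
  sops.defaultSopsFile = ./secrets/web01.yaml;

  # The one piece of state nix does not manage. sshd generates it on first
  # boot (or it is provisioned out of band); it never enters the store.
  # sops-nix derives an age identity from it when the system activates.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Decrypted at activation into /run/secrets/<name> (tmpfs, not the store).
  sops.secrets."wireguard/private-key" = {
    owner = "root";
    mode = "0400";
  };

  # Consumers get the runtime *path*. The derivation therefore contains the
  # string "/run/secrets/wireguard/private-key", never the key material.
  networking.wireguard.interfaces.wg0.privateKeyFile =
    config.sops.secrets."wireguard/private-key".path;

  # The anti-pattern the thread warns about, for contrast (do not do this):
  # reading plaintext at eval time turns it into a world-readable store path,
  # and the same happens with --impure + builtins.getEnv or --argstr.
  #
  # networking.wireguard.interfaces.wg0.privateKeyFile =
  #   pkgs.writeText "wg-key" (builtins.readFile ./plain-wg-key);
}
```

The check that a practitioner wants afterwards is cheap: `nix-store --query --requisites /run/current-system | xargs grep -l <a few bytes of the secret>` should find nothing, while `ls -l /run/secrets/` shows the decrypted file with the owner and mode set above.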
flori_ava_star:~cursor_blinking made-with-estrogen verifiedlesbian @star@amazonawaws.com
4mo
@lis youuuuu give the secret to me and I won't tell neocat_shy neocat_shy neocat_shy
lis comfytea lesbianthoughts @lis@mk.catgirlsfor.science
4mo
@star i'll just have the machines call you via signal and scream at you like an old modem whenever they need the secret nkothinksmart
flori_ava_star:~cursor_blinking made-with-estrogen verifiedlesbian @star@amazonawaws.com
4mo
@lis Yes thank you, that'll be plenty terrifying neocat_up__w_