
pipe (generated) key to agenix

Open edrex opened this issue 3 years ago • 5 comments

I just got agenix set up today. Yay!

I'd like to be able to generate machine keys without a lot of manual steps. It's a small, useful thing and I'd be happy to submit an impl if we can settle on a spec.

Rather than integrating a particular password gen, how about adding support for taking the cleartext from stdin?

Either overload the existing -e mode:

cat /dev/urandom | head -c 128 | agenix -e mysecret.age

or add a new mode like -i

wdyt?

edrex, Apr 08 '21 06:04

@edrex, this seems good and would also support the #9 use case. It doesn't seem like it needs a new flag, and it should be allowed even if you cannot decrypt mysecret.age, I think.

Note we may switch to this Rust implementation for the agenix CLI https://github.com/ryantm/agenix/issues/23 so cc @cole-h

ryantm, May 13 '21 03:05

been afk for a bit, will pick this up (and catch up on Rust CLI status) when I get back to personal infra+Nix work

edrex, Jun 07 '21 19:06

FWIW, I've added support for reading initial contents from stdin in https://github.com/cole-h/agenix-cli/commit/124ddbd7b93fe02e59dec622f8085d41217c71b5. cat /dev/urandom | head -c 128 | agenix [filename] -s will create [filename] with the data read from /dev/urandom.

cole-h, Jun 08 '21 00:06

Recently, ragenix also introduced support for reading from stdin for both non-existing and existing secret files. Instead of adding a new command line option, we decided to use EDITOR=-/--editor -:

cat /dev/urandom | head -c 128 | ragenix --editor "-" -e mysecret.age

veehaitch, Sep 25 '21 17:09

FWIW, I'm using the following hackaround to make this possible with vanilla agenix:

some_cmd | EDITOR='cp /dev/stdin' agenix -e secret.age

whentze, May 05 '22 13:05
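
An added example, not part of the thread and not agenix code: why the `EDITOR='cp /dev/stdin'` workaround above works. It assumes the tool runs `$EDITOR <tempfile>` on a cleartext temp file before encrypting; `edit_secret` is a hypothetical stand-in for that step, and the encryption itself is replaced by a plain copy so the script runs without age or agenix installed.

```sh
#!/bin/sh
# Hypothetical stand-in for the edit step of an agenix-like tool:
# create a private temp file, run $EDITOR on it, then "encrypt" the result.
edit_secret() {
    out=$1
    tmp=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    # $EDITOR is deliberately unquoted so that 'cp /dev/stdin' splits into a
    # command plus its first argument; the temp path becomes the destination.
    ${EDITOR:-vi} "$tmp" || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then           # nothing was piped in: refuse to
        rm -f "$tmp"                   # store an empty secret
        return 1
    fi
    cp "$tmp" "$out"                   # placeholder for the real encryption step
    rm -f "$tmp"                       # do not leave cleartext behind
}

# Pipe 128 generated bytes through the stand-in, as in the thread's one-liners,
# and report how many bytes arrived in the output file.
demo() {
    dir=$(mktemp -d) || return 1
    head -c 128 /dev/urandom | EDITOR='cp /dev/stdin' edit_secret "$dir/secret.out"
    wc -c < "$dir/secret.out" | tr -d ' '
    rm -rf "$dir"
}

demo   # prints 128
```

The "editor" inherits the pipeline's stdin, so the generated bytes land in the temp file without ever appearing on a command line or in shell history.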