| 29 Dec 2025 |
 ed209 | * I'm trying to run agenix with age-tpm (again) and it doesn't seem to decrypt secrets on reboot. they do decrypt on nixos-rebuild switch | 17:31:15 |
| ed209 | a ha:
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] creating new generation in /run/agenix.d/1
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] decrypting secrets...
Dec 29 13:14:58 sachiel-vm stage-2-init: decrypting '/nix/store/9p0wfsrivi2b198dai1kdv3s31kfiicy-source/password.age' to '/run/agenix.d/1/password'...
Dec 29 13:14:58 sachiel-vm stage-2-init: chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] symlinking new secrets to /run/agenix (generation 1)...
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixInstall' failed (1)
Dec 29 13:14:58 sachiel-vm stage-2-init: warning: password file ‘/run/agenix/password’ does not exist
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] chowning...
Dec 29 13:14:58 sachiel-vm stage-2-init: chown: cannot access '/run/agenix.d/1/password': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixChown' failed (1)
| 18:16:50 |
| ed209 | maybe the TPM isn't available this early in boot? | 18:18:31 |
| ed209 | cause /run/current-system/activate works | 18:38:12 |
| ed209 | boot.initrd.availableKernelModules = ["tpm_crb" "tpm_tis"]; did the trick! | 18:51:22 |
| 30 Dec 2025 |
|  ladams joined the room. | 14:47:18 |
|  andromeda joined the room. | 17:10:28 |
| andromeda | I already put this in #impermanence:nixos.org ftr. is there an elegant solution to the sort of 'conflict' between Agenix and Impermanence? That being, Agenix uses the host keys in /etc/ssh before Impermanence fetches the persistant directory /etc/ssh. This leads Agenix to fail. The solution I've found is not pretty; it mounts /nix/persist (my persistant directory) to /btrfs_tmp/root/nix before copying /btrfs_tmp/root/nix/persist/etc/ssh to /btrfs_tmp/root/etc/ssh. This arrangement is showcased in https://git.mtgmonkey.net/Andromeda/conf/src/commit/0468cf2621e8ef812f774bbf2eed396b4c0d4602 in machines/lenovo and is what I am currently using. | 17:12:48 |
|  jappie changed their display name from jasper @ 39c3 ☎️ 62749 to jasper. | 23:38:40 |
| jappie | 23:40:10 |
| 31 Dec 2025 |
| ed209 | In reply to @andromeda:tchncs.de
I already put this in #impermanence:nixos.org ftr. is there an elegant solution to the sort of 'conflict' between Agenix and Impermanence? That being, Agenix uses the host keys in /etc/ssh before Impermanence fetches the persistant directory /etc/ssh. This leads Agenix to fail. The solution I've found is not pretty; it mounts /nix/persist (my persistant directory) to /btrfs_tmp/root/nix before copying /btrfs_tmp/root/nix/persist/etc/ssh to /btrfs_tmp/root/etc/ssh. This arrangement is showcased in https://git.mtgmonkey.net/Andromeda/conf/src/commit/0468cf2621e8ef812f774bbf2eed396b4c0d4602 in machines/lenovo and is what I am currently using. why not just
age.identityPaths = [
"/persist/etc/ssh/ssh_host_ed25519_key"
]
full disclosure i haven't yet tried this | 17:01:08 |
|  odilf joined the room. | 18:15:00 |
| ed209 | okay, i just did this and it does work! | 18:27:02 |
| ed209 | what I can't figure out is how to make sure my user pw gets set at install time... I guess you kind of can't | 18:33:35 |
 K900 | You probably want to just use hashedPassword | 18:37:48 |
| ed209 | In reply to @k900:0upti.me
You probably want to just use hashedPassword I'm using hashedPasswordFile = config.age.secrets.password.path; is that not right | 19:00:24 |
| ed209 | oh I guess you mean for a totally unencrypted hash. | 19:17:52 |
 hexa | encrypting a hash feels a bit redundant 🤔 | 19:35:05 |
| ed209 | In reply to @hexa:lossy.network
encrypting a hash feels a bit redundant 🤔 worried about future attacks against the hash. but i can put it in my private flake only and its prob fine | 20:00:38 |
| hexa | if they build on the same primitive then that's not much help | 20:06:09 |
| hexa | though age supports pq things since very recently | 20:06:25 |
| ed209 | In reply to @hexa:lossy.network
if they build on the same primitive then that's not much help issue is my config is public | 20:36:32 |
| ed209 | but thats resolvable | 20:37:33 |
| 1 Jan 2026 |
|  debtquity joined the room. | 21:01:40 |
| 2 Jan 2026 |
|  findus joined the room. | 14:57:52 |
| 3 Jan 2026 |
| findus | Hi, I tried agenix together with nix-generate for proxmox images and I still need to do one rebuild-switch after deploying the resulting images to have the secret mount present. Is there a trick to have them available on first boot? | 08:12:47 |
| findus | * Hi, I tried agenix together with nix-generate for proxmox images and I still need to do one rebuild-switch after deploying the resulting image to have the secret mount present. Is there a trick to have them available on first boot? | 08:12:58 |
| ed209 | In reply to @Findus:stratum0.org
Hi, I tried agenix together with nix-generate for proxmox images and I still need to do one rebuild-switch after deploying the resulting images to have the secret mount present. Is there a trick to have them available on first boot? I've run into the same issue (not proxmox but generating qcow2). I couldn't find a workaround | 13:42:23 |
| 4 Jan 2026 |
| jappie changed their display name from jasper to jappie. | 10:59:43 |
| 8 Jan 2026 |
|  pltrz set a profile picture. | 23:50:06 |
