| 23 Nov 2025 |
K900 | And activation generally runs before everything else. | 23:14:17 |
K900 | So it doesn't really matter in practice. | 23:14:27 |
K900 | I feel like a better question is, what are you trying to do where this difference matters? | 23:15:25 |
Alexandros Liarokapis | The reason I am asking is because I am writing a small Bitwarden secret manager module which would fetch secrets through a network call, so I want some way to store the secrets in case the network is not available, and I am thinking about whether or not keeping them encrypted at rest gives any security advantage. I can see this being the case if a TPM is used to store the key, for example, but not for normal ssh keys. | 23:15:21 |
Alexandros Liarokapis | The idea is you add the machine-scoped/project-scoped/secret-scoped BWS key at /var/lib/bws/auth or similar. The rest of the interface is pretty much the same as agenix minus the age/ssh-specific configs and using .id instead of .file. And I am kind of split between keeping the secrets at /var/lib/bws/secrets unencrypted but with proper permissions, or encrypting with some identity key as agenix does and decrypting on startup to /run/secrets, but I don't think the latter gives any security advantage in practice. I /could/ use a TPM, however, which would give some protection against stolen disk contents. | 23:19:08 |
| 27 Dec 2025 |
gabyx | Hi all, I was wondering if it's possible for agenix to reference a symlink like:
{
age.secrets.monitrc.file = ../secrets/monitrc.age; # <<- this is a symlink to another file somewhere else (submodule) in the repository
}
Apparently the above does not work so far. I wanted to separate out some secrets into private submodules.
| 22:36:57 |
hexa | https://github.com/FiloSottile/age/releases/tag/v1.3.0 | 22:37:11 |
Defelo | In reply to @hexa:lossy.network https://github.com/FiloSottile/age/releases/tag/v1.3.0 https://github.com/NixOS/nixpkgs/pull/474666 | 23:58:31 |
| 28 Dec 2025 |
gabyx | Reviewed it, looks nice. | 00:11:29 |
Defelo | (updated to 1.3.1 and removed the version patch) | 12:46:40 |
| 29 Dec 2025 |
ed209 | I'm trying to run agenix with age-tpm (again) and it doesn't seem to decrypt secrets on reboot. They do decrypt on nixos-rebuild switch. | 17:30:55 |
ed209 | Aha:
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] creating new generation in /run/agenix.d/1
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] decrypting secrets...
Dec 29 13:14:58 sachiel-vm stage-2-init: decrypting '/nix/store/9p0wfsrivi2b198dai1kdv3s31kfiicy-source/password.age' to '/run/agenix.d/1/password'...
Dec 29 13:14:58 sachiel-vm stage-2-init: chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] symlinking new secrets to /run/agenix (generation 1)...
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixInstall' failed (1)
Dec 29 13:14:58 sachiel-vm stage-2-init: warning: password file ‘/run/agenix/password’ does not exist
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] chowning...
Dec 29 13:14:58 sachiel-vm stage-2-init: chown: cannot access '/run/agenix.d/1/password': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixChown' failed (1)
| 18:16:50 |