| 3 Sep 2025 |
ed209 | I'm looking for ways to store build-time secrets using agenix, but it seems to be a bit tricky to do. Is there an easy way to (potentially imperatively) decrypt a subset of secrets so they're available on the system before deploying/building images? | 19:21:04 |
K900 | Build-time secrets are basically always bad | 19:22:46 |
K900 | Why do you want that? | 19:22:52 |
ed209 | I should say deploy time... like, how else do you give LUKS the key to use when provisioning a system? | 19:23:26 |
K900 | Can you explain what you're actually trying to do? | 19:23:46 |
ed209 | The main use case is using nixos-anywhere to provision a system with LUKS | 19:25:38 |
ed209 | * The main use case is using nixos-anywhere to provision a system with LUKS (using disko) | 19:26:16 |
ed209 | I'm certainly open to a better way. The secret is only needed when creating the LUKS volume, and then it is unnecessary/not stored | 19:27:16 |
K900 | I feel like this is a nixos-anywhere problem | 19:27:47 |
K900 | As in, the key should be provisioned by nixos-anywhere | 19:27:54 |
K900 | Because it's what's doing the installing | 19:28:03 |
K900 | I don't know if it can actually do that | 19:28:14 |
K900 | But I know it is too early for agenix to do anything | 19:28:25 |
ed209 | In reply to @k900:0upti.me ("I don't know if it can actually do that"): there is a mechanism for this | 19:28:25 |
K900 | (and same for other agenix shaped tools) | 19:28:41 |
ed209 | Found it, it's --disk-encryption-keys... I guess I can manually decrypt secrets, but it would be cool if you could have it automatically done during deployment | 19:30:52 |
ed209 | * Found it, it's --disk-encryption-keys, the nixos-anywhere flag... I guess I can manually decrypt secrets, but it would be cool if you could have it automatically done during deployment | 19:33:43 |
| 8 Sep 2025 |
ed209 | Is it just me, or is deploying secrets in nixos-install (not sure if it matters, but I'm technically doing disko-install) not possible? | 12:18:33 |
ed209 | Error message:
decrypting '/nix/store/9hypanvdrbg77832x73c2j9cx8543gva-source/password.age' to '/run/agenix.d/1/password'...
age: error: tpm plugin: couldn't start plugin: chdir /mnt/disko-install-root/tmp.gzeSgr8SI6: no such file or directory
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 1)...
Activation script snippet 'agenixInstall' failed (1)
warning: password file ‘/run/agenix/password’ does not exist
[agenix] chowning...
chown: cannot access '/run/agenix.d/1/password': No such file or directory
Activation script snippet 'agenixChown' failed (1)
| 12:37:35 |
eyJhb | But aren't the secrets just part of the config? So they should be copied to the store, and then decrypted on activation | 12:37:49 |
eyJhb | Haven't seen that error before however | 12:38:30 |
ed209 | It does work if I, say, install with a temp password and then do nixos-rebuild switch | 12:39:07 |
ed209 | Also, maybe I should try rebooting and see if it's safe to ignore that error 😅 | 12:42:20 |
ed209 | Yeah, I don't get it... but it doesn't seem to decrypt on reboot | 22:20:59 |
ed209 | But if I run `nixos-rebuild switch` it works fine | 22:26:19 |
| 9 Sep 2025 |
ed209 | So I'm actually starting to think the issue is age-yubikey-tpm. It works when I do nixos-rebuild switch but not on boot etc.; I get a very similar error message | 10:30:38 |