| 3 Nov 2025 |
goodlander | I added a host to my flake intended to build an installer ISO to help make bootstrapping new systems with my config easier. My approach is that I'm just copying one of the plaintext SSH keys used as an agenix identity into the ISO's global store and then placing it with environment.etc; this is just a personal installer ISO after all, and I can manage it without leaking the key in my config. I then set this location as an age.identityPath; however, it didn't seem to work the way I'd hoped. Nothing managed by agenix was decrypted.
Has anyone done something like this before? Is the plan sound? | 03:37:48 |
| 9 Nov 2025 |
faye | Hey, I hadn't touched my configuration in a while and now whenever I rebuild I get the following:
decrypting '/nix/store/kifxdc5xbd91csl70giasl45kv07fmrm-incubator' to '/run/agenix.d/35/incubator'...
decrypting '/nix/store/z4rx6vnsp0in6i2bv8vq7j9gpmx8ai3h-wakapi-conf' to '/run/agenix.d/35/waka-conf'...
age: error: failed to obtain passphrase: could not read passphrase for "/home/akemi/.ssh/drainpixie": standard input is not a terminal, and /dev/tty is not available: open /dev/tty: no such device or address
age: report unexpected or unhelpful errors at https://filippo.io/age/report
age: error: failed to obtain passphrase: could not read passphrase for "/home/akemi/.ssh/drainpixie": standard input is not a terminal, and /dev/tty is not available: open /dev/tty: no such device or address
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/35/waka-conf.tmp': No such file or directory
chmod: cannot access '/run/agenix.d/35/incubator.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/35/waka-conf.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/35/incubator.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 35)...
[agenix] removing old secrets (generation 34)...
[agenix] chowning...
chown: cannot access '/run/agenix.d/35/incubator': No such file or directory
chown: cannot access '/run/agenix.d/35/waka-conf': No such file or directory
This is my secrets.nix, for reference:
let
# Omitted for brevity
in {
"wakapi-salt".publicKeys = allUsers ++ [systems.incubator];
"wakapi-conf".publicKeys = allUsers ++ [systems.timeline];
"incubator".publicKeys = allUsers ++ [systems.timeline];
}
I can decrypt manually with the agenix CLI just fine as long as I specify the key with --identity. | 13:39:17 |
faye | OK, so I just found this, and after running nix flake update agenix it is now finally prompting for my passphrase again... | 13:41:49 |
K900 | FWIW doing interactive things in activation scripts is very much not a good idea | 13:59:53 |
K900 | And will probably continue exploding absolutely horribly | 14:00:02 |
faye | Meaning I should get rid of the passphrase entirely? | 14:00:33 |
faye | That was on my to-do list, frankly; I just haven't got around to switching yet | 14:00:59 |
K900 | iff you want to use it with agenix, yes | 14:01:07 |
| 23 Nov 2025 |
Alexandros Liarokapis | Hi there. Is there an actual security advantage to not keeping secrets decrypted at rest, say at /var/lib/agenix/secrets or similar, and instead decrypting on startup? What is the threat model here exactly? If they could get access to /var/lib/agenix/secrets or similar, they should also be able to get access to the private decryption keys. | 23:12:11 |
K900 | You still need to redecrypt on activation | 23:14:09 |
K900 | And activation generally runs before everything else. | 23:14:17 |
K900 | So it doesn't really matter in practice | 23:14:27 |
K900 | I feel like a better question is, what are you trying to do where this difference matters? | 23:15:25 |