| 23 Nov 2025 |
Alexandros Liarokapis | idea is you add the machine-scoped/project-scoped/secret-scoped BWS key on /var/lib/bws/auth or similar. Rest of the interface is pretty much the same as agenix minus the age/ssh-specific configs and using .id instead of .file. And I am kind of split between keeping the secrets at /var/lib/bws/secrets unencrypted but with proper permissions, or encrypting with some identity key as agenix and decrypting on startup to /run/secrets, but I don't think the latter gives any security advantage in practice. I /could/ use TPM, however, which would give some protection against stolen disk contents. | 23:19:08 |
| 27 Dec 2025 |
gabyx | Hi all, I was wondering if it's possible that agenix can reference a symlink like:
{
age.secrets.monitrc.file = ../secrets/monitrc.age; # <<- this is a symlink to another file somewhere else (submodule) in the repository
}
apparently the above does not work so far. I wanted to separate out some secrets into private submodules.
| 22:36:57 |
hexa | https://github.com/FiloSottile/age/releases/tag/v1.3.0 | 22:37:11 |
Defelo | In reply to @hexa:lossy.network (https://github.com/FiloSottile/age/releases/tag/v1.3.0): https://github.com/NixOS/nixpkgs/pull/474666 | 23:58:31 |
| 28 Dec 2025 |
gabyx | reviewed it, looks nice | 00:11:29 |
Defelo | (updated to 1.3.1 and removed the version patch) | 12:46:40 |
| 29 Dec 2025 |
ed209 | I'm trying to run agenix with age-tpm (again) and it doesn't seem to decrypt secrets on reboot. they do decrypt on nixos-rebuild switch | 17:30:55 |
ed209 | a ha:
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] creating new generation in /run/agenix.d/1
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] decrypting secrets...
Dec 29 13:14:58 sachiel-vm stage-2-init: decrypting '/nix/store/9p0wfsrivi2b198dai1kdv3s31kfiicy-source/password.age' to '/run/agenix.d/1/password'...
Dec 29 13:14:58 sachiel-vm stage-2-init: chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] symlinking new secrets to /run/agenix (generation 1)...
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixInstall' failed (1)
Dec 29 13:14:58 sachiel-vm stage-2-init: warning: password file ‘/run/agenix/password’ does not exist
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] chowning...
Dec 29 13:14:58 sachiel-vm stage-2-init: chown: cannot access '/run/agenix.d/1/password': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixChown' failed (1)
| 18:16:50 |
ed209 | maybe the TPM isn't available this early in boot? | 18:18:31 |
ed209 | cause /run/current-system/activate works | 18:38:12 |
ed209 | boot.initrd.availableKernelModules = ["tpm_crb" "tpm_tis"]; did the trick! | 18:51:22 |