| 27 Dec 2025 |
|  jappie changed their display name from jappie @ 39c3 to jasper @ 39c3 ☎️ 62749. | 13:30:50 |
|  gabyx joined the room. | 22:34:34 |
| gabyx | Hi all, I was wondering if its possible that agenix can reference a symlink like:
{
age.secrets.monitrc.file = ../secrets/monitrc.age; # <<- this is a symlink to another file somewhere else (submodule) in the repository
}
apparently the above does not work so far.
I wanted to separate out some secrets into private submodules.
| 22:36:57 |
 hexa | https://github.com/FiloSottile/age/releases/tag/v1.3.0 | 22:37:11 |
 Defelo | In reply to @hexa:lossy.network
https://github.com/FiloSottile/age/releases/tag/v1.3.0 https://github.com/NixOS/nixpkgs/pull/474666 | 23:58:31 |
| 28 Dec 2025 |
| gabyx | reviewed it, looks nice | 00:11:29 |
| Defelo | (updated to 1.3.1 and removed the version patch) | 12:46:40 |
|  @azahi:azahi.cc left the room. | 23:09:41 |
| 29 Dec 2025 |
 ed209 | I'm trying to run agenix with age-tpm (again) and it doesn't seem to decrypt secrets on reboot. they do decrypt on nixos-rebuild switch | 17:30:55 |
| ed209 | * I'm trying to run agenix with age-tpm (again) and it doesn't seem to decrypt secrets on reboot. they do decrypt on nixos-rebuild switch | 17:31:15 |
| ed209 | a ha:
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] creating new generation in /run/agenix.d/1
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] decrypting secrets...
Dec 29 13:14:58 sachiel-vm stage-2-init: decrypting '/nix/store/9p0wfsrivi2b198dai1kdv3s31kfiicy-source/password.age' to '/run/agenix.d/1/password'...
Dec 29 13:14:58 sachiel-vm stage-2-init: chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] symlinking new secrets to /run/agenix (generation 1)...
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixInstall' failed (1)
Dec 29 13:14:58 sachiel-vm stage-2-init: warning: password file ‘/run/agenix/password’ does not exist
Dec 29 13:14:58 sachiel-vm stage-2-init: [agenix] chowning...
Dec 29 13:14:58 sachiel-vm stage-2-init: chown: cannot access '/run/agenix.d/1/password': No such file or directory
Dec 29 13:14:58 sachiel-vm stage-2-init: Activation script snippet 'agenixChown' failed (1)
| 18:16:50 |
| ed209 | maybe the TPM isn't available this early in boot? | 18:18:31 |
| ed209 | cause /run/current-system/activate works | 18:38:12 |
| ed209 | boot.initrd.availableKernelModules = ["tpm_crb" "tpm_tis"]; did the trick! | 18:51:22 |
| 30 Dec 2025 |
|  ladams joined the room. | 14:47:18 |
|  andromeda joined the room. | 17:10:28 |
| andromeda | I already put this in #impermanence:nixos.org ftr. is there an elegant solution to the sort of 'conflict' between Agenix and Impermanence? That being, Agenix uses the host keys in /etc/ssh before Impermanence fetches the persistant directory /etc/ssh. This leads Agenix to fail. The solution I've found is not pretty; it mounts /nix/persist (my persistant directory) to /btrfs_tmp/root/nix before copying /btrfs_tmp/root/nix/persist/etc/ssh to /btrfs_tmp/root/etc/ssh. This arrangement is showcased in https://git.mtgmonkey.net/Andromeda/conf/src/commit/0468cf2621e8ef812f774bbf2eed396b4c0d4602 in machines/lenovo and is what I am currently using. | 17:12:48 |
| jappie changed their display name from jasper @ 39c3 ☎️ 62749 to jasper. | 23:38:40 |
| jappie | 23:40:10 |
| 31 Dec 2025 |
| ed209 | In reply to @andromeda:tchncs.de
I already put this in #impermanence:nixos.org ftr. is there an elegant solution to the sort of 'conflict' between Agenix and Impermanence? That being, Agenix uses the host keys in /etc/ssh before Impermanence fetches the persistant directory /etc/ssh. This leads Agenix to fail. The solution I've found is not pretty; it mounts /nix/persist (my persistant directory) to /btrfs_tmp/root/nix before copying /btrfs_tmp/root/nix/persist/etc/ssh to /btrfs_tmp/root/etc/ssh. This arrangement is showcased in https://git.mtgmonkey.net/Andromeda/conf/src/commit/0468cf2621e8ef812f774bbf2eed396b4c0d4602 in machines/lenovo and is what I am currently using. why not just
age.identityPaths = [
"/persist/etc/ssh/ssh_host_ed25519_key"
]
full disclosure i haven't yet tried this | 17:01:08 |
|  odilf joined the room. | 18:15:00 |
| ed209 | okay, i just did this and it does work! | 18:27:02 |
| ed209 | what I can't figure out is how to make sure my user pw gets set at install time... I guess you kind of can't | 18:33:35 |
 K900 | You probably want to just use hashedPassword | 18:37:48 |
| ed209 | In reply to @k900:0upti.me
You probably want to just use hashedPassword I'm using hashedPasswordFile = config.age.secrets.password.path; is that not right | 19:00:24 |
| ed209 | oh I guess you mean for a totally unencrypted hash. | 19:17:52 |
| hexa | encrypting a hash feels a bit redundant 🤔 | 19:35:05 |
| ed209 | In reply to @hexa:lossy.network
encrypting a hash feels a bit redundant 🤔 worried about future attacks against the hash. but i can put it in my private flake only and its prob fine | 20:00:38 |
| hexa | if they build on the same primitive then that's not much help | 20:06:09 |
| hexa | though age supports pq things since very recently | 20:06:25 |
