| 9 Jan 2026 |
 Ivy | is that something people would want? | 08:02:56 |
| Ivy | i have it working on darwin | 08:03:03 |
 findus | I've read the source code a little and it seems like agenix also uses systemd to mount the secrets partition when sysusers are enabled (https://mynixos.com/nixpkgs/option/systemd.sysusers.enable), but when enabling that every user defined in the nix config must be a system user, dad did not work out for me | 08:50:17 |
| findus | https://github.com/ryantm/agenix/blob/fcdea223397448d35d9b31f798479227e80183f6/modules/age.nix#L283 | 08:52:02 |
 whispers [& it/fae] | for what it's worth, it also uses the systemd service if userborn is used, which can handle both normal and system users | 12:59:21 |
| Ivy | how do you use agenix rekey over like ssh | 13:18:55 |
| Ivy | like how can i do that "sanely" | 13:19:01 |
 K900 | Do you mean, like, with a key stored in a forwarded SSH agent? | 13:19:57 |
| Ivy | like that | 13:20:16 |
| Ivy | but i know that ssh agents can only sign not encrypt or decrypt | 13:20:25 |
| K900 | Yeah you can't | 13:20:39 |
| K900 | That's a design decision by the SSH agent | 13:20:45 |
| Ivy | yes | 13:20:50 |
| Ivy | so i wanna know what would be another thing i can forward over ssh to use agenix-rekey | 13:21:07 |
| K900 | You basically have to get your key onto the machine that you're running rekey on | 13:21:08 |
| K900 | There is no such thing | 13:21:13 |
| Ivy | ugh | 13:21:16 |
| Ivy | can i forward ncsd from my yubikey over? | 13:21:29 |
| Ivy | like a socket for it? | 13:21:31 |
| K900 | age only operates on local key files normally | 13:22:07 |
| K900 | You can do more things with plugins | 13:22:11 |
| K900 | But I'm not sure there is a plugin that will allow you to directly do that | 13:22:19 |
| Ivy | yeah i mean with plugins sorry meant to clarify that | 13:22:24 |
| Ivy | like for example im using age-plugin-yubikey | 13:22:32 |
| Ivy | and i wonder if theres a way to forward my yubikey over ssh | 13:22:41 |
| K900 | I don't know what age-plugin-yubikey does | 13:23:17 |
| K900 | You could probably do horrible usbip things | 13:23:22 |
| K900 | At the very least | 13:23:26 |
| Ivy | i think it uses pcscd | 13:23:30 |
| Ivy | and might be possible to forward that | 13:23:41 |
