| 31 Dec 2025 |
ed209 | In reply to @andromeda:tchncs.de I already put this in #impermanence:nixos.org ftr. is there an elegant solution to the sort of 'conflict' between Agenix and Impermanence? That being, Agenix uses the host keys in /etc/ssh before Impermanence fetches the persistent directory /etc/ssh. This leads Agenix to fail. The solution I've found is not pretty; it mounts /nix/persist (my persistent directory) to /btrfs_tmp/root/nix before copying /btrfs_tmp/root/nix/persist/etc/ssh to /btrfs_tmp/root/etc/ssh. This arrangement is showcased in https://git.mtgmonkey.net/Andromeda/conf/src/commit/0468cf2621e8ef812f774bbf2eed396b4c0d4602 in machines/lenovo and is what I am currently using. why not just
age.identityPaths = [
"/persist/etc/ssh/ssh_host_ed25519_key"
]
full disclosure i haven't yet tried this | 17:01:08 |
ed209 | okay, i just did this and it does work! | 18:27:02 |
ed209 | what I can't figure out is how to make sure my user pw gets set at install time... I guess you kind of can't | 18:33:35 |
K900 | You probably want to just use hashedPassword | 18:37:48 |
ed209 | In reply to @k900:0upti.me You probably want to just use hashedPassword I'm using hashedPasswordFile = config.age.secrets.password.path; is that not right? | 19:00:24 |
ed209 | oh I guess you mean for a totally unencrypted hash. | 19:17:52 |
hexa | encrypting a hash feels a bit redundant 🤔 | 19:35:05 |
ed209 | In reply to @hexa:lossy.network encrypting a hash feels a bit redundant 🤔 worried about future attacks against the hash. but i can put it in my private flake only and it's prob fine | 20:00:38 |
hexa | if they build on the same primitive then that's not much help | 20:06:09 |
hexa | though age supports pq things since very recently | 20:06:25 |
ed209 | In reply to @hexa:lossy.network if they build on the same primitive then that's not much help issue is my config is public | 20:36:32 |
ed209 | but that's resolvable | 20:37:33 |
| 3 Jan 2026 |
findus | Hi, I tried agenix together with nix-generate for proxmox images and I still need to do one rebuild-switch after deploying the resulting images to have the secret mount present. Is there a trick to have them available on first boot? | 08:12:47 |
findus | * Hi, I tried agenix together with nix-generate for proxmox images and I still need to do one rebuild-switch after deploying the resulting image to have the secret mount present. Is there a trick to have them available on first boot? | 08:12:58 |
ed209 | In reply to @Findus:stratum0.org Hi, I tried agenix together with nix-generate for proxmox images and I still need to do one rebuild-switch after deploying the resulting images to have the secret mount present. Is there a trick to have them available on first boot? I've run into the same issue (not proxmox but generating qcow2). I couldn't find a workaround | 13:42:23 |
| 9 Jan 2026 |
Ivy | i think ive implemented restarting units like sops-nix? | 08:02:47 |
Ivy | is that something people would want? | 08:02:56 |
Ivy | i have it working on darwin | 08:03:03 |
findus | I've read the source code a little and it seems like agenix also uses systemd to mount the secrets partition when sysusers are enabled (https://mynixos.com/nixpkgs/option/systemd.sysusers.enable), but when enabling that every user defined in the nix config must be a system user, that did not work out for me | 08:50:17 |
findus | https://github.com/ryantm/agenix/blob/fcdea223397448d35d9b31f798479227e80183f6/modules/age.nix#L283 | 08:52:02 |
whispers [& it/fae] | for what it's worth, it also uses the systemd service if userborn is used, which can handle both normal and system users | 12:59:21 |
Ivy | how do you use agenix rekey over like ssh | 13:18:55 |
Ivy | like how can i do that "sanely" | 13:19:01 |