How to use Yubikeys in nixos-install / chroot?

I don’t know how you would do this with ssh keys, since the ssh host keys are supposed to act as the master keys.

Have you considered using separate gpg/age keys instead? I usually bootstrap my boxes with gpg keys for sops-nix so that I can pre-seed the filesystem with the master keys. Not sure if that would work here, but I’m assuming it’s nicer to deal with.

In either case, you will have to get the Yubikey to provision the master keys during installation (i.e., before a reboot).

Some of the warnings seem to be from various flake inputs, and the trusted substituters in the nixConfig help with binary caching, since only an --accept-flake-config is necessary to use them, in my experience. Otherwise, I’d have to rebuild first if I only put them in nix.settings. Which settings should I remove from the nixConfig?

I do actually use separate keys for each host and user, but the master keys are usually only used to bootstrap new systems. At the moment, I’m using two Yubikeys and a deterministic age key as the master keys, the latter of which still seems to have a few kinks. … Or maybe that’s because of the Yubikeys as well…

Basically all of them.

Some can only be set by trusted users, some don’t make sense to be set for a singular evaluation and yet again others can’t even be read without being true anyway.

Since you said “basically”, are there any I should keep…? I’m finding the trusted substituters to be quite helpful, as I mentioned, as well as the number of cores, for example. Some things are a little hard to build on my machines. I’m mostly keeping them so I don’t have to rebuild every time I change a setting.

warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
fetching git input 'git+file:///mnt/etc/nixos'
building the flake in git+file:///mnt/etc/nixos?ref=refs/heads/master&rev=42846654213b36625b1e91f2f8c9c9850462b8ed...
warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
fetching git input 'git+file:///mnt/etc/nixos'
warning: unknown experimental feature 'recursive-nix'
fetching git input 'git+https://github.com/deemp/flake-compat'
trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: The option `services.resolved.dnssec' defined in `/mnt/nix/store/bvjf984rjw5qdjvlkkkrsp212lzj5mnx-source/common' has been renamed to `services.resolved.settings.Resolve.DNSSEC'.
trace: evaluation warning: `boot.zfs.forceImportRoot` is using the default value of `true`. It is highly recommended to set it to `false`, the new default from 26.11 on, to reduce the risk of data loss. Alternatively, you can silence this warning by explicitly setting it to `true`.
trace: evaluation warning: mnw: both startAttrs."persisted.nvim" and optAttrs."persisted.nvim" are defined and not null
This will cause the plugin to be installed under /opt and /start.


trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: The option `services.resolved.dnssec' defined in `/mnt/nix/store/bvjf984rjw5qdjvlkkkrsp212lzj5mnx-source/common' has been renamed to `services.resolved.settings.Resolve.DNSSEC'.
trace: evaluation warning: `boot.zfs.forceImportRoot` is using the default value of `true`. It is highly recommended to set it to `false`, the new default from 26.11 on, to reduce the risk of data loss. Alternatively, you can silence this warning by explicitly setting it to `true`.
trace: evaluation warning: mnw: both startAttrs."persisted.nvim" and optAttrs."persisted.nvim" are defined and not null
This will cause the plugin to be installed under /opt and /start.


these 30 derivations will be built:
  /nix/store/19xgw0rlq6v37aj3ckdxzkakbfm4l1is-disko.drv
  /nix/store/h3bgbj7g5kmsmzndhrjdwplirlx8v6pk-system-path.drv
  /nix/store/8x2n4yar3czd5yp1029691561jbqch45-unit-accounts-daemon.service.drv
  /nix/store/s6gbplqn9y9f5wk5rk5jz4fzcpsyv2b9-dbus-1.drv
  /nix/store/69bfq6kdcjj5ff52145zcfnzby5sdbjw-X-Restart-Triggers-dbus-broker.drv
  /nix/store/fpkv8lrylvnrwm6z7r5smhv94jxp5r0b-unit-dbus-broker.service.drv
  /nix/store/57577riqngjs2rhvaiq2jfsl1gy072fq-X-Restart-Triggers-polkit.drv
  /nix/store/w5ai0zz6sbjzz90kb6k02nq3mgxs6d8v-unit-polkit.service.drv
  /nix/store/af2q2m0pv8fmj24v3hpaxdbd42p8qfai-system-units.drv
  /nix/store/yq4zyybby8011v5mx5hcg62l1395iijf-unit-dbus-broker.service.drv
  /nix/store/c7h19g4dnv404n45s9n150p2jq95yaw7-user-units.drv
  /nix/store/mcw331xblx6n8x49ic3a6jj0piqfrnk5-set-environment.drv
  /nix/store/p34whg8c8q3zl7641vz8a6yggdskxa5v-etc-pam-environment.drv
  /nix/store/vzfwrjwww3cjlsxl36cc9hvync02vcgl-etc-zshenv.drv
  /nix/store/wy9vdry3zl100b51rqf5lfcprbmg6aag-etc-profile.drv
  /nix/store/cs6kwnh39hjk7jlnmnxkm80a8a56yrvx-etc.drv
  /nix/store/dz87gsc6axvsh1m235l9dq3xzx4fw4ix-activate.drv
  /nix/store/2635w863papn1aiwg3wcx9k48xhiqs50-nixos-system-silver-26.05.20251130.e953753.drv
  /nix/store/m1y452ddig2379gnmc3ihqxzywdzm7rk-system-path.drv
  /nix/store/3y3v7v4kp4pylxl8f9jbbanrpnbkm7n8-X-Restart-Triggers-polkit.drv
  /nix/store/cjw7qpil5ni7yfyd68lharg3klvd7v64-unit-polkit.service.drv
  /nix/store/aip9ih0jpm67240m39g0f7j9jb8ai9zk-dbus-1.drv
  /nix/store/pb05q5j7r2ddrga4ff8ggqw71707qlfx-X-Restart-Triggers-dbus-broker.drv
  /nix/store/njyq3xga3b6wyr7n1245ay4m47ya14v4-unit-dbus-broker.service.drv
  /nix/store/366b4lm25pqglad1sc1yk61gmqmp4zrq-system-units.drv
  /nix/store/jdkrrbm4xf56p80rwzfv8n8yd9mr14vc-unit-dbus-broker.service.drv
  /nix/store/ph3xzvw0l4dm7hd9j2qdkx9kv2svnp8p-user-units.drv
  /nix/store/jxh6madf6sw60kydzdqg71qw4ycrfqad-etc.drv
  /nix/store/a7sjlw9220nd89557gsf4b2xvfl57j1w-activate.drv
  /nix/store/nvdnp1kmfh8yvggh4aq3fpnfphpc0lrw-nixos-system-silver-26.05.20251130.e953753.drv
warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
building '/nix/store/19xgw0rlq6v37aj3ckdxzkakbfm4l1is-disko.drv'...
building '/nix/store/m1y452ddig2379gnmc3ihqxzywdzm7rk-system-path.drv'...
building '/nix/store/h3bgbj7g5kmsmzndhrjdwplirlx8v6pk-system-path.drv'...
building '/nix/store/aip9ih0jpm67240m39g0f7j9jb8ai9zk-dbus-1.drv'...
building '/nix/store/3y3v7v4kp4pylxl8f9jbbanrpnbkm7n8-X-Restart-Triggers-polkit.drv'...
building '/nix/store/pb05q5j7r2ddrga4ff8ggqw71707qlfx-X-Restart-Triggers-dbus-broker.drv'...
building '/nix/store/cjw7qpil5ni7yfyd68lharg3klvd7v64-unit-polkit.service.drv'...
building '/nix/store/njyq3xga3b6wyr7n1245ay4m47ya14v4-unit-dbus-broker.service.drv'...
building '/nix/store/jdkrrbm4xf56p80rwzfv8n8yd9mr14vc-unit-dbus-broker.service.drv'...
building '/nix/store/366b4lm25pqglad1sc1yk61gmqmp4zrq-system-units.drv'...
building '/nix/store/ph3xzvw0l4dm7hd9j2qdkx9kv2svnp8p-user-units.drv'...
building '/nix/store/jxh6madf6sw60kydzdqg71qw4ycrfqad-etc.drv'...
building '/nix/store/mcw331xblx6n8x49ic3a6jj0piqfrnk5-set-environment.drv'...
building '/nix/store/8x2n4yar3czd5yp1029691561jbqch45-unit-accounts-daemon.service.drv'...
building '/nix/store/a7sjlw9220nd89557gsf4b2xvfl57j1w-activate.drv'...
building '/nix/store/vzfwrjwww3cjlsxl36cc9hvync02vcgl-etc-zshenv.drv'...
building '/nix/store/57577riqngjs2rhvaiq2jfsl1gy072fq-X-Restart-Triggers-polkit.drv'...
building '/nix/store/p34whg8c8q3zl7641vz8a6yggdskxa5v-etc-pam-environment.drv'...
building '/nix/store/s6gbplqn9y9f5wk5rk5jz4fzcpsyv2b9-dbus-1.drv'...
building '/nix/store/wy9vdry3zl100b51rqf5lfcprbmg6aag-etc-profile.drv'...
building '/nix/store/w5ai0zz6sbjzz90kb6k02nq3mgxs6d8v-unit-polkit.service.drv'...
building '/nix/store/69bfq6kdcjj5ff52145zcfnzby5sdbjw-X-Restart-Triggers-dbus-broker.drv'...
building '/nix/store/yq4zyybby8011v5mx5hcg62l1395iijf-unit-dbus-broker.service.drv'...
building '/nix/store/fpkv8lrylvnrwm6z7r5smhv94jxp5r0b-unit-dbus-broker.service.drv'...
building '/nix/store/c7h19g4dnv404n45s9n150p2jq95yaw7-user-units.drv'...
building '/nix/store/af2q2m0pv8fmj24v3hpaxdbd42p8qfai-system-units.drv'...
building '/nix/store/cs6kwnh39hjk7jlnmnxkm80a8a56yrvx-etc.drv'...
building '/nix/store/dz87gsc6axvsh1m235l9dq3xzx4fw4ix-activate.drv'...
building '/nix/store/2635w863papn1aiwg3wcx9k48xhiqs50-nixos-system-silver-26.05.20251130.e953753.drv'...
building '/nix/store/nvdnp1kmfh8yvggh4aq3fpnfphpc0lrw-nixos-system-silver-26.05.20251130.e953753.drv'...
warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
installing the boot loader...
install: cannot create directory '/mnt/etc/static': File exists
/nix/store/ngn2v00axgbp0bj3ik88qhgy3a2l8qyl-nixos-enter/bin/nixos-enter: failed to set up resolv.conf
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
[agenix] WARNING: config.age.identityPaths entry /persist//root/.age/id not present!
[agenix] WARNING: config.age.identityPaths entry /root/.age/akd not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.age/akd not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.ssh/id_rsa not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.ssh/id_ed25519 not present!
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/hashedPassword.age' to '/run/agenix.d/1/hashedPassword'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/hashedPassword.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/hashedPassword.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/password.age' to '/run/agenix.d/1/password'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/sha256HashedPassword.age' to '/run/agenix.d/1/sha256HashedPassword'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/sha256HashedPassword.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/sha256HashedPassword.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/caddy.age' to '/run/agenix.d/1/tailscaleCaddy'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleCaddy.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleCaddy.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/caddy2.age' to '/run/agenix.d/1/tailscaleCaddy2'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleCaddy2.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleCaddy2.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/client.age' to '/run/agenix.d/1/tailscaleClient'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleClient.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleClient.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/wallpaper.age' to '/run/agenix.d/1/wallpaper'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/wallpaper.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/wallpaper.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/wireless.age' to '/run/agenix.d/1/wireless'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/wireless.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/wireless.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 1)...
Activation script snippet 'agenixInstall' failed (1)
warning: not applying GID change of group ‘syvlnet’ (993 -> 80085) in /etc/group
warning: not applying GID change of group ‘syvlorg’ (992 -> 43628) in /etc/group
[agenix] chowning...
chown: cannot access '/run/agenix.d/1/hashedPassword': No such file or directory
chown: cannot access '/run/agenix.d/1/password': No such file or directory
chown: cannot access '/run/agenix.d/1/sha256HashedPassword': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleCaddy': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleCaddy2': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleClient': No such file or directory
chown: cannot access '/run/agenix.d/1/wallpaper': No such file or directory
chown: cannot access '/run/agenix.d/1/wireless': No such file or directory
Activation script snippet 'agenixChown' failed (1)
setting up /etc...
Not checking switch inhibitors (action = boot)
Running in a chroot, enabling --graceful.
Created directory "/boot/EFI".
Created directory "/boot/EFI/systemd".
Created directory "/boot/EFI/BOOT".
Created directory "/boot/loader".
Created directory "/boot/loader/keys".
Created directory "/boot/loader".
Created directory "/boot/loader/entries".
Created directory "/boot/EFI".
Created directory "/boot/EFI/Linux".
Copied "/nix/store/9rpism89x6lyjcwzzkp6kana25rs03nn-systemd-260.1/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi".
Copied "/nix/store/9rpism89x6lyjcwzzkp6kana25rs03nn-systemd-260.1/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI".
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes).
Updated EFI boot entry "Linux Boot Manager".
installation finished!
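A preflight check I would run on the host before `nixos-install`, as an added example that is not from the thread or from agenix: it verifies that every `config.age.identityPaths` entry reported missing in the log above actually exists under the target root, and probes whether the age YubiKey plugin can see a token at all. The target root `/mnt`, the `preflight` wrapper and the explanation in the plugin comment are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the thread's or agenix's code): preflight for age/agenix
# secrets before running nixos-install into a chroot.

# Check identity files relative to the target root. Prints the number of
# missing files on stdout (details go to stderr) and returns 1 if any is
# missing, so it can be used both in scripts and in an "if".
# Arguments: target root, then absolute identity paths as they appear in
# config.age.identityPaths.
check_age_identities() {
  root="$1"; shift
  missing=0
  for path in "$@"; do
    # agenix resolves identityPaths on the installed system, so prefix the root.
    if [ -r "${root}${path}" ]; then
      echo "ok:      ${root}${path}" >&2
    else
      echo "missing: ${root}${path}" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
  [ "$missing" -eq 0 ]
}

# Probe the age YubiKey plugin on the host, outside the chroot. Assumption:
# the plugin needs the host's smart-card stack (pcscd) to open the token,
# which a plain nixos-enter chroot does not provide, so checking here tells
# you whether the token is reachable at all before activation tries to use it.
probe_yubikey_plugin() {
  if ! command -v age-plugin-yubikey >/dev/null 2>&1; then
    echo "age-plugin-yubikey not on PATH" >&2
    return 1
  fi
  age-plugin-yubikey --list
}

# Convenience wrapper using the identity paths from the log above.
preflight() {
  target="${1:-/mnt}"
  check_age_identities "$target" \
    /persist/root/.age/id \
    /root/.age/akd \
    /persist/root/.age/akd \
    /persist/root/.ssh/id_rsa \
    /persist/root/.ssh/id_ed25519 >/dev/null || echo "some identities missing" >&2
  probe_yubikey_plugin || echo "YubiKey plugin cannot see a token" >&2
}
```

Run `preflight /mnt` after mounting the target filesystems; if it reports missing identities, copy or generate them under `/mnt` before installing, since activation inside the chroot cannot fall back to the YubiKey.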

If you do this you would use your Yubikey in step two as the "master key". No need to do this during boot, especially when you don’t have access to the system.

Although, since I’m installing the new system from an old system anyway, I wouldn’t need the Yubikey since the old system could just decrypt the secrets… Plus, apparently decryption isn’t supposed to be happening during boot anyway, so we’ll see what happens. I want key rotation to be as simple as deleting the old keys and rebuilding while a master key is available, so I wanted to keep generation in the config, if possible.


@TLATER and @NobbZ, in case I had to tag you two.

In my opinion, nixConfig support should be removed from Nix. It is broadly misunderstood and misused. It barely gives any value, and regularly annoys more users than it helps.

So, no, if you ask me, just remove everything. Instead make sure you have an installer that enables all the substituters you need, if you ever want to use the flake for reinstalling.

Fair criticism. I also hate duplicate code, so it shouldn’t be too hard to extract the substituters using nix eval. I’ll look into it.

I went through the agenix module and I see they are adding a couple of activation scripts as well as a systemd service.

None of this should matter on switch-to-configuration boot, as boot does not run activation.

Though switch-to-configuration is run in a nixos-entered environment, which might affect things, because that does indeed do a partial activation.

I also checked the sops-nix modules, and they also seem to have used activation scripts since forever, though they at least optionally allow using a service.

I am really lost now, and do not understand why it ever worked for me and eblechschmidt with sops-nix.


Edit:

This line in sops might make the difference… I can’t find an equivalent check in agenix:

Though I do not remember whether nixos-enter will actually ensure that being there, and the disk I wanted to install your config on for testing is not available to me anymore. So I cannot do any testing.


Regardless of whether /run/current-system existed or not, whether by bind mounting or not, the secrets seemed to be set up, even when setting up a new disk. I’ll remove the /run/... bind mounts, format the disk, and see whether the secrets are set up.

No sops-nix after removing /run/current-system:

warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
fetching git input 'git+file:///mnt/etc/nixos'
building the flake in git+file:///mnt/etc/nixos?ref=refs/heads/master&rev=d78381feaa1c65ff8676d7464e099fc5512a4d49...
warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
fetching git input 'git+file:///mnt/etc/nixos'
warning: unknown experimental feature 'recursive-nix'
fetching git input 'git+https://github.com/deemp/flake-compat'
trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: The option `services.resolved.dnssec' defined in `/mnt/nix/store/92si8hc2bn5kx0szdjxcjmm5fqlgd17f-source/common' has been renamed to `services.resolved.settings.Resolve.DNSSEC'.
trace: evaluation warning: `boot.zfs.forceImportRoot` is using the default value of `true`. It is highly recommended to set it to `false`, the new default from 26.11 on, to reduce the risk of data loss. Alternatively, you can silence this warning by explicitly setting it to `true`.
trace: evaluation warning: mnw: both startAttrs."persisted.nvim" and optAttrs."persisted.nvim" are defined and not null
This will cause the plugin to be installed under /opt and /start.


trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: The default value of `gtk.gtk4.theme` has changed from `config.gtk.theme` to `null`.
You are currently using the legacy default (`config.gtk.theme`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  gtk.gtk4.theme = config.gtk.theme;
To adopt the new default behavior, set:
  gtk.gtk4.theme = null;

trace: evaluation warning: The default value of `xdg.userDirs.setSessionVariables` has changed from `true` to `false`.
You are currently using the legacy default (`true`) because `home.stateVersion` is less than "26.05".
To silence this warning and keep legacy behavior, set:
  xdg.userDirs.setSessionVariables = true;
To adopt the new default behavior, set:
  xdg.userDirs.setSessionVariables = false;

trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: 'runCommandNoCC' has been renamed to/replaced by 'runCommand'
trace: evaluation warning: The option `services.resolved.dnssec' defined in `/mnt/nix/store/92si8hc2bn5kx0szdjxcjmm5fqlgd17f-source/common' has been renamed to `services.resolved.settings.Resolve.DNSSEC'.
trace: evaluation warning: `boot.zfs.forceImportRoot` is using the default value of `true`. It is highly recommended to set it to `false`, the new default from 26.11 on, to reduce the risk of data loss. Alternatively, you can silence this warning by explicitly setting it to `true`.
trace: evaluation warning: mnw: both startAttrs."persisted.nvim" and optAttrs."persisted.nvim" are defined and not null
This will cause the plugin to be installed under /opt and /start.


these 14 derivations will be built:
  /nix/store/c8d9qqg4a31whrxfyf06xvjxvhm22xj4-root-passage-identities-recipients-files.drv
  /nix/store/kqkqfhcflx16q3lafhwgspx1igd5a9n4-unit-root-passage-identities-recipients-files.service.drv
  /nix/store/7z4s46f3kj8ly97l22wyndl2hsnkkyxn-syvlnet-passage-identities-recipients-files.drv
  /nix/store/q6zx43a461rljsby0fbvrbgx4xx6bcq5-unit-syvlnet-passage-identities-recipients-files.service.drv
  /nix/store/sl54w5ha6h95s40910nvqlcjp4v4ffkq-syvlorg-passage-identities-recipients-files.drv
  /nix/store/r1nn3l4shahl3wkc9z0ibz0jzwnpwlqv-unit-syvlorg-passage-identities-recipients-files.service.drv
  /nix/store/ad3pa6bw038r54ij9sx7wpknmdnnp4dk-system-units.drv
  /nix/store/qgrsxv4lmpdnra0f94mm9z2baa5bm3xm-etc.drv
  /nix/store/nb1dzkw9g49n3kh82pm0dpcgq1dfhvjp-activate.drv
  /nix/store/09lbyypci5an80dik3zv138qy575w30x-nixos-system-silver-26.05.20251130.e953753.drv
  /nix/store/34n4rb3frbvb3v5c56yij1i4sy4w4dw6-system-units.drv
  /nix/store/11rpkivdb5yqfmqwdbg2mq51mrjpbkhz-etc.drv
  /nix/store/bd25p7bsypxfi8w81x22rx3ay8yd8psl-activate.drv
  /nix/store/rd6dbsrz993a32c4avk17ivi9rwnxhld-nixos-system-silver-26.05.20251130.e953753.drv
warning: unknown experimental feature 'recursive-nix'
warning: unknown experimental feature 'recursive-nix'
warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
warning: unknown setting 'upgrade-nix-store-path-url'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
building '/nix/store/c8d9qqg4a31whrxfyf06xvjxvhm22xj4-root-passage-identities-recipients-files.drv'...
building '/nix/store/sl54w5ha6h95s40910nvqlcjp4v4ffkq-syvlorg-passage-identities-recipients-files.drv'...
building '/nix/store/7z4s46f3kj8ly97l22wyndl2hsnkkyxn-syvlnet-passage-identities-recipients-files.drv'...
building '/nix/store/kqkqfhcflx16q3lafhwgspx1igd5a9n4-unit-root-passage-identities-recipients-files.service.drv'...
building '/nix/store/r1nn3l4shahl3wkc9z0ibz0jzwnpwlqv-unit-syvlorg-passage-identities-recipients-files.service.drv'...
building '/nix/store/q6zx43a461rljsby0fbvrbgx4xx6bcq5-unit-syvlnet-passage-identities-recipients-files.service.drv'...
building '/nix/store/34n4rb3frbvb3v5c56yij1i4sy4w4dw6-system-units.drv'...
building '/nix/store/ad3pa6bw038r54ij9sx7wpknmdnnp4dk-system-units.drv'...
building '/nix/store/11rpkivdb5yqfmqwdbg2mq51mrjpbkhz-etc.drv'...
building '/nix/store/qgrsxv4lmpdnra0f94mm9z2baa5bm3xm-etc.drv'...
building '/nix/store/bd25p7bsypxfi8w81x22rx3ay8yd8psl-activate.drv'...
building '/nix/store/nb1dzkw9g49n3kh82pm0dpcgq1dfhvjp-activate.drv'...
building '/nix/store/09lbyypci5an80dik3zv138qy575w30x-nixos-system-silver-26.05.20251130.e953753.drv'...
building '/nix/store/rd6dbsrz993a32c4avk17ivi9rwnxhld-nixos-system-silver-26.05.20251130.e953753.drv'...
warning: unknown experimental feature 'recursive-nix'
warning: unknown setting 'eval-cores'
warning: unknown setting 'lazy-trees'
warning: unknown setting 'upgrade-nix-store-path-url'
installing the boot loader...
install: cannot create directory '/mnt/etc/static': File exists
/nix/store/ngn2v00axgbp0bj3ik88qhgy3a2l8qyl-nixos-enter/bin/nixos-enter: failed to set up resolv.conf
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
[agenix] WARNING: config.age.identityPaths entry /persist//root/.age/id not present!
[agenix] WARNING: config.age.identityPaths entry /root/.age/akd not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.age/akd not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.ssh/id_rsa not present!
[agenix] WARNING: config.age.identityPaths entry /persist//root/.ssh/id_ed25519 not present!
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/hashedPassword.age' to '/run/agenix.d/1/hashedPassword'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/hashedPassword.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/hashedPassword.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/password.age' to '/run/agenix.d/1/password'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/password.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/password.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/sha256HashedPassword.age' to '/run/agenix.d/1/sha256HashedPassword'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/sha256HashedPassword.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/sha256HashedPassword.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/caddy.age' to '/run/agenix.d/1/tailscaleCaddy'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleCaddy.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleCaddy.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/caddy2.age' to '/run/agenix.d/1/tailscaleCaddy2'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleCaddy2.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleCaddy2.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/tailscale/client.age' to '/run/agenix.d/1/tailscaleClient'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/tailscaleClient.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/tailscaleClient.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/wallpaper.age' to '/run/agenix.d/1/wallpaper'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/wallpaper.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/wallpaper.tmp': No such file or directory
decrypting '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/wireless.age' to '/run/agenix.d/1/wireless'...
age: error: yubikey plugin: Could not open YubiKey with serial 12392016
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/1/wireless.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/wireless.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 1)...
Activation script snippet 'agenixInstall' failed (1)
warning: not applying GID change of group ‘syvlnet’ (993 -> 80085) in /etc/group
warning: not applying GID change of group ‘syvlorg’ (992 -> 43628) in /etc/group
[agenix] chowning...
chown: cannot access '/run/agenix.d/1/hashedPassword': No such file or directory
chown: cannot access '/run/agenix.d/1/password': No such file or directory
chown: cannot access '/run/agenix.d/1/sha256HashedPassword': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleCaddy': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleCaddy2': No such file or directory
chown: cannot access '/run/agenix.d/1/tailscaleClient': No such file or directory
chown: cannot access '/run/agenix.d/1/wallpaper': No such file or directory
chown: cannot access '/run/agenix.d/1/wireless': No such file or directory
Activation script snippet 'agenixChown' failed (1)
setting up /etc...
Not checking switch inhibitors (action = boot)
Running in a chroot, enabling --graceful.
Created directory "/boot/EFI".
Created directory "/boot/EFI/systemd".
Created directory "/boot/EFI/BOOT".
Created directory "/boot/loader".
Created directory "/boot/loader/keys".
Created directory "/boot/loader".
Created directory "/boot/loader/entries".
Created directory "/boot/EFI".
Created directory "/boot/EFI/Linux".
Copied "/nix/store/9rpism89x6lyjcwzzkp6kana25rs03nn-systemd-260.1/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/systemd/systemd-bootx64.efi".
Copied "/nix/store/9rpism89x6lyjcwzzkp6kana25rs03nn-systemd-260.1/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/EFI/BOOT/BOOTX64.EFI".
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
installation finished!

Should I patch agenix myself with a similar fix, or open a new issue? Or both?

Both is fine, the latter seems essential. You can even upstream your patch if it works.

I don’t see any reason secrets should be available at installation time, so it’s worth bringing this discussion upstream.


Got it. Soon as it works, I’ll open a pull request. I’m not quite sure how to write tests and documentation, though.

Alright, it does not seem to work; I wrapped the newGeneration, installSecrets, and chownSecrets blocks in the following:

if [ ! -e /run/current-system ]; then
  ...
fi

And the secrets are still being decrypted. Did I misunderstand the check? Or maybe I need to manually exit after checking?

Switching to [ -e /run/current-system ] worked, but now it seems that sops-nix was always trying to decrypt secrets as well. I’ll patch that as well and see what happens.

UPDATE: Checking if /run/current-system exists for both agenix and sops-nix seems to work. Now to check whether my secrets are available on the new system.

Unfortunately, my secrets are not on the new system, which means I can’t use hashedPasswordFile or NetworkManager profiles. Additionally, sops-nix is having the following error:

May 09 04:00:11 silver systemd[1]: Starting sops-install-secrets.service...
May 09 04:00:12 silver sops-install-secrets[1000]: /nix/store/1qflvz8vsw2pq23s5xgf2y06xwdgdsvh-sops-install-secrets-0.0.1/bin/sops-install-secrets: failed to decrypt '/nix/store/w7c121n0b72pbmhh4b95ayxwa48clarx-dirs/root/.passage/store/common/password.sops': Error getting data key: 0 successful groups required, got 0
May 09 04:00:12 silver systemd[1]: sops-install-secrets.service: Main process exited, code=exited, status=1/FAILURE
May 09 04:00:12 silver systemd[1]: sops-install-secrets.service: Failed with result 'exit-code'.
May 09 04:00:12 silver systemd[1]: Failed to start sops-install-secrets.service.
May 09 04:00:12 silver systemd[1]: sops-install-secrets.service: Consumed 73ms CPU time over 536ms wall clock time, 51.7M memory peak, 39.9M read from disk.

This seems to occur regardless of whether I run sops updatekeys on the password.sops file.

Would it be possible to check my branch before I submit a pull request for agenix and sops-nix, or should I submit a pull request first?
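The `/run/current-system` guard discussed above, as an added example that is not part of agenix, sops-nix or the original posts: the activation snippet runs the decryption step only when a system generation is already active, and skips it inside the nixos-install chroot, where the YubiKey is not reachable. The root prefix argument is a constructed knob so the check can be exercised against a temporary directory tree offline; the real activation snippet would test `/run/current-system` directly.

```shell
#!/usr/bin/env sh
# Added example (not agenix's or sops-nix's own code). Guard for a secret
# activation snippet: skip decryption while running under nixos-install,
# where /run/current-system does not exist yet. Note the sense of the test:
# [ -e ... ] means "a generation is active, decrypt"; the inverted
# [ ! -e ... ] form from the thread would decrypt only in the chroot.

# $1 is a root prefix (assumed here for offline testing; "" = real system).
secrets_should_activate() {
  root="${1:-}"
  if [ -e "$root/run/current-system" ]; then
    return 0   # real boot or nixos-rebuild switch: decrypt secrets
  else
    return 1   # installer chroot: no active generation, skip
  fi
}

# Run the decryption command only when the guard passes; otherwise log why
# and return success so the rest of activation continues.
install_secrets_guarded() {
  root="$1"; decrypt_cmd="$2"
  if secrets_should_activate "$root"; then
    $decrypt_cmd
  else
    echo "[agenix] /run/current-system missing (installer chroot); skipping secret decryption" >&2
    return 0
  fi
}

# Constructed scenario: one fake root with an active generation, one without.
# Returns "decrypted|" since only the first root decrypts.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/installed/run/current-system" "$tmp/chroot/run"
  a=$(install_secrets_guarded "$tmp/installed" "echo decrypted")
  b=$(install_secrets_guarded "$tmp/chroot" "echo decrypted" 2>/dev/null)
  rm -rf "$tmp"
  printf '%s|%s\n' "$a" "$b"
}
```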