Introducing nixos-up, a dead-simple installer for NixOS

Ended up here while trying to figure out how to properly use agenix for users.users.<name>.passwordFile on a fresh install — does anyone have a working example? I’m using flakes and starting the bootstrap process with custom live media built from minimalIso as a base, but seem to be running into a chicken-and-egg problem with the password and the SSH keys. I’ll prune down to a minimal example to share here (or start a new thread, if that’s preferred).

Yeah, the docs for passwordFile were limited in my experience. You can check out how I handled it here: https://github.com/samuela/nixos-up/blob/525a5cefd676d8686adf08bb4a49294f8a1df7c5/nixos-up.py#L237-L259. Not sure if it necessarily helps in your situation, but it’s all I’ve got…

Thanks. I did get both hashedPassword & passwordFile working earlier, without agenix, and it ended up looking similar to your approach.

I’ve pruned and sanitized my example config and posted it on GitHub. The main branch uses passwordFile without agenix and is a rough equivalent of your (much more polished) nixos-up, but with LUKS, and implemented in shell scripts instead of Python.

Now I’m working on adding agenix in another branch, step-by-step. I’ve started a post in “Learn” if anyone wants to follow along or offer advice. My goal is to get to a (fairly) minimal example on how to bootstrap a new system using agenix for secret management.
