11 Dec 2022 |
acire | Hi! First wanna say thanks for happy years using agenix ^^
I just upgraded a NixOS host to 22.11 and in so doing updated the agenix flake input from rev. 7e5e58 (committed May 16). The result is unexpected: secrets are properly decrypted to the secrets mount point (i.e., to /run/agenix.d/<agenix generation>/<name>), but they are not properly symlinked to the secrets directory (/run/agenix) or to a custom path when specified. Instead, only a single symlink to the generation directory containing all the decrypted secrets (/run/agenix.d/<agenix generation>) is created in the secrets directory.
For example, with the following configuration (unchanged for several NixOS releases):
age.secrets."passwordFile".file = ./. + "/../../secrets/passwordFile.age";
users.users.me = {
  isNormalUser = true;
  passwordFile = config.age.secrets.passwordFile.path;
};
a rebuild generates the following output:
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
decrypting '/nix/store/<hash redacted>-passwordFile.age' to '/run/agenix.d/1/passwordFile'...
[agenix] symlinking new secrets to /run/agenix (generation 1)...
warning: password file ‘/run/agenix/passwordFile’ does not exist
[agenix] chowning...
and a listing of the resulting secrets directory is as follows:
$ ll /run/agenix
lrwxrwxrwx root root 1 -> /run/agenix.d/1
Since I haven't updated this host in a while, maybe there's a setting I missed? Thanks!
| 09:20:09 |
ryantm | acire: glad you've been happy with agenix up to this point! Do you have any code that is doing anything with activation scripts in your config? | 12:51:40 |
ryantm | Can you show the dir listing for the /run/agenix.d/1 folder too? | 12:54:47 |
ryantm | Are you doing anything in your config with config.age.secretsDir? | 12:56:45 |
acire | ryantm: thanks for your reply!
-
I have one activation script in the configuration that ensures some directories exist, but nothing related to secrets.
-
/run/agenix.d/1 contains the decrypted secrets. E.g.:
drwxr-x--x root keys .
drwxr-x--x root keys ..
-r-------- root root passwordFile
-
I'm using the default value of config.age.secretsDir.
| 13:42:36 |
acire | I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows:
age.secrets."userSecret" = {
  file = ./. + "/../../secrets/userSecret.age";
  path = "${config.age.secretsDir}/.user-secrets/userSecret";
  mode = "0600";
  owner = "1000";
  group = "100";
};
Here is the home-manager configuration for symlinking the agenix-decrypted secret:
# Paths are relative to user's home directory
home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];
Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of /run/agenix not as a directory but as a symlink itself to /run/agenix/<agenix generation>. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected.
In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?
| 15:57:46 |
acire |
By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected.
...except that now the secret with the custom path exists both in /run/agenix (because it's just a symlink to /run/agenix.d/1) as well as at the custom path. It isn't a problem but potentially misleading.
| 16:04:37 |
15 Dec 2022 |
kraem | hi, i can't seem to provision keys to a new system. getting this while switching to a new generation:
cp: cannot stat '/run/agenix/ssh_lb1_initrd_ed25519': No such file or directory
failed to create initrd secrets: No such file or directory
/run/agenix is empty as the generation hasn't been switched to, but it's needed to create the initrd secrets (if i understand correctly). is this a known issue? can't find it being discussed in the issues of the repo
| 21:54:47 |
kraem | sudo mkdir -p /run/agenix && sudo touch /run/agenix/ssh_lb1_initrd_ed25519 && switch_generation
# /run/agenix/1 and /run/agenix.d/1/ssh_lb1_initrd_ed25519 get created
# but /run/agenix/ssh_lb1_initrd_ed25519 is still my empty file and i get the same error if switching generation after deleting it
note that i have no idea what i'm doing at this point 🙃
| 22:06:52 |
kraem | ok i think i solved it by nix-collect-garbage -d && /run/current-system/bin/switch-to-configuration switch. it seems some old initrd secrets were the culprit? | 22:44:53 |
16 Dec 2022 |
ryantm | I haven't really thought much about early boot secrets. What is this secret for? | 05:25:31 |
kraem | that particular secret is an ssh key used in initrd | 07:38:40 |
kraem | it works sometimes after collecting garbage but still fails sometimes | 07:40:06 |
18 Dec 2022 |
dasj19 | Hi, I am a first-time user of agenix and I am trying to get NixOS to read a user password file encrypted by agenix. In the code below the system can read the value of "description" just fine, but the value of passwordFile is not applied to the user account. Any advice is greatly appreciated.
users.users.daniel = {
  isNormalUser = true;
  description = lib.strings.fileContents config.age.secrets.daniel-fullname.path;
  passwordFile = config.age.secrets.daniel-password.path; # Value created with mkpasswd.
  extraGroups = [ "networkmanager" "wheel" ];
};
| 20:45:30 |
ryantm | Do you have the .file config option for that secret also specified? | 21:38:43 |
ryantm | dasj19: ☝️ | 21:39:28 |