18 Dec 2022 |
| dasj19 joined the room. | 20:40:20 |
dasj19 | Hi, I am a first-time user of agenix and I am trying to get NixOS to read a user password file encrypted by agenix. In the code below the system can read the value of "description" just fine, but the value of passwordFile is not applied to the user account. Any advice is greatly appreciated.
users.users.daniel = {
isNormalUser = true;
description = lib.strings.fileContents config.age.secrets.daniel-fullname.path;
passwordFile = config.age.secrets.daniel-password.path; # Value created with mkpasswd.
extraGroups = [ "networkmanager" "wheel" ];
};
| 20:45:30 |
ryantm | Do you have the .file config option for that secret also specified? | 21:38:43 |
ryantm | dasj19: ☝️ | 21:39:28 |
dasj19 | Yes, I tried with just the .file, then I added owners and groups:
age.secrets.daniel-fullname = {
file = /etc/nixos/secrets/daniel-fullname.age;
owner = "daniel";
group = "users";
};
age.secrets.daniel-password = {
file = /etc/nixos/secrets/daniel-password.age;
owner = "daniel";
group = "users";
}; | 21:40:20 |
ryantm | What you are doing with description is an antipattern because it leaks the secret into the nix store and has bootstrapping issues. | 21:42:08 |
dasj19 | Yes, I noticed, but the goal there is just to hide it from a future git commit | 21:42:47 |
ryantm | Okay. I guess it's fine for that. | 21:43:10 |
dasj19 | The description part works, but just the passwordFile part does not | 21:43:44 |
ryantm | Are you using flakes? | 21:43:44 |
ryantm | And is your flake.nix in /etc? | 21:43:57 |
dasj19 | No, just a plain configuration.nix | 21:44:09 |
ryantm | I don't think it matters but I think you can leave those secrets as owned by root since the user activation script runs as root. | 21:45:10 |
ryantm | Do you see any warnings during activation? | 21:45:34 |
dasj19 | Okay, the secrets were owned by root to begin with; I changed them to see if it made a difference. No warnings during the agenix generation change | 21:46:56 |
ryantm | Double check the decrypted files are in /run/agenix/... | 21:48:52 |
dasj19 | Yes, both files appear there:
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix
2990 0 lrwxrwxrwx 1 root root 16 Dec 18 22:48 /run/agenix -> /run/agenix.d/11
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix/
total 8.0K
52111 0 drwxr-x--x 2 root keys 0 Dec 18 22:48 .
15392 0 drwxr-x--x 3 root keys 0 Dec 18 22:48 ..
64750 4.0K -r-------- 1 root root 20 Dec 18 22:48 daniel-fullname
52115 4.0K -r-------- 1 root root 107 Dec 18 22:48 daniel-password
| 21:50:00 |
dasj19 | (I just ran a nixos-rebuild switch without owning the files to user daniel) | 21:50:46 |
ryantm | Hmmm. The only thing left I can think of is the format of your password file is wrong. | 21:51:37 |
dasj19 | I noticed that the editor adds a new EOL at the end by default, I also tried removing it and made no difference | 21:52:49 |
dasj19 | I tried method 2 from here: https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow | 21:53:14 |
dasj19 | as the password format | 21:53:25 |
dasj19 | Then I encrypted "123456" as a test password, tried to switch user with "su daniel", typed "123456" as the password, and it fails to authenticate | 21:56:44 |
dasj19 | I can share the resulting hash if needed | 21:58:16 |
ryantm | Method 2 looks good to me. It looks like what is in my agenix passwordFile. I also do not have the newline at the end. | 21:58:31 |
ryantm | Sure share the hash just in case | 21:59:36 |
ryantm | $6$PPqQ5oQv7DeX2yCT$Hqq1Qu7FxvPK07k.ntrclLFJTRj159zZoITgrA1P7mdzrVhtdp7zmLxVE2BY3Hz1OghPH7JaeGVMO//acIV3k1 | 22:00:00 |
ryantm | Also double check the contents at /run/agenix look good | 22:00:38 |
dasj19 | OK, to avoid a newline I have to prepend EDITOR="/run/current-system/sw/bin/nano -L " to the agenix command, or is there a better way? | 22:01:25 |
dasj19 | Now I encounter the following:
[root@xps13:/etc/nixos/secrets]# EDITOR="/run/current-system/sw/bin/nano -L " agenix -e daniel-password.age
Error: No matching keys found
[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report | 22:03:12 |