| 18 Dec 2022 |
 dasj19 | Yes, I tried with just the .file then I added owners and groups:
age.secrets.daniel-fullname = {
file = /etc/nixos/secrets/daniel-fullname.age;
owner = "daniel";
group = "users";
};
age.secrets.daniel-password = {
file = /etc/nixos/secrets/daniel-password.age;
owner = "daniel";
group = "users";
}; | 21:40:20 |
 ryantm | What you are doing with description is an antipattern because it leaks the secret into the nix store and has bootstrapping issues. | 21:42:08 |
| dasj19 | yes, i noticed but the goal there is just to hide it from a future git commit | 21:42:47 |
| ryantm | Okay. I guess it's fine for that. | 21:43:10 |
| dasj19 | the description part works, but just the passwordFile part does not | 21:43:44 |
| ryantm | Are you using flakes? | 21:43:44 |
| ryantm | And is your flake.nix in /etc? | 21:43:57 |
| dasj19 | no, just plain configuration.nix | 21:44:09 |
| ryantm | I don't think it matters but I think you can leave those secrets as owned by root since the user activation script runs as root. | 21:45:10 |
| ryantm | Do you see any warnings during activation? | 21:45:34 |
| dasj19 | okay, the secrets were owned by root to begin with, i changed them to see if it made a difference. no warnings during agenix generation change | 21:46:56 |
| ryantm | Double check the decrypted files are in /run/agenix/... | 21:48:52 |
| dasj19 | yes, both files appear there:
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix
2990 0 lrwxrwxrwx 1 root root 16 Dec 18 22:48 /run/agenix -> /run/agenix.d/11
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix/
total 8.0K
52111 0 drwxr-x--x 2 root keys 0 Dec 18 22:48 .
15392 0 drwxr-x--x 3 root keys 0 Dec 18 22:48 ..
64750 4.0K -r-------- 1 root root 20 Dec 18 22:48 daniel-fullname
52115 4.0K -r-------- 1 root root 107 Dec 18 22:48 daniel-password
| 21:50:00 |
| dasj19 | (i just ran a nixos-rebuid switch without owning the files to user daniel) | 21:50:46 |
| ryantm | Hmmm. The only thing left I can think of is the format of your password file is wrong. | 21:51:37 |
| dasj19 | I noticed that the editor adds a new EOL at the end by default, I also tried removing it and made no difference | 21:52:49 |
| dasj19 | I tried method 2 from here: https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow | 21:53:14 |
| dasj19 | as the password format | 21:53:25 |
| dasj19 | then I encrypted "123456" as a test password then tried to switch user with "su daniel" then typed "123456" as password and fails to authenticate | 21:56:44 |
| dasj19 | I can share the resulting hash if needed | 21:58:16 |
| ryantm | Method 2 looks good to me. It looks like what is in my in agenix passwordFile. I also do not have the newline at the end. | 21:58:31 |
| ryantm | Sure share the hash just in case | 21:59:36 |
| ryantm | $6$PPqQ5oQv7DeX2yCT$Hqq1Qu7FxvPK07k.ntrclLFJTRj159zZoITgrA1P7mdzrVhtdp7zmLxVE2BY3Hz1OghPH7JaeGVMO//acIV3k1 | 22:00:00 |
| ryantm | Also double check the contents at /run/agenix look good | 22:00:38 |
| dasj19 | ok, to avoid a newline I have to prepend EDITOR="/run/current-system/sw/bin/nano -L " to the agenix command, or is there a better way? | 22:01:25 |
| dasj19 | now i encounter the following:
[root@xps13:/etc/nixos/secrets]# EDITOR="/run/current-system/sw/bin/nano -L " agenix -e daniel-password.age
Error: No matching keys found
[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report | 22:03:12 |
| ryantm | What's in your secrets.nix file? | 22:04:11 |
| dasj19 | let
daniel = "ssh-rsa <redacted1>";
root = "ssh-rsa <redacted2>";
users = [ daniel root ];
xps13 = "ssh-ed25519 <redacted3>";
systems = [ xps13 ];
in
{
"daniel-fullname.age".publicKeys = [ daniel xps13 ];
"daniel-password.age".publicKeys = [ daniel xps13 ];
} | 22:05:25 |
| ryantm | That looks good! Strange that you can't decrypt your own secret to edit it. Does daniel's key match your user public ssh key? | 22:06:22 |
| dasj19 | it is taken from /home/daniel/.ssh/id_rsa.pub | 22:07:38 |
