!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

age-encrypted secrets for NixOS https://github.com/ryantm/agenix/



18 Dec 2022
[21:40:20] dasj19 (@dasj19:matrix.org): Yes, I tried with just the .file, then I added owners and groups:

    age.secrets.daniel-fullname = {
      file = /etc/nixos/secrets/daniel-fullname.age;
      owner = "daniel";
      group = "users";
    };
    age.secrets.daniel-password = {
      file = /etc/nixos/secrets/daniel-password.age;
      owner = "daniel";
      group = "users";
    };

[21:42:08] ryantm (@ryantm:matrix.org): What you are doing with description is an antipattern because it leaks the secret into the nix store and has bootstrapping issues.
[21:42:47] dasj19 (@dasj19:matrix.org): Yes, I noticed, but the goal there is just to hide it from a future git commit.
[21:43:10] ryantm (@ryantm:matrix.org): Okay. I guess it's fine for that.
[21:43:44] dasj19 (@dasj19:matrix.org): The description part works, but just the passwordFile part does not.
[21:43:44] ryantm (@ryantm:matrix.org): Are you using flakes?
[21:43:57] ryantm (@ryantm:matrix.org): And is your flake.nix in /etc?
[21:44:09] dasj19 (@dasj19:matrix.org): No, just plain configuration.nix.
[21:45:10] ryantm (@ryantm:matrix.org): I don't think it matters, but I think you can leave those secrets as owned by root since the user activation script runs as root.
[21:45:34] ryantm (@ryantm:matrix.org): Do you see any warnings during activation?
[21:46:56] dasj19 (@dasj19:matrix.org): Okay, the secrets were owned by root to begin with; I changed them to see if it made a difference. No warnings during the agenix generation change.
[21:48:52] ryantm (@ryantm:matrix.org): Double check the decrypted files are in /run/agenix/...
[21:50:00] dasj19 (@dasj19:matrix.org): Yes, both files appear there:

    [root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix
    2990 0 lrwxrwxrwx 1 root root 16 Dec 18 22:48 /run/agenix -> /run/agenix.d/11
    [root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix/
    total 8.0K
    52111 0 drwxr-x--x 2 root keys 0 Dec 18 22:48 .
    15392 0 drwxr-x--x 3 root keys 0 Dec 18 22:48 ..
    64750 4.0K -r-------- 1 root root 20 Dec 18 22:48 daniel-fullname
    52115 4.0K -r-------- 1 root root 107 Dec 18 22:48 daniel-password

[21:50:46] dasj19 (@dasj19:matrix.org): (I just ran a nixos-rebuild switch without owning the files to user daniel.)
[21:51:37] ryantm (@ryantm:matrix.org): Hmmm. The only thing left I can think of is the format of your password file is wrong.
[21:52:49] dasj19 (@dasj19:matrix.org): I noticed that the editor adds a new EOL at the end by default; I also tried removing it and it made no difference.
[21:53:14] dasj19 (@dasj19:matrix.org): I tried method 2 from here: https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow
[21:53:25] dasj19 (@dasj19:matrix.org): as the password format.
[21:56:44] dasj19 (@dasj19:matrix.org): Then I encrypted "123456" as a test password, then tried to switch user with "su daniel" and typed "123456" as the password, and it fails to authenticate.
[21:58:16] dasj19 (@dasj19:matrix.org): I can share the resulting hash if needed.
[21:58:31] ryantm (@ryantm:matrix.org): Method 2 looks good to me. It looks like what is in my agenix passwordFile. I also do not have the newline at the end.
[21:59:36] ryantm (@ryantm:matrix.org): Sure, share the hash just in case.
[22:00:00] ryantm (@ryantm:matrix.org): $6$PPqQ5oQv7DeX2yCT$Hqq1Qu7FxvPK07k.ntrclLFJTRj159zZoITgrA1P7mdzrVhtdp7zmLxVE2BY3Hz1OghPH7JaeGVMO//acIV3k1
[22:00:38] ryantm (@ryantm:matrix.org): Also double check the contents at /run/agenix look good.
[22:01:25] dasj19 (@dasj19:matrix.org): OK, to avoid a newline I have to prepend EDITOR="/run/current-system/sw/bin/nano -L " to the agenix command, or is there a better way?
[22:03:12] dasj19 (@dasj19:matrix.org): Now I encounter the following:

    [root@xps13:/etc/nixos/secrets]# EDITOR="/run/current-system/sw/bin/nano -L " agenix -e daniel-password.age
    Error: No matching keys found
    [ Did rage not do what you expected? Could an error be more useful? ]
    [ Tell us: https://str4d.xyz/rage/report

[22:04:11] ryantm (@ryantm:matrix.org): What's in your secrets.nix file?
[22:05:25] dasj19 (@dasj19:matrix.org):

    let
      daniel = "ssh-rsa <redacted1>";
      root = "ssh-rsa <redacted2>";
      users = [ daniel root ];
      xps13 = "ssh-ed25519 <redacted3>";
      systems = [ xps13 ];
    in
    {
      "daniel-fullname.age".publicKeys = [ daniel xps13 ];
      "daniel-password.age".publicKeys = [ daniel xps13 ];
    }

[22:06:22] ryantm (@ryantm:matrix.org): That looks good! Strange that you can't decrypt your own secret to edit it. Does daniel's key match your user public ssh key?
[22:07:38] dasj19 (@dasj19:matrix.org): It is taken from /home/daniel/.ssh/id_rsa.pub.


