18 Dec 2022 |
ryantm | Double check the decrypted files are in /run/agenix/... | 21:48:52 |
dasj19 | yes, both files appear there:
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix
2990 0 lrwxrwxrwx 1 root root 16 Dec 18 22:48 /run/agenix -> /run/agenix.d/11
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix/
total 8.0K
52111 0 drwxr-x--x 2 root keys 0 Dec 18 22:48 .
15392 0 drwxr-x--x 3 root keys 0 Dec 18 22:48 ..
64750 4.0K -r-------- 1 root root 20 Dec 18 22:48 daniel-fullname
52115 4.0K -r-------- 1 root root 107 Dec 18 22:48 daniel-password
| 21:50:00 |
dasj19 | (I just ran a nixos-rebuild switch without owning the files to user daniel) | 21:50:46 |
ryantm | Hmmm. The only thing left I can think of is the format of your password file is wrong. | 21:51:37 |
dasj19 | I noticed that the editor adds a new EOL at the end by default, I also tried removing it and made no difference | 21:52:49 |
dasj19 | I tried method 2 from here: https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow | 21:53:14 |
dasj19 | as the password format | 21:53:25 |
dasj19 | then I encrypted "123456" as a test password, tried to switch user with "su daniel" and typed "123456" as the password, and it fails to authenticate | 21:56:44 |
dasj19 | I can share the resulting hash if needed | 21:58:16 |
ryantm | Method 2 looks good to me. It looks like what is in my agenix passwordFile. I also do not have the newline at the end. | 21:58:31 |
ryantm | Sure share the hash just in case | 21:59:36 |
ryantm | $6$PPqQ5oQv7DeX2yCT$Hqq1Qu7FxvPK07k.ntrclLFJTRj159zZoITgrA1P7mdzrVhtdp7zmLxVE2BY3Hz1OghPH7JaeGVMO//acIV3k1 | 22:00:00 |
ryantm | Also double check the contents at /run/agenix look good | 22:00:38 |
dasj19 | ok, to avoid a newline I have to prepend EDITOR="/run/current-system/sw/bin/nano -L " to the agenix command, or is there a better way? | 22:01:25 |
dasj19 | now I encounter the following:
[root@xps13:/etc/nixos/secrets]# EDITOR="/run/current-system/sw/bin/nano -L " agenix -e daniel-password.age
Error: No matching keys found
[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report | 22:03:12 |
ryantm | What's in your secrets.nix file? | 22:04:11 |
dasj19 | let
  daniel = "ssh-rsa <redacted1>";
  root = "ssh-rsa <redacted2>";
  users = [ daniel root ];
  xps13 = "ssh-ed25519 <redacted3>";
  systems = [ xps13 ];
in
{
  "daniel-fullname.age".publicKeys = [ daniel xps13 ];
  "daniel-password.age".publicKeys = [ daniel xps13 ];
} | 22:05:25 |
ryantm | That looks good! Strange that you can't decrypt your own secret to edit it. Does daniel's key match your user public ssh key? | 22:06:22 |
dasj19 | it is taken from /home/daniel/.ssh/id_rsa.pub | 22:07:38 |
dasj19 | and I checked and they match | 22:07:47 |
ryantm | You can also look at the top of the encrypted file in a text editor and see if it has the same public key. | 22:08:28 |
dasj19 | ok, i'll try that | 22:08:54 |
ryantm | oh, perhaps it is in some weird format that is hard to compare though. | 22:09:18 |
ryantm | You can also pass -i to agenix to specify which key to try to decrypt with. | 22:10:02 |
dasj19 | this works (at least it gets me into nano with the secret editable): "agenix -i /home/daniel/.ssh/id_rsa -e daniel-password.age" | 22:11:38 |
ryantm | Maybe your key is not at $HOME/.ssh/id_rsa | 22:14:09 |
ryantm | Oh, you just said the path sorry. | 22:14:55 |
dasj19 | can you hash 123456 for me to try? | 22:15:17 |
ryantm | It will be different every time: | 22:15:53 |
ryantm | [ryantm@laptop3:~/p/nixfiles/secrets]$ mkpasswd --method=SHA-512 --stdin
Password: 123456
$6$HgyUnbDcnnfRn4Ox$Ttzd6kxqrt2ZoutO.kfEXWzc4zCDCXYwHKN5X4NyB/scHOrWKoYbHQhuxtjI1tq8BRHn5Avxcgim5FHoNv90R1
[ryantm@laptop3:~/p/nixfiles/secrets]$ mkpasswd --method=SHA-512 --stdin
Password: 123456
$6$ozbzwc1zWLDAaUQz$8zbOKHCGzQsJPZDkmm74hvH0lIupK3u0gAum2jp/JVmiKhF6RgWtVHyojBg2C7JbsZjxqolLFWtxR/aFEuqNP.
| 22:15:59 |