18 Dec 2022 |
ryantm | What's in your secrets.nix file? | 22:04:11 |
dasj19 | let
  # user keys: allowed to decrypt the secrets for editing
  daniel = "ssh-rsa <redacted1>";
  root = "ssh-rsa <redacted2>";
  users = [ daniel root ];
  # host key: the machine decrypts the secrets at activation
  xps13 = "ssh-ed25519 <redacted3>";
  systems = [ xps13 ];
in
{
  "daniel-fullname.age".publicKeys = [ daniel xps13 ];
  "daniel-password.age".publicKeys = [ daniel xps13 ];
} | 22:05:25 |
ryantm | That looks good! Strange that you can't decrypt your own secret to edit it. Does daniel's key match your user public ssh key? | 22:06:22 |
dasj19 | it is taken from /home/daniel/.ssh/id_rsa.pub | 22:07:38 |
dasj19 | and I checked and they match | 22:07:47 |
ryantm | You can also look at the top of the encrypted file in a text editor and see if it has the same public key. | 22:08:28 |
dasj19 | OK, I'll try that | 22:08:54 |
ryantm | oh, perhaps it is in some weird format that is hard to compare though. | 22:09:18 |
ryantm | You can also pass -i to agenix to specify which key to try to decrypt with. | 22:10:02 |
dasj19 | this works (at least gets me in nano with the secret editable) "agenix -i /home/daniel/.ssh/id_rsa -e daniel-password.age" | 22:11:38 |
ryantm | Maybe your key is not at $HOME/.ssh/id_rsa | 22:14:09 |
ryantm | Oh, you just said the path sorry. | 22:14:55 |
dasj19 | can you hash 123456 for me to try? | 22:15:17 |
ryantm | It will be different every time: | 22:15:53 |
ryantm | [ryantm@laptop3:~/p/nixfiles/secrets]$ mkpasswd --method=SHA-512 --stdin
Password: 123456
$6$HgyUnbDcnnfRn4Ox$Ttzd6kxqrt2ZoutO.kfEXWzc4zCDCXYwHKN5X4NyB/scHOrWKoYbHQhuxtjI1tq8BRHn5Avxcgim5FHoNv90R1
[ryantm@laptop3:~/p/nixfiles/secrets]$ mkpasswd --method=SHA-512 --stdin
Password: 123456
$6$ozbzwc1zWLDAaUQz$8zbOKHCGzQsJPZDkmm74hvH0lIupK3u0gAum2jp/JVmiKhF6RgWtVHyojBg2C7JbsZjxqolLFWtxR/aFEuqNP. | 22:15:59 |
ryantm | It has a salt | 22:16:08 |
dasj19 | yes, I'll try the first one | 22:16:22 |
dasj19 | Weird, still does not work. Tried both with EOL and without EOL. | 22:18:58 |
ryantm | If the correct hash file is showing up in /run/agenix, then it seems like the problem lies elsewhere, like maybe the user setup activation script is not using that file for some reason, or some other configuration you have is changing the activation script order. | 22:20:22 |
ryantm | You can also look in /etc/shadow to see what the user's password hash is currently. | 22:20:41 |
dasj19 | [root@xps13:/etc/nixos/secrets]# cat /run/agenix/daniel-password
$6$HgyUnbDcnnfRn4Ox$Ttzd6kxqrt2ZoutO.kfEXWzc4zCDCXYwHKN5X4NyB/scHOrWKoYbHQhuxtjI1tq8BRHn5Avxcgim5FHoNv90R1 | 22:21:01 |
dasj19 | the hash is not in /etc/shadow | 22:21:36 |
ryantm | # trace every activation script that runs after "debug", including "users"
system.activationScripts.debug.text = "set -x";
system.activationScripts.users.deps = [ "debug" ]; | 22:23:45 |
ryantm | That should at least let you see the bash aspect of the users activation script. | 22:24:12 |
ryantm | There is also a Perl script involved. | 22:24:19 |
ryantm | Here's the Perl script https://github.com/NixOS/nixpkgs/blob/ba46d30d1f9a636f46fb7877008140984f5e7b75/nixos/modules/config/update-users-groups.pl | 22:25:46 |
dasj19 | hmm, there don't seem to be any warnings or errors | 22:28:16 |
dasj19 | but there is quite a lot of output | 22:28:27 |
ryantm | every activation script that follows the set -x gets its commands output :) | 22:29:31 |
dasj19 | do you want to take a look? I can post on pastebin or something | 22:30:38 |