!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

350 Members, 103 Servers
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/



4 Dec 2024
LordKekz (@lordkekz:matrix.org)
In reply to @bjrnmrtns:matrix.org
You might be correct my ssh private key is in ~/.ssh, so that might not be available yet.
On what filesystem is your ssh key?
12:36:03
bjrnmrtns (@bjrnmrtns:matrix.org)
it is all in one partition in the root filesystem
12:37:22
bjrnmrtns (@bjrnmrtns:matrix.org)
so it should be accessible
12:37:43
LordKekz (@lordkekz:matrix.org)
Weird. Can you show me your `mount` output? Maybe there's some shenanigans going on anyway.
12:38:38
bjrnmrtns (@bjrnmrtns:matrix.org)
In reply to @lordkekz:matrix.org
Weird. Can you show me your `mount` output? Maybe there's some shenanigans going on anyway.
devtmpfs on /dev type devtmpfs (rw,nosuid,size=1576200k,nr_inodes=3938055,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=3,mode=620,ptmxmode=666)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,size=7880984k,mode=755)
ramfs on /run/keys type ramfs (rw,nosuid,nodev,relatime,mode=750)
tmpfs on /run/wrappers type tmpfs (rw,nodev,relatime,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
/dev/nvme0n1p2 on / type btrfs (rw,relatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=259,subvol=/rootfs)
/dev/nvme0n1p2 on /nix type btrfs (rw,noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/nix)
/dev/nvme0n1p2 on /nix/store type btrfs (ro,noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/nix)
none on /run/agenix.d type ramfs (rw,nosuid,nodev,relatime,mode=751)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=65,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=2765)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
/dev/nvme0n1p2 on /disk-vdb-root type btrfs (rw,relatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/)
/dev/nvme0n1p2 on /home type btrfs (rw,relatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/home)
/dev/nvme0n1p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=3152392k,nr_inodes=788098,mode=700,uid=1000,gid=100)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
12:39:12
bjrnmrtns (@bjrnmrtns:matrix.org)
oh so there is a separate boot partition
12:39:52
LordKekz (@lordkekz:matrix.org)
Yeah that's always there.
12:40:09
bjrnmrtns (@bjrnmrtns:matrix.org)
In reply to @lordkekz:matrix.org

In reply to @bjrnmrtns:matrix.org
You might be correct my ssh private key is in ~/.ssh, so that might not be available yet.

On what filesystem is your ssh key?

So this might give a better clue:

[bjorn@jennifer:~/projects/config]$ journalctl -b | grep agenix
Dec 04 13:27:17 jennifer stage-2-init: [agenix] creating new generation in /run/agenix.d/1
Dec 04 13:27:17 jennifer stage-2-init: [agenix] decrypting secrets...
Dec 04 13:27:17 jennifer stage-2-init: [agenix] WARNING: config.age.identityPaths entry /home/bjorn/.ssh/id_25519_jennifer_agenix not present!
Dec 04 13:27:17 jennifer stage-2-init: decrypting '/nix/store/n5f84dj2ywrb4rnflyj5q3mpdm4scksl-bjorn-password.age' to '/run/agenix.d/1/bjorn-password'...
Dec 04 13:27:17 jennifer stage-2-init: [agenix] WARNING: no readable identities found!
Dec 04 13:27:17 jennifer stage-2-init: chmod: cannot access '/run/agenix.d/1/bjorn-password.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: mv: cannot stat '/run/agenix.d/1/bjorn-password.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: decrypting '/nix/store/bbmvbg3cvw1bfkhfn2a97636bkyf4f88-wg-iphone-private.age' to '/run/agenix.d/1/wg-iphone-private'...
Dec 04 13:27:17 jennifer stage-2-init: [agenix] WARNING: no readable identities found!
Dec 04 13:27:17 jennifer stage-2-init: chmod: cannot access '/run/agenix.d/1/wg-iphone-private.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: mv: cannot stat '/run/agenix.d/1/wg-iphone-private.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: decrypting '/nix/store/qfirm84mal87ib77pw7v1a1kg436x0qj-wg-jennifer-private.age' to '/run/agenix.d/1/wg-jennifer-private'...
Dec 04 13:27:17 jennifer stage-2-init: [agenix] WARNING: no readable identities found!
Dec 04 13:27:17 jennifer stage-2-init: chmod: cannot access '/run/agenix.d/1/wg-jennifer-private.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: mv: cannot stat '/run/agenix.d/1/wg-jennifer-private.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: decrypting '/nix/store/y1ybkk5w0ys4zslr1z7k9ql3366qjrfq-wg-server-private.age' to '/run/agenix.d/1/wg-server-private'...
Dec 04 13:27:17 jennifer stage-2-init: [agenix] WARNING: no readable identities found!
Dec 04 13:27:17 jennifer stage-2-init: chmod: cannot access '/run/agenix.d/1/wg-server-private.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: mv: cannot stat '/run/agenix.d/1/wg-server-private.tmp': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: [agenix] symlinking new secrets to /run/agenix (generation 1)...
Dec 04 13:27:17 jennifer stage-2-init: Activation script snippet 'agenixInstall' failed (1)
Dec 04 13:27:17 jennifer stage-2-init: warning: password file ‘/run/agenix/bjorn-password’ does not exist
Dec 04 13:27:17 jennifer stage-2-init: [agenix] chowning...
Dec 04 13:27:17 jennifer stage-2-init: chown: cannot access '/run/agenix.d/1/bjorn-password': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: chown: cannot access '/run/agenix.d/1/wg-iphone-private': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: chown: cannot access '/run/agenix.d/1/wg-jennifer-private': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: chown: cannot access '/run/agenix.d/1/wg-server-private': No such file or directory
Dec 04 13:27:17 jennifer stage-2-init: Activation script snippet 'agenixChown' failed (1)
Dec 04 13:27:27 jennifer wg-quick-wg0-start[2188]: cat: /run/agenix/wg-jennifer-private: No such file or directory
12:41:48
bjrnmrtns (@bjrnmrtns:matrix.org)
so it is because of the private key
12:42:05
bjrnmrtns (@bjrnmrtns:matrix.org)
In reply to @bjrnmrtns:matrix.org
so it is because of the private key
Line 4 ;-)
12:42:54
LordKekz (@lordkekz:matrix.org)
Your /home is on a separate btrfs subvolume. I think it should be fine but maybe it gets mounted too late. Make sure to set `filesystems."/home".neededForBoot = true;` in your config, maybe that can help ensure it gets mounted early.
12:44:24
LordKekz (@lordkekz:matrix.org)
In reply to @bjrnmrtns:matrix.org
Line 4 ;-)
Just as suspected!
12:45:29
LordKekz (@lordkekz:matrix.org)
In reply to @lordkekz:matrix.org
Your /home is on a separate btrfs subvolume. I think it should be fine but maybe it gets mounted too late. Make sure to set filesystems."/home".neededForBoot = true; in your config, maybe that can help ensure it gets mounted early.
Beware typos tho, since I'm on my phone and just doing it from memory
12:47:02
bjrnmrtns (@bjrnmrtns:matrix.org)
In reply to @lordkekz:matrix.org

In reply to @lordkekz:matrix.org
Your /home is on a separate btrfs subvolume. I think it should be fine but maybe it gets mounted too late. Make sure to set filesystems."/home".neededForBoot = true; in your config, maybe that can help ensure it gets mounted early.

Beware typos tho, since I'm on my phone and just doing it from memory

That makes a lot of sense. I'm going to try it and report back. Thanks a lot so far!
12:48:34
bjrnmrtns (@bjrnmrtns:matrix.org)
In reply to @lordkekz:matrix.org

In reply to @lordkekz:matrix.org
Your /home is on a separate btrfs subvolume. I think it should be fine but maybe it gets mounted too late. Make sure to set filesystems."/home".neededForBoot = true; in your config, maybe that can help ensure it gets mounted early.

Beware typos tho, since I'm on my phone and just doing it from memory

fileSystems."/home".neededForBoot = true; did the trick.
Thanks a lot for the help with debugging. I was fighting this problem already a few times, but couldn't find the issue.
12:57:05
LordKekz (@lordkekz:matrix.org)
Nice! I'm glad I could help :)
12:59:27
OrfeasZ (@orfeasz:matrix.org) joined the room.
17:36:44
OrfeasZ (@orfeasz:matrix.org)
Hello, I'm having an issue with agenix and was wondering if anybody has any solutions: I have an OCI container that uses an environment file that's decrypted by agenix. However, agenix seems to always use the same path for that file (/run/agenix/whatever.env) even when its contents change. This makes it so when I update the env file and rebuild my system, the container doesn't get recreated since the path hasn't changed.
17:42:54
OrfeasZ (@orfeasz:matrix.org)

Alright, looks like I was able to work around this by making agenix use a hash of the encrypted file as the file name:

age.secrets."my-secret" = {
  file = ./my-secret.age;
  name = builtins.hashFile "sha256" ./my-secret.age;
};
19:30:57
OrfeasZ (@orfeasz:matrix.org)
not ideal, but seems to do the job for now!
19:31:09
LordKekz (@lordkekz:matrix.org)
Yeah.. but why do you need the container to rebuild? If it's just to make it restart on system activation, it should be possible to reload the systemd unit on activation somehow. Not sure which option you need tho.
19:37:15
OrfeasZ (@orfeasz:matrix.org)
Restarting the container doesn't make it pick up new environment variables. It needs to be re-created.
19:40:13
LordKekz (@lordkekz:matrix.org)
Ah, I see. Then the hash thing is probably as good as it gets
19:43:51
OrfeasZ (@orfeasz:matrix.org)
Yeah should be fine for now
19:44:23
OrfeasZ (@orfeasz:matrix.org)
Only "real issue" is that it's based on the hash of the encrypted contents and not the plain text contents, which means that the same source file re-encrypted without any changes will cause a re-creation.
19:45:27
OrfeasZ (@orfeasz:matrix.org)
But making it based on the plain text content also reveals that they haven't changed, which is also not great.
19:45:52
