30 Nov 2024 |
ySomic | * Reading this GitHub issue, I suspect my reasoning about how the home-manager integration works is flawed?
Are there some resources I could learn from? This does not seem to work: the file is not present when my activation script runs, nor does agenix ask for my passphrase before switching.
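{
  self,
  config,
  lib,
  pkgs,
  ...
}: let
  # Encrypted secrets live in the flake repository; the only plaintext copy is
  # the agenix-managed `path` of each secret, which the import step shreds.
  secretsDir = "${self}/data/secrets";
  commonPub = "${secretsDir}/common/pub.gpg";

  # Build the home-manager activation fragment that imports every decrypted
  # key named in `keys` (agenix secret names) into the user's keyring and then
  # shreds the plaintext. `run` is home-manager's activation helper that
  # honours --dry-run.
  mkGpgImportsWithFunc = keys: let
    importStatements =
      lib.concatMapStrings (key: ''
        echo "Attempting to import key: ${key}"
        import_gpg_key "${config.age.secrets.${key}.path}"
      '')
      keys;
  in ''
    import_gpg_key() {
      local key_path="$1"
      # Keep the failure flag local and initialised: an unset/global `failed`
      # made the old `[ "$failed" = "1" ] && return 1` return non-zero even on
      # success, which aborts activation if the script runs under `set -e`.
      local failed=0
      if [ -f "$key_path" ]; then
        local gpg_output
        gpg_output=$(run ${pkgs.gnupg}/bin/gpg --import "$key_path" 2>&1)
        local gpg_exit_code=$?
        # gpg reports unchanged/duplicate keys in its output; surface them.
        if echo "$gpg_output" | grep -q "not changed"; then
          echo "Warning: Key $key_path already exists and wasn't modified"
        elif echo "$gpg_output" | grep -q "secret key already exists"; then
          echo "Warning: Secret key $key_path already exists"
        fi
        if [ "$gpg_exit_code" -ne 0 ]; then
          echo "Error: Failed to import GPG key: $key_path"
          echo "GPG output: $gpg_output"
          failed=1
        else
          echo "GPG imported: $key_path"
        fi
        # Remove the plaintext whether or not the import worked. shred only
        # overwrites in place; on journaling/CoW filesystems or tmpfs it adds
        # little beyond the unlink, so keep `path` on a volatile location.
        echo "Will shred GPG Key: $key_path"
        run ${pkgs.coreutils}/bin/shred -u "$key_path"
        return "$failed"
      else
        echo "Path not found: $key_path"
      fi
    }
    ${importStatements}
  '';

  # agenix secret names holding GPG private keys to import.
  gpgKeys = [
    "common/gpg"
  ];

  # Fail evaluation early when a name in gpgKeys has no age.secrets entry.
  assertions = [
    {
      assertion = lib.all (key: lib.hasAttr key config.age.secrets) gpgKeys;
      message = let
        # Find which keys are missing
        missingKeys = lib.filter (key: !(lib.hasAttr key config.age.secrets)) gpgKeys;
      in "The following GPG keys are in gpgKeys but not in age.secrets: ${toString missingKeys}";
    }
  ];
in {
  inherit assertions;

  age.secrets = {
    "common/gpg" = {
      file = "${secretsDir}/common/gpg.age";
      # Decrypted destination; shredded by the activation step once imported.
      path = "${config.home.homeDirectory}/secrets/gpg/common.gpg.temp";
    };
  };

  programs.gpg = {
    enable = true;
    publicKeys = [
      {
        source = commonPub;
        # "ultimate" marks this as the user's own key: signatures it makes are
        # treated as fully valid, so reserve it for keys you control.
        trust = "ultimate";
      }
    ];
  };

  services.gpg-agent = {
    enable = true;
    enableBashIntegration = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

  # NOTE(review): this only orders the import after home-manager's
  # writeBoundary; it does not wait for agenix's own secret installation, so
  # `path` may not exist yet when it runs -- confirm how the installed agenix
  # version populates secrets (activation step vs. user service).
  home.activation = {
    importPrivateGpgKeys =
      lib.hm.dag.entryAfter ["writeBoundary"]
      (mkGpgImportsWithFunc gpgKeys);
  };
}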
To me it looks like agenix doesn't even run at all.
I do have these in my output though
/nix/store/5qpmkj6682nzs2w4176c0fsvsfbqhddg-agenix-home-manager-mount-secrets.drv
/nix/store/kpzmmrm5jibxc0rb8f7fg1acky8bf3b2-agenix.service.drv
The service is dead because it's asking for the passphrase. I thought it would have worked like nixos-rebuild, where it asks you during build time.
ySomic | I've changed it to this
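{
  self,
  config,
  lib,
  pkgs,
  ...
}: let
  # Encrypted secrets live in the flake repository; the only plaintext copy is
  # the agenix-managed `path` of each secret, shredded by the cleanup service.
  secretsDir = "${self}/data/secrets";
  commonPub = "${secretsDir}/common/pub.gpg";
  # We create a trigger file on activation to make sure we only run once per activation
  # triggerFile = "${config.home.homeDirectory}/.local/state/gpg-import-needed";
  # Records which key set has already been imported so the oneshot below is
  # idempotent across logins.
  versionFile = "${config.home.homeDirectory}/.local/state/gpg-import-version";
  # We create a version using a manual version and a hash
  # The manual version forces to reimport on key changes with the same name
  # Note, private keys will still not be imported, that's how GPG import works.
  manualVersion = "1";
  gpgKeys = ["common/gpg"];
  # Hashes the list of secret *names*, not the key material: a changed key
  # under the same name is only picked up when manualVersion is bumped.
  gpgKeysHash = builtins.hashString "sha256" (builtins.toString gpgKeys);
  combinedVersion = "${manualVersion}-${gpgKeysHash}";

  # Cleanup script, run from ExecStopPost so it executes whether the import
  # succeeded or failed, without trapping exits in the import script itself.
  # shred only overwrites in place; on journaling/CoW filesystems or tmpfs it
  # adds little beyond the unlink, so keep `path` on a volatile location.
  cleanupScriptFunc = keys:
    lib.concatMapStrings (key: ''
      if [ -f "${config.age.secrets."${key}".path}" ]; then
        echo "Will shred GPG Key: ${config.age.secrets."${key}".path}"
        ${pkgs.coreutils}/bin/shred -u "${config.age.secrets."${key}".path}"
      else
        echo "Key not found: ${config.age.secrets."${key}".path}"
      fi
    '')
    keys;
  cleanupScript = pkgs.writeShellScriptBin "cleanup-gpg-keys" ''
    ${cleanupScriptFunc gpgKeys}
  '';

  # Trigger paths for ConditionPathExists, each prefixed with '|' so the
  # condition passes when ANY of the decrypted key files is present.
  # More info: https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Conditions%20and%20Asserts
  triggerPaths = keys:
    map (key: "|${config.age.secrets.${key}.path}") keys;

  # One import call per key. A failure is recorded in `failed` rather than
  # aborting, so the remaining keys are still attempted and the caller can
  # refuse to write the version file.
  mkGpgImportsWithFunc = keys:
    lib.concatMapStrings (key: ''
      echo "Attempting to import key: ${key}"
      import_gpg_key "${config.age.secrets.${key}.path}" || failed=1
    '')
    keys;

  importScript = pkgs.writeShellScriptBin "import-gpg-keys" ''
    # First check version
    if [ -f "${versionFile}" ]; then
      current_version=$(cat "${versionFile}")
      if [ "$current_version" = "${combinedVersion}" ]; then
        echo "GPG keys already imported at version ${manualVersion} with current keys"
        exit 0
      else
        echo "Version mismatch:"
        echo "Current: $current_version"
        echo "New: ${combinedVersion}"
      fi
    else
      echo "No version file found, will import keys"
    fi

    # Import function. This runs as a standalone systemd service, so the
    # home-manager activation helper `run` is not defined here -- calling it
    # produced "command not found" (exit 127) and every import failed.
    import_gpg_key() {
      local key_path="$1"
      if [ -f "$key_path" ]; then
        local gpg_output
        gpg_output=$(${pkgs.gnupg}/bin/gpg --import "$key_path" 2>&1)
        local gpg_exit_code=$?
        # gpg reports unchanged/duplicate keys in its output; surface them.
        if echo "$gpg_output" | grep -q "not changed"; then
          echo "Warning: Key $key_path already exists and wasn't modified"
        elif echo "$gpg_output" | grep -q "secret key already exists"; then
          echo "Warning: Secret key $key_path already exists"
        fi
        if [ "$gpg_exit_code" -ne 0 ]; then
          echo "Error: Failed to import GPG key: $key_path"
          echo "GPG output: $gpg_output"
          return 1
        else
          echo "GPG imported: $key_path"
        fi
      else
        echo "Path not found: $key_path"
        return 1
      fi
    }

    failed=0
    # Import statements for each key
    ${mkGpgImportsWithFunc gpgKeys}

    # Only record the version when every key imported; otherwise exit non-zero
    # so the next start retries instead of being skipped by the version check.
    if [ "$failed" -ne 0 ]; then
      echo "One or more GPG keys failed to import; not updating version file"
      exit 1
    fi

    # Create new version
    mkdir -p "$(dirname "${versionFile}")"
    echo "${combinedVersion}" > "${versionFile}"
    echo "Updated version to ${combinedVersion}"
  '';

  # Fail evaluation early when a name in gpgKeys has no age.secrets entry.
  assertions = [
    {
      assertion = lib.all (key: lib.hasAttr key config.age.secrets) gpgKeys;
      message = let
        # Find which keys are missing
        missingKeys = lib.filter (key: !(lib.hasAttr key config.age.secrets)) gpgKeys;
      in "The following GPG keys are in gpgKeys but not in age.secrets: ${toString missingKeys}";
    }
  ];
in {
  inherit assertions;

  age.secrets = {
    "common/gpg" = {
      file = "${secretsDir}/common/gpg.age";
      # Decrypted destination; shredded by cleanup-gpg-keys.
      path = "${config.home.homeDirectory}/secrets/gpg/common.gpg.temp";
    };
  };

  programs.gpg = {
    enable = true;
    publicKeys = [
      {
        source = commonPub;
        # "ultimate" marks this as the user's own key: signatures it makes are
        # treated as fully valid, so reserve it for keys you control.
        trust = "ultimate";
      }
    ];
  };

  services.gpg-agent = {
    enable = true;
    enableBashIntegration = true;
    pinentryPackage = pkgs.pinentry-curses;
  };

  # Systemd services
  systemd.user.services = {
    # Main import service
    import-gpg-keys = {
      Unit = {
        Description = "Import GPG keys (v${manualVersion})";
        # After= only orders relative to agenix.service when both are queued
        # in the same transaction; it does not pull it in.
        After = ["agenix.service"];
        # The unit is silently skipped when none of the decrypted files exist,
        # i.e. when agenix has not (yet) installed the secrets.
        ConditionPathExists = triggerPaths gpgKeys;
      };
      Install = {
        WantedBy = ["default.target"];
      };
      Service = {
        Type = "oneshot";
        # NOTE(review): with RemainAfterExit the unit stays "active (exited)"
        # after ExecStart returns, so ExecStopPost -- and with it the shred of
        # the decrypted key -- does not run until the unit is stopped (e.g. at
        # session end). If the plaintext must go away right after import, drop
        # RemainAfterExit or shred inside the import script; confirm against
        # systemd.service(5) before changing.
        RemainAfterExit = true;
        ExecStart = "${importScript}/bin/import-gpg-keys";
        ExecStopPost = "${cleanupScript}/bin/cleanup-gpg-keys";
        # # Isolate the service's /tmp directory
        # PrivateTmp = true;
        # # Prevent privilege escalation
        # NoNewPrivileges = true;
        # # Make the root filesystem read-only except /var, /run, etc
        # ProtectSystem = "strict";
        # # Allow writing to home for the version file
        # # ProtectHome = "read-write";
        # # Restrict network access since we don't need it
        # RestrictAddressFamilies = "AF_UNIX";
        # # Prevent memory exploits
        # MemoryDenyWriteExecute = true;
      };
    };
  };
}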
I'm just wondering: is there still a way to use agenix for home with an SSH key that has a passphrase?
4 Dec 2024 |
bjrnmrtns | I have been a bit lost for a while using agenix with wg-quick (WireGuard). While it works when I rebuild my system, it fails on boot. While booting, the encrypted age key is not present. After booting I need to rebuild the system to make sure my key is in the /run/agenix.d/ folder. I assume I'm making some obvious mistake, but my nix skills are not there yet to spot it :-).
# agenix secret for the WireGuard private key; the decrypted file is owned by
# user "bjorn" and reached via config.age.secrets.<name>.path.
age.secrets.wg-server-private = {
  file = secrets/wg-server-private.age;
  owner = "bjorn";
};
# Identity agenix decrypts with. NOTE(review): a key under /home is only
# usable if that filesystem is mounted by the time agenix runs during boot --
# confirm, or point this at a path that is available in early boot.
age.identityPaths = [ "/home/bjorn/.ssh/id_25519_jennifer_agenix" ];
networking.wg-quick.interfaces = {
wg0 = {
address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
# client private key
privateKeyFile = config.age.secrets.wg-jennifer-private.path;
The error I get on startup is the following:
Nov 12 18:58:38 jennifer systemd[1]: Starting wg-quick WireGuard Tunnel - wg0...
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: Warning: `/nix/store/l0s69wazn7c1s91pkfqmynpm9x1fvq0s-config-wg0/wg0.conf' is world accessible
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link add wg0 type wireguard
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg setconf wg0 /dev/fd/63
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 address add 10.0.0.2/24 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 address add fdc9:281f:04d7:9ee9::2/64 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link set mtu 1420 up dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162481]: [#] resolvconf -a wg0 -m 0 -x
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg set wg0 fwmark 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 route add ::/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162592]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162612]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] /nix/store/p0l2c0h0j0sd0x5kx069jq88hpwrsb98-postUp.sh/bin/postUp.sh
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162619]: cat: 'aKBA0vfKjkKIiRjhF8W0GEvM0afdYp6jZsLSI981L1Y=': No such file or directory
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162620]: Invalid length key in key file
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] resolvconf -d wg0 -f
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162685]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162704]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link delete dev wg0
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Main process exited, code=exited, status=1/FAILURE
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Failed with result 'exit-code'.
Nov 12 18:58:38 jennifer systemd[1]: Failed to start wg-quick WireGuard Tunnel - wg0.
bjrnmrtns | * I have been a bit lost for a while using agenix with wg-quick (WireGuard). While it works when I rebuild my system, it fails on boot. While booting, the encrypted age key is not present. After booting I need to rebuild the system to make sure my key is in the /run/agenix.d/ folder. I assume I'm making some obvious mistake, but my nix skills are not there yet to spot it :-).
# agenix secret for the WireGuard private key; the decrypted file is owned by
# user "bjorn" and reached via config.age.secrets.<name>.path.
age.secrets.wg-server-private = {
  file = secrets/wg-server-private.age;
  owner = "bjorn";
};
# Identity agenix decrypts with. NOTE(review): a key under /home is only
# usable if that filesystem is mounted by the time agenix runs during boot --
# confirm, or point this at a path that is available in early boot.
age.identityPaths = [ "/home/bjorn/.ssh/id_25519_jennifer_agenix" ];
networking.wg-quick.interfaces = {
wg0 = {
address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
# client private key
privateKeyFile = config.age.secrets.wg-jennifer-private.path;
The error I get on startup is the following:
Nov 12 18:58:38 jennifer systemd[1]: Starting wg-quick WireGuard Tunnel - wg0...
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: Warning: `/nix/store/l0s69wazn7c1s91pkfqmynpm9x1fvq0s-config-wg0/wg0.conf' is world accessible
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link add wg0 type wireguard
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg setconf wg0 /dev/fd/63
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 address add 10.0.0.2/24 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 address add fdc9:281f:04d7:9ee9::2/64 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link set mtu 1420 up dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162481]: [#] resolvconf -a wg0 -m 0 -x
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg set wg0 fwmark 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 route add ::/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162592]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162612]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] /nix/store/p0l2c0h0j0sd0x5kx069jq88hpwrsb98-postUp.sh/bin/postUp.sh
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162619]: cat: 'aKBA0vfKjkKIiRjhF8W0GEvM0afdYp6jZsLSI981L1Y=': No such file or directory
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162620]: Invalid length key in key file
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] resolvconf -d wg0 -f
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162685]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162704]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link delete dev wg0
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Main process exited, code=exited, status=1/FAILURE
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Failed with result 'exit-code'.
Nov 12 18:58:38 jennifer systemd[1]: Failed to start wg-quick WireGuard Tunnel - wg0.
bjrnmrtns | * I have been a bit lost for a while using agenix with wg-quick (WireGuard). While it works when I rebuild my system, it fails on boot. While booting, the encrypted age key is not present. After booting I need to rebuild the system to make sure my key is in the /run/agenix.d/ folder. I assume I'm making some obvious mistake, but my nix skills are not there yet to spot it :-).
# agenix secret for the WireGuard private key; the decrypted file is owned by
# user "bjorn" and reached via config.age.secrets.<name>.path.
age.secrets.wg-server-private = {
  file = secrets/wg-server-private.age;
  owner = "bjorn";
};
# Identity agenix decrypts with. NOTE(review): a key under /home is only
# usable if that filesystem is mounted by the time agenix runs during boot --
# confirm, or point this at a path that is available in early boot.
age.identityPaths = [ "/home/bjorn/.ssh/id_25519_jennifer_agenix" ];
networking.wg-quick.interfaces = {
wg0 = {
address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
# client private key
privateKeyFile = config.age.secrets.wg-jennifer-private.path;
The error I get on startup is the following:
Nov 12 18:58:38 jennifer systemd[1]: Starting wg-quick WireGuard Tunnel - wg0...
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: Warning: `/nix/store/l0s69wazn7c1s91pkfqmynpm9x1fvq0s-config-wg0/wg0.conf' is world accessible
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link add wg0 type wireguard
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg setconf wg0 /dev/fd/63
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 address add 10.0.0.2/24 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 address add fdc9:281f:04d7:9ee9::2/64 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link set mtu 1420 up dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162481]: [#] resolvconf -a wg0 -m 0 -x
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg set wg0 fwmark 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 route add ::/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162592]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162612]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] /nix/store/p0l2c0h0j0sd0x5kx069jq88hpwrsb98-postUp.sh/bin/postUp.sh
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162619]: cat: 'aKBA0vfKjkKIiRjhF8W0GEvM0afdYp6jZsLSI981L1Y=': No such file or directory
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162620]: Invalid length key in key file
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] resolvconf -d wg0 -f
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162685]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162704]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link delete dev wg0
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Main process exited, code=exited, status=1/FAILURE
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Failed with result 'exit-code'.
Nov 12 18:58:38 jennifer systemd[1]: Failed to start wg-quick WireGuard Tunnel - wg0.
bjrnmrtns | * I have been a bit lost for a while using agenix with wg-quick (WireGuard). While it works when I rebuild my system, it fails on boot. While booting, the encrypted age key is not present. After booting I need to rebuild the system to make sure my key is in the /run/agenix.d/ folder. I assume I'm making some obvious mistake, but my nix skills are not there yet to spot it :-).
# agenix secret for the WireGuard private key; the decrypted file is owned by
# user "bjorn" and reached via config.age.secrets.<name>.path.
age.secrets.wg-server-private = {
  file = secrets/wg-server-private.age;
  owner = "bjorn";
};
# Identity agenix decrypts with. NOTE(review): a key under /home is only
# usable if that filesystem is mounted by the time agenix runs during boot --
# confirm, or point this at a path that is available in early boot.
age.identityPaths = [ "/home/bjorn/.ssh/id_25519_jennifer_agenix" ];
networking.wg-quick.interfaces = {
wg0 = {
address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
# client private key
privateKeyFile = config.age.secrets.wg-jennifer-private.path;
The key I'm talking about is config.age.secrets.wg-jennifer-private The error I get on startup is the following:
Nov 12 18:58:38 jennifer systemd[1]: Starting wg-quick WireGuard Tunnel - wg0...
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: Warning: `/nix/store/l0s69wazn7c1s91pkfqmynpm9x1fvq0s-config-wg0/wg0.conf' is world accessible
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link add wg0 type wireguard
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg setconf wg0 /dev/fd/63
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 address add 10.0.0.2/24 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 address add fdc9:281f:04d7:9ee9::2/64 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link set mtu 1420 up dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162481]: [#] resolvconf -a wg0 -m 0 -x
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg set wg0 fwmark 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 route add ::/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162592]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162612]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] /nix/store/p0l2c0h0j0sd0x5kx069jq88hpwrsb98-postUp.sh/bin/postUp.sh
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162619]: cat: 'aKBA0vfKjkKIiRjhF8W0GEvM0afdYp6jZsLSI981L1Y=': No such file or directory
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162620]: Invalid length key in key file
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] resolvconf -d wg0 -f
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162685]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162704]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link delete dev wg0
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Main process exited, code=exited, status=1/FAILURE
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Failed with result 'exit-code'.
Nov 12 18:58:38 jennifer systemd[1]: Failed to start wg-quick WireGuard Tunnel - wg0.
bjrnmrtns | * I have been a bit lost for a while using agenix with wg-quick (WireGuard). While it works when I rebuild my system, it fails on boot. While booting, the encrypted age key is not present. After booting I need to rebuild the system to make sure my key is in the /run/agenix.d/ folder. I assume I'm making some obvious mistake, but my nix skills are not there yet to spot it :-).
# agenix secret for the WireGuard private key; the decrypted file is owned by
# user "bjorn" and reached via config.age.secrets.<name>.path.
age.secrets.wg-server-private = {
  file = secrets/wg-server-private.age;
  owner = "bjorn";
};
# Identity agenix decrypts with. NOTE(review): a key under /home is only
# usable if that filesystem is mounted by the time agenix runs during boot --
# confirm, or point this at a path that is available in early boot.
age.identityPaths = [ "/home/bjorn/.ssh/id_25519_jennifer_agenix" ];
networking.wg-quick.interfaces = {
wg0 = {
address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
dns = [
"10.0.0.1"
"fdc9:281f:04d7:9ee9::1"
];
# client private key
privateKeyFile = config.age.secrets.wg-jennifer-private.path;
The key I'm talking about is config.age.secrets.wg-jennifer-private The error I get on startup is the following:
Nov 12 18:58:38 jennifer systemd[1]: Starting wg-quick WireGuard Tunnel - wg0...
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: Warning: `/nix/store/l0s69wazn7c1s91pkfqmynpm9x1fvq0s-config-wg0/wg0.conf' is world accessible
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link add wg0 type wireguard
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg setconf wg0 /dev/fd/63
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 address add 10.0.0.2/24 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 address add fdc9:281f:04d7:9ee9::2/64 dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link set mtu 1420 up dev wg0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162481]: [#] resolvconf -a wg0 -m 0 -x
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] wg set wg0 fwmark 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 route add ::/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162592]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add not fwmark 51820 table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule add table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162612]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] /nix/store/p0l2c0h0j0sd0x5kx069jq88hpwrsb98-postUp.sh/bin/postUp.sh
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162619]: cat: 'aKBA0vfKjkKIiRjhF8W0GEvM0afdYp6jZsLSI981L1Y=': No such file or directory
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162620]: Invalid length key in key file
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] resolvconf -d wg0 -f
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162685]: [#] iptables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162704]: [#] ip6tables-restore -n
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -4 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table 51820
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip -6 rule delete table main suppress_prefixlength 0
Nov 12 18:58:38 jennifer wg-quick-wg0-start[162446]: [#] ip link delete dev wg0
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Main process exited, code=exited, status=1/FAILURE
Nov 12 18:58:38 jennifer systemd[1]: wg-quick-wg0.service: Failed with result 'exit-code'.
Nov 12 18:58:38 jennifer systemd[1]: Failed to start wg-quick WireGuard Tunnel - wg0.
Is somebody able to help me? Somewhere I read an issue where somebody was missing the dependency on the file being created. I thought my configuration made sure this dependency exists.
LordKekz | Are you maybe using a master identity that isn't yet available (e.g. mounted or linked) in the boot stage when agenix first runs?
I also had decryption problems when I tried using a SSH private key from my home folder which only gets mounted after boot by an impermanence systemd unit.
I was able to resolve my issue by pointing agenix to the persistent directory which was already available in early boot. | 12:30:34 |
bjrnmrtns | In reply to @lordkekz:matrix.org Are you maybe using a master identity that isn't yet available (e.g. mounted or linked) in the boot stage when agenix first runs?
I also had decryption problems when I tried using a SSH private key from my home folder which only gets mounted after boot by an impermanence systemd unit. I was able to resolve my issue by pointing agenix to the persistent directory which was already available in early boot. You might be correct: my SSH private key is in ~/.ssh, so that might not be available yet. | 12:32:33 |