| 13 May 2024 |
 simonwjackson | * Solved: I ran agenix --rekey`, but then synced them to the server in the wrong directory.
I'm getting this on a new machine:
activating the configuration...
[agenix] creating new generation in /run/agenix.d/3
[agenix] decrypting secrets...
decrypting '/nix/store/vavmhf0jfvflmy9v0rny4hxj7lvv2zl0-tailscale.age' to '/run/agenix.d/3/tailscale'...
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/3/tailscale.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/3/tailscale.tmp': No such file or directory
For context, i am able to use agenix -e file.age without any issue
| 16:55:28 |
| 14 May 2024 |
|  azahi joined the room. | 10:31:56 |
| 15 May 2024 |
|  jacekpoz changed their profile picture. | 14:48:46 |
| 14 May 2024 |
|  chrillefkrr joined the room. | 15:43:32 |
| 15 May 2024 |
| jacekpoz changed their profile picture. | 14:48:55 |
| 18 May 2024 |
|  tchab left the room. | 14:28:11 |
| 19 May 2024 |
|  @edrzmr:matrix.org left the room. | 17:28:27 |
| 20 May 2024 |
|  @daschw:matrix.org left the room. | 20:52:02 |
| 21 May 2024 |
 hexa | # ls -lah /run/agenix
total 4.0K
drwxr-xr-x 2 root root 80 May 21 11:38 .
drwxr-xr-x 27 root root 680 May 21 11:38 ..
lrwxrwxrwx 1 root root 15 May 21 11:38 1 -> /run/agenix.d/1
-rw------- 1 root root 399 May 21 11:38 initrd-ssh-hostkey
| 11:39:37 |
| hexa | localhost initrd-nixos-activation-start[546]: [agenix] creating new generation in /run/agenix.d/1
localhost initrd-nixos-activation-start[546]: [agenix] decrypting secrets...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/fdlckxz252c1h9w8sxk0jz95ij7kyz10-eris-acme-env.age' to '/run/agenix.d/1/acme-env'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/6l5hpmgjqiv9l4vm145axk321kpjwycq-eris-borg-password.age' to '/run/agenix.d/1/borg-password'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/q2xjgg7hj68man0ybhwa9y3lkbsy9n84-eris-borg-ssh-key.age' to '/run/agenix.d/1/borg-ssh-key'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/z82sgd160y9lapdnpnjy5zdljb0hqc6z-forgejo-mail-password.age' to '/run/agenix.d/1/forgejo-mail-password'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/5hl65ll8wi79a6yikc1ya2vn8pbd2fzp-forgejo-secrets-env.age' to '/run/agenix.d/1/forgejo-secrets-env'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/71ywwjyivfyyyqhv26npd83x5d6n3vgs-eris-initrd-ssh-hostkey.age' to '/run/agenix.d/1/initrd-ssh-hostkey'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/13qbli5mplldjspr2la07cxpc3h59mff-eris-wg-private-key.age' to '/run/agenix.d/1/wg-private-key'...
localhost initrd-nixos-activation-start[546]: [agenix] symlinking new secrets to /run/agenix (generation 1)...
localhost initrd-nixos-activation-start[546]: [agenix] chowning...
localhost initrd-nixos-activation-start[546]: [agenix] creating new generation in /run/agenix.d/1
localhost initrd-nixos-activation-start[546]: [agenix] decrypting secrets...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/fdlckxz252c1h9w8sxk0jz95ij7kyz10-eris-acme-env.age' to '/run/agenix.d/1/acme-env'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/6l5hpmgjqiv9l4vm145axk321kpjwycq-eris-borg-password.age' to '/run/agenix.d/1/borg-password'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/q2xjgg7hj68man0ybhwa9y3lkbsy9n84-eris-borg-ssh-key.age' to '/run/agenix.d/1/borg-ssh-key'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/z82sgd160y9lapdnpnjy5zdljb0hqc6z-forgejo-mail-password.age' to '/run/agenix.d/1/forgejo-mail-password'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/5hl65ll8wi79a6yikc1ya2vn8pbd2fzp-forgejo-secrets-env.age' to '/run/agenix.d/1/forgejo-secrets-env'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/71ywwjyivfyyyqhv26npd83x5d6n3vgs-eris-initrd-ssh-hostkey.age' to '/run/agenix.d/1/initrd-ssh-hostkey'...
localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/13qbli5mplldjspr2la07cxpc3h59mff-eris-wg-private-key.age' to '/run/agenix.d/1/wg-private-key'...
localhost initrd-nixos-activation-start[546]: [agenix] symlinking new secrets to /run/agenix (generation 1)...
localhost initrd-nixos-activation-start[546]: [agenix] chowning...
| 11:40:00 |
| hexa | I'm not quite sure where /run/agenix/initrd-ssh-hostkey comes from | 11:40:14 |
| hexa | but due to the file existing the agenix generation folder lands at the wrong location | 11:40:43 |
| hexa | * # ls -lah /run/agenix
total 4.0K
drwxr-xr-x 2 root root 80 May 21 11:38 .
drwxr-xr-x 27 root root 680 May 21 11:38 ..
lrwxrwxrwx 1 root root 15 May 21 11:38 1 -> /run/agenix.d/1
-rw------- 1 root root 399 May 21 11:38 initrd-ssh-hostkey <--- The problem
| 11:41:56 |
| hexa | # journalctl -b0 | grep initrd-ssh-hostkey
May 21 11:38:22 localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/71ywwjyivfyyyqhv26npd83x5d6n3vgs-eris-initrd-ssh-hostkey.age' to '/run/agenix.d/1/initrd-ssh-hostkey'...
May 21 11:38:22 localhost initrd-nixos-activation-start[546]: decrypting '/nix/store/71ywwjyivfyyyqhv26npd83x5d6n3vgs-eris-initrd-ssh-hostkey.age' to '/run/agenix.d/1/initrd-ssh-hostkey'...
| 11:42:41 |
| hexa | whatever puts the file there … doesn't log anything about it | 11:42:57 |
| hexa | but initrd-ssh-hostkey is in fact one of the secrets it decrypts | 12:49:35 |
 oddlama | There a long standing PR by me that would fix this: https://github.com/ryantm/agenix/pull/187 | 12:57:33 |
| oddlama | In my case it's the initrd that includes the file when it is generated | 12:57:58 |
| oddlama | currently the PR only makes agenix emit an error, but i guess one could argue that it should replace the directory | 13:07:55 |
| hexa | ryantm: can we get your eyes on PR 187? | 13:24:14 |
| hexa | In reply to @oddlama:matrix.org
In my case it's the initrd that includes the file when it is generated Disabling initrd ssh does indeed make the problem go away. | 13:26:54 |
| oddlama | Since I require this in my config I opted to just add an activation script that removes the directory (https://github.com/oddlama/nix-config/blob/7bb25e5d7a1f66dce2f50389bb3ce9bdc5eaab38/modules/config/secrets.nix#L48-L58) | 13:29:49 |
| hexa | haha ok 😄 | 13:31:57 |
| hexa | I also think that this started happening when I switched to systemd-initrd, does that make sense? | 13:32:42 |
| hexa | works for me, thank you | 13:34:17 |
| oddlama | In reply to @hexa:lossy.network
I also think that this started happening when I switched to systemd-initrd, does that make sense? yup, if i recall correctly the other initrd implementation has no secret support and ignores the option | 13:43:00 |
| oddlama | or was it tied to the bootloader? 🤔 | 13:44:11 |
| hexa | oh, that could explain why that one machine with grub is fine and the ones with systemd-boot failed | 14:48:37 |
| 22 May 2024 |
|  NixOS Moderation Bot banned  @5m5z3q888q5prxkg:chat.lightnovel-dungeon.de (Suspended until 2024-05-29). | 11:45:54 |
| NixOS Moderation Botchanged room power levels. | 15:25:58 |
