| 14 Dec 2022 |
|  id joined the room. | 17:35:08 |
| 15 Dec 2022 |
 kraem | hi, i can't seem to provision keys to a new system. getting this while switching to a new generation:
cp: cannot stat '/run/agenix/ssh_lb1_initrd_ed25519': No such file or directory
failed to create initrd secrets: No such file or directory
/run/agenix is empty as the generation hasn't been switched to, but it's needed to create the initrd secrets (if i understand correctly). is this a known issue? can't find it being discussed in the issues of the repo
| 21:54:47 |
| kraem | sudo mkdir -p /run/agenix && sudo touch /run/agenix/ssh_lb1_initrd_ed25519 && switch_generation
# /run/agenix/1 and /run/agenix.d/1/ssh_lb1_initrd_ed25519 gets created
# but /run/agenix/ssh_lb1_initrd_ed25519 is still my empty file and i get the same error if switching generation after deleting it
note that i have no idea what i'm doing at this point 🙃
| 22:06:52 |
| kraem | ok i think i solved it by nix-collect-garbage -d && /run/current-system/bin/switch-to-configuration switch. it seems some old initrd secrets was the culprit? | 22:44:53 |
| 16 Dec 2022 |
 ryantm | I haven't really thought much about early boot secrets. What is this secret for? | 05:25:31 |
| kraem | that particular secret is an ssh key used in initrd | 07:38:40 |
| kraem | it works sometimes after collecting garbage but still fails sometimes | 07:40:06 |
| 17 Dec 2022 |
|  Dandellion joined the room. | 22:20:49 |
| 18 Dec 2022 |
|  mlyx joined the room. | 03:27:07 |
|  dasj19 joined the room. | 20:40:20 |
| dasj19 | Hi, I am first time user of agenix and I am trying to get nixos to read user password file encrypted by agenix. In the code below the system can read the value of "description" just fine, but the value of passwordFile is not applied to the user account. Any advice is greatly appreciated.
users.users.daniel = {
isNormalUser = true;
description = lib.strings.fileContents config.age.secrets.daniel-fullname.path;
passwordFile = config.age.secrets.daniel-password.path; # Value created with mkpasswd.
extraGroups = [ "networkmanager" "wheel" ];
};
| 20:45:30 |
| ryantm | Do you have the .file config option for that secret also specified? | 21:38:43 |
| ryantm | dasj19: ☝️ | 21:39:28 |
| dasj19 | Yes, I tried with just the .file then I added owners and groups:
age.secrets.daniel-fullname = {
file = /etc/nixos/secrets/daniel-fullname.age;
owner = "daniel";
group = "users";
};
age.secrets.daniel-password = {
file = /etc/nixos/secrets/daniel-password.age;
owner = "daniel";
group = "users";
}; | 21:40:20 |
| ryantm | What you are doing with description is an antipattern because it leaks the secret into the nix store and has bootstrapping issues. | 21:42:08 |
| dasj19 | yes, i noticed but the goal there is just to hide it from a future git commit | 21:42:47 |
| ryantm | Okay. I guess it's fine for that. | 21:43:10 |
| dasj19 | the description part works, but just the passwordFile part does not | 21:43:44 |
| ryantm | Are you using flakes? | 21:43:44 |
| ryantm | And is your flake.nix in /etc? | 21:43:57 |
| dasj19 | no, just plain configuration.nix | 21:44:09 |
| ryantm | I don't think it matters but I think you can leave those secrets as owned by root since the user activation script runs as root. | 21:45:10 |
| ryantm | Do you see any warnings during activation? | 21:45:34 |
| dasj19 | okay, the secrets were owned by root to begin with, i changed them to see if it made a difference. no warnings during agenix generation change | 21:46:56 |
| ryantm | Double check the decrypted files are in /run/agenix/... | 21:48:52 |
| dasj19 | yes, both files appear there:
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix
2990 0 lrwxrwxrwx 1 root root 16 Dec 18 22:48 /run/agenix -> /run/agenix.d/11
[root@xps13:/etc/nixos/secrets]# ls -lisah /run/agenix/
total 8.0K
52111 0 drwxr-x--x 2 root keys 0 Dec 18 22:48 .
15392 0 drwxr-x--x 3 root keys 0 Dec 18 22:48 ..
64750 4.0K -r-------- 1 root root 20 Dec 18 22:48 daniel-fullname
52115 4.0K -r-------- 1 root root 107 Dec 18 22:48 daniel-password
| 21:50:00 |
| dasj19 | (i just ran a nixos-rebuid switch without owning the files to user daniel) | 21:50:46 |
| ryantm | Hmmm. The only thing left I can think of is the format of your password file is wrong. | 21:51:37 |
| dasj19 | I noticed that the editor adds a new EOL at the end by default, I also tried removing it and made no difference | 21:52:49 |
| dasj19 | I tried method 2 from here: https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow | 21:53:14 |
