| 18 Dec 2022 |
ryantm | oh, perhaps it is in some weird format that is hard to compare though. | 22:09:18 |
ryantm | You can also pass -i to agenix to specify which key to try to decrypt with. | 22:10:02 |
dasj19 | this works (at least gets me in nano with the secret editable) "agenix -i /home/daniel/.ssh/id_rsa -e daniel-password.age" | 22:11:38 |
ryantm | Maybe your key is not at $HOME/.ssh/id_rsa | 22:14:09 |
ryantm | Oh, you just said the path sorry. | 22:14:55 |
dasj19 | can you hash 123456 for me to try? | 22:15:17 |
ryantm | It will be different every time: | 22:15:53 |
ryantm | [ryantm@laptop3:~/p/nixfiles/secrets]$ mkpasswd --method=SHA-512 --stdin
Password: 123456
$6$HgyUnbDcnnfRn4Ox$Ttzd6kxqrt2ZoutO.kfEXWzc4zCDCXYwHKN5X4NyB/scHOrWKoYbHQhuxtjI1tq8BRHn5Avxcgim5FHoNv90R1
[ryantm@laptop3:~/p/nixfiles/secrets]$ mkpasswd --method=SHA-512 --stdin
Password: 123456
$6$ozbzwc1zWLDAaUQz$8zbOKHCGzQsJPZDkmm74hvH0lIupK3u0gAum2jp/JVmiKhF6RgWtVHyojBg2C7JbsZjxqolLFWtxR/aFEuqNP.
| 22:15:59 |
ryantm | It has a salt | 22:16:08 |
dasj19 | yes, I'll try the first one | 22:16:22 |
dasj19 | weird, still does not work. tried both with EOL and without EOL | 22:18:58 |
ryantm | If the correct hash file is showing up in /run/agenix, then it seems like the problem lies elsewhere, like maybe the user setup activation script is not using that file for some reason, or some other configuration you have is changing the activation script order. | 22:20:22 |
ryantm | You can also look in /etc/shadow to see what the user's password hash is currently. | 22:20:41 |
dasj19 | [root@xps13:/etc/nixos/secrets]# cat /run/agenix/daniel-password
$6$HgyUnbDcnnfRn4Ox$Ttzd6kxqrt2ZoutO.kfEXWzc4zCDCXYwHKN5X4NyB/scHOrWKoYbHQhuxtjI1tq8BRHn5Avxcgim5FHoNv90R1 | 22:21:01 |
dasj19 | the hash is not in /etc/shadow | 22:21:36 |
ryantm | system.activationScripts.debug.text = "set -x";
system.activationScripts.users.deps = [ "debug" ];
| 22:23:45 |
ryantm | That should at least let you see the bash aspect of the users activation script. | 22:24:12 |
ryantm | There is also a Perl script involved. | 22:24:19 |
ryantm | Here's the Perl script https://github.com/NixOS/nixpkgs/blob/ba46d30d1f9a636f46fb7877008140984f5e7b75/nixos/modules/config/update-users-groups.pl | 22:25:46 |
dasj19 | hmm, there do not seem to be any warnings or errors | 22:28:16 |
dasj19 | but there is quite a lot of output | 22:28:27 |
ryantm | every activation script that follows the set -x gets its commands output :) | 22:29:31 |
dasj19 | do you want to take a look? I can post on pastebin or something | 22:30:38 |
ryantm | Looks like there is some json file that gets made https://github.com/NixOS/nixpkgs/blob/ba46d30d1f9a636f46fb7877008140984f5e7b75/nixos/modules/config/update-users-groups.pl#LL88C12-L88C45 | 22:30:42 |
ryantm | That the Perl script reads. | 22:30:48 |
ryantm | It would be interesting to know if that script contains the /run/agenix/... path | 22:31:09 |
dasj19 | in the Perl script? | 22:32:25 |
ryantm | It's called users-groups.json. Maybe you can find it with ls /nix/store/*users-groups.json | 22:33:02 |
ryantm | {"autoSubUidGidRange":true,"createHome":true,"description":"Ryan Mulligan","group":"users","hashedPassword":null,"home":"/home/ryantm","homeMode":"700","initialHashedPassword":null,"initialPassword":null,"isSystemUser":false,"name":"ryantm","password":null,"passwordFile":"/run/agenix/passwordfile-ryantm","shell":"/run/current-system/sw/bin/bash","subGidRanges":[],"subUidRanges":[],"uid":null} | 22:34:07 |
dasj19 | yes, found it... and it has: {"autoSubUidGidRange":true,"createHome":true,"description":"Daniel AAA","group":"users","hashedPassword":null,"home":"/home/daniel","homeMode":"700","initialHashedPassword":null,"initialPassword":null,"isSystemUser":false,"name":"daniel","password":null,"passwordFile":"/run/agenix/daniel-password","shell":"/run/current-system/sw/bin/bash","subGidRanges":[],"subUidRanges":[],"uid":null} | 22:34:31 |