
agenix

383 Members
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/
102 Servers



9 Nov 2023
zonnebloem (@zonnebloem:matrix.org) 21:15:44

it probably has to do with this

  # look up a host's public key in the repo; returns "" when the file is missing
  pubkey = hostname: pubkeyPath ./hosts/${hostname}/key.pub;
  pubkeyPath = pkp: if builtins.pathExists pkp then builtins.readFile pkp else "";

  servers = [
    (pubkey "my-server")
  ];
zonnebloem (@zonnebloem:matrix.org) 21:17:49
I have to filter the empty "" from the lists

zonnebloem (@zonnebloem:matrix.org) 21:33:35
my problem is that the key.pub file is not a single line

zonnebloem (@zonnebloem:matrix.org) 21:39:35
is https://github.com/ryantm/agenix/pull/114 no longer the case?

uep (@uep:matrix.org) 21:39:35
I think you should just error if your config calls for a key that doesn't exist in the repo

uep (@uep:matrix.org) 21:42:25
* I think you should just error if your config calls for a key that doesn't exist in the repo, rather than return the else "" and have to deal with that

zonnebloem (@zonnebloem:matrix.org) 21:45:00
It does error when running agenix --rekey, after which I comment it out

zonnebloem (@zonnebloem:matrix.org) 21:45:04
This is ok for me

zonnebloem (@zonnebloem:matrix.org) 21:45:33
I thought this was my problem, but it's actually the readFile which reads a newline
zonnebloem (@zonnebloem:matrix.org) 21:56:23

  # strip the trailing newline that builtins.readFile keeps from key.pub
  pubkeyPath = pkp: if builtins.pathExists pkp then builtins.replaceStrings ["\n"] [""] (builtins.readFile pkp) else "";

this works

uep (@uep:matrix.org) 23:17:36
oof
10 Nov 2023
marin (@mar.in:matrix.org) 14:03:24

ryantm: is there any docs on how to correctly use agenix with the home-manager module? trying to do something like this:

  age.secrets.nixconf.file = ./secrets/nix.conf.age;
  xdg.configFile."nix/nix.conf".source = config.age.secrets.nixconf.path;

And getting this failure:

      error: A definition for option `home-manager.users.supermarin.xdg.configFile."nix/nix.conf".source' is not of type `path'. Definition values:
       - In `/nix/store/czifw4nlbci6fjly2sw0i5qjlph8c3sn-source/home.nix': "$XDG_RUNTIME_DIR/agenix/nixconf"

Seen above that someone had a similar issue, but haven't seen any resolution
marin (@mar.in:matrix.org) 14:07:00

I'm on a flake based system, and importing hm & agenix like this:

modules = [
  inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-nano-gen1
  inputs.home-manager.nixosModules.home-manager
  ./nixos/configuration.nix
  ./nixos/hardware-x1.nix
  {
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
    home-manager.users.supermarin = {
      home.stateVersion = "22.05";
      imports = [
        inputs.agenix.homeManagerModules.default
        ./home.nix
        ./home-services.nix
      ];
    };
  }
];
11 Nov 2023
zonnebloem (@zonnebloem:matrix.org) 17:53:53

If I want to install nixos on a new system I have to install without age first and then switch. Is there a way to install the new system with age in 1 go?

  • my nixos config (flake) with multiple hosts
  • I use my custom live iso
  • In my config I disable agenix for the new system
  • And run a few commands (see below)
  • If I enable agenix from the start it asks for a passphrase?? I don't know which. I think '/etc/ssh/ssh_host_ed25519_key' was set by the live iso, '/mnt/etc/ssh/ssh_host_ed25519_key' was set by the commands?

  > mynewdevice : NIXOS-INSTALL
installing the boot loader...
[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
[agenix] WARNING: config.age.identityPaths entry /etc/ssh/ssh_host_rsa_key not present!
decrypting '/nix/store/xxxxxxx-mypass.age' to '/run/agenix.d/1/passwords/mypass'...
Type passphrase for OpenSSH key '/etc/ssh/ssh_host_ed25519_key': 

commands:

FUTURE_USER="myuser"; FUTURE_HOSTNAME="mynewdevice"; DISKOTYPE="zfs"; DISKS='[ "/dev/nvme0n1" ]'; ZFS_ASHIFT='12'; ZFS_REFRESERVATION='5'
REMOTE_IP="my-nixos-live.local"; LOCAL_CONFIG_PATH="/nixcfg"; REMOTE_CONFIG_PATH="/tmp"
ssh-keygen -R $REMOTE_IP  -f /cache${HOME}/.ssh/known_hosts # Remove from known_hosts
echo "  > $FUTURE_HOSTNAME : EXTRACT hardware-configuration.nix" ; ssh -t root@$REMOTE_IP '( nixos-generate-config --no-filesystems --root /mnt --show-hardware-config  )' > ${LOCAL_CONFIG_PATH}/hosts/${FUTURE_HOSTNAME}/hardware-configuration.nix

echo "  > $FUTURE_HOSTNAME : RSYNC CONFIG" ; rsync --mkpath -ah --delete "${LOCAL_CONFIG_PATH}/diskos/disko_${DISKOTYPE}.nix" "root@${REMOTE_IP}:$REMOTE_CONFIG_PATH"
echo "  > $FUTURE_HOSTNAME : DISKO: PARTITION, FORMAT, MOUNT" ; ssh -t root@${REMOTE_IP} "( disko --mode disko ${REMOTE_CONFIG_PATH}/disko_${DISKOTYPE}.nix --arg disks '${DISKS}' --arg zfs_ashift '${ZFS_ASHIFT}' --arg zfs_refreservationInGB '${ZFS_REFRESERVATION}')"

echo "  > $FUTURE_HOSTNAME : SSH: MKDIR" ; ssh -t root@${REMOTE_IP} "( mkdir -p /mnt/etc/ssh )"
echo "  > $FUTURE_HOSTNAME : SSH: KEYGEN" ; ssh -t root@${REMOTE_IP} "( ssh-keygen -t ed25519 -f /mnt/etc/ssh/ssh_host_ed25519_key -N '\"\"' )"
echo "  > $FUTURE_HOSTNAME : EXTRACT ssh key.pub" ; rsync -ah root@${REMOTE_IP}:/mnt/etc/ssh/ssh_host_ed25519_key.pub /nixcfg/hosts/$FUTURE_HOSTNAME/key.pub
echo "  > $FUTURE_HOSTNAME : REKEY AGENIX" ; cd /nixcfg ; agenix --rekey ; git add /nixcfg/{secrets/,hosts/$FUTURE_HOSTNAME/}* ; git commit -m "add host $FUTURE_HOSTNAME"

echo "  > $FUTURE_HOSTNAME : NIX EVAL" ; sys="$(nix eval --raw ".#nixosConfigurations.${FUTURE_HOSTNAME}.config.system.build.toplevel")"
echo "  > $FUTURE_HOSTNAME : NIX BUILD" ; nix build ".#nixosConfigurations.${FUTURE_HOSTNAME}.config.system.build.toplevel" --out-link "$(mktemp -d)/result"
#TODO: nix copy gives the same error as nixos-anywhere, because they also use nix copy: "bash: line 1: started: command not found"
echo "  > $FUTURE_HOSTNAME : NIX COPY" ; nix run nixpkgs#nixVersions.nix_2_14 -- copy --to "ssh://root@${REMOTE_IP}?remote-store=local?root=/mnt" "$sys"
echo "  > $FUTURE_HOSTNAME : NIXOS-INSTALL" ; ssh -t root@${REMOTE_IP} "( nixos-install --no-root-passwd --no-channel-copy --system "$sys" )"

ssh root@${REMOTE_IP} umount -lR /mnt
ssh root@${REMOTE_IP} zpool export -a

echo "  > $FUTURE_HOSTNAME : REBOOT" ; ssh -t root@$REMOTE_IP '( reboot )'
ryantm (@ryantm:matrix.org) 17:55:24
You have to bootstrap the private key on there somehow. Maybe you could put it in your ISO?
willmckinnon (@willpower3309:matrix.org) 18:20:39
I think you could keep the user public key in your NixOS config, and keep the private key secured on a USB stick or something, then you'd just need to plug another USB in containing the private key (which you'd copy over) upon installing a new system

willmckinnon (@willpower3309:matrix.org) 18:21:15
I also do this at the system level where I keep my system public keys in my public NixOS config repo, I just need a good way to store all those private keys on an external drive
willmckinnon (@willpower3309:matrix.org) 18:22:51
In reply to @willpower3309:matrix.org:
  I also do this at the system level where I keep my system public keys in my public NixOS config repo, I just need a good way to store all those private keys on an external drive
If anyone does something similar and has any ideas please let me know, storing them on a regular old USB stick seems kinda archaic to me, but it's what has worked best
zonnebloem (@zonnebloem:matrix.org) 21:32:14
I was under the impression that a device's keys should be generated on the device, and only the public key can leave the device.

ryantm (@ryantm:matrix.org) 21:32:45
That's probably more secure.

zonnebloem (@zonnebloem:matrix.org) 21:38:07
I just started trying to copy the key generated by the iso to /mnt

zonnebloem (@zonnebloem:matrix.org) 21:59:12
it worked

zonnebloem (@zonnebloem:matrix.org) 21:59:16
:)

zonnebloem (@zonnebloem:matrix.org) 22:00:49
echo "  > $FUTURE_HOSTNAME : COPY ssh keys from iso to mnt" ; ssh -t root@${REMOTE_IP} "( cp /etc/ssh/ssh_host_ed25519_key* /mnt/etc/ssh/ )"

zonnebloem (@zonnebloem:matrix.org) 22:01:04
instead of the ssh-keygen
13 Nov 2023
marin (@mar.in:matrix.org) 14:16:07

ryantm: is there any docs on how to correctly use agenix with the home-manager module? trying to do something like this:

  age.secrets.nixconf.file = ./secrets/nix.conf.age;
  xdg.configFile."nix/nix.conf".source = config.age.secrets.nixconf.path;

And getting this failure:

      error: A definition for option `home-manager.users.supermarin.xdg.configFile."nix/nix.conf".source' is not of type `path'. Definition values:
       - In `/nix/store/czifw4nlbci6fjly2sw0i5qjlph8c3sn-source/home.nix': "$XDG_RUNTIME_DIR/agenix/nixconf"

Seen above that someone had a similar issue, but haven't seen any resolution

ping on this one
14 Nov 2023
ryantm (@ryantm:matrix.org) 15:42:25
marin: Nope. I'm still hoping someone who uses agenix for this will contribute them. I don't use agenix with home manager.
jeroen (@jeroen:simonetti.nl) 16:35:44

I am not sure this is currently active, but at one time I used this:

{ config, pkgs, ... }:
{
  age.secrets.nix-access-tokens-github.file = ../../../secrets/nix.access-tokens-github.age;
  # pull the decrypted token file into nix.conf at runtime instead of
  # writing the token into the (world-readable) nix.conf itself
  nix.extraOptions = ''
    !include ${config.age.secrets.nix-access-tokens-github.path}
  '';
  nix.package = pkgs.nix;
}
jeroen (@jeroen:simonetti.nl) 16:36:07
I can't verify this atm though
