!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

386 Members
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/101 Servers

Load older messages

SenderMessageTime
3 Aug 2023
@cafkafk:nixos.devChristina Sørensen joined the room.06:11:56
5 Aug 2023
@maralorn:maralorn.demaralorn

When I do enable documentation.nixos.includeAllModules with agenix I get:

┃        error: attribute 'users' missing
┃ 
┃        at /nix/store/nwlhw7kzyyryssszhvw2as3gq4ncc1ai-source/modules/age.nix:15:11:
┃ 
┃            14|
┃            15|   users = config.users.users;
┃              |           ^
┃            16|
16:01:53
@maralorn:maralorn.demaralornIs it me or is it agenix?^^16:02:07
@ryantm:matrix.orgryantmWeird.18:40:16
@maralorn:maralorn.demaralornCan anyone else reproduce this? Is there anyone who has the scenic module imported and that docs option on in their system?21:41:07
@maralorn:maralorn.demaralorn* Can anyone else reproduce this? Is there anyone who has the agenix module imported and that docs option on in their system?21:41:23
10 Aug 2023
@metasyntactical:matrix.orgmetasyntactical joined the room.22:41:56
@metasyntactical:matrix.orgmetasyntactical

Hi, I'm trying to add agenix to my newish flakes nixos config and I created the secrets.nix and all the age files and added a reference to a secret as directed in the docs and I now get the following error:

warning: Git tree '/etc/nixos' is dirty
building the system configuration...
warning: Git tree '/etc/nixos' is dirty
error:
       Failed assertions:
       - age.identityPaths must be set.
(use '--show-trace' to show detailed location information)
22:43:30
@metasyntactical:matrix.orgmetasyntacticalI included all of the ssh host and user keys in the secrets.nix file. Does it not see them automatically? Do I have to manually point to each privkey file?22:44:13
@metasyntactical:matrix.orgmetasyntactical

If this helps, here's my flakes.nix:


  description = "my config";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
    home-manager = {
      url = "github:nix-community/home-manager/release-23.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.darwin.follows = "";
    };
  };

  outputs = { self, nixpkgs, home-manager, agenix, ... }: 
    let 
        system = "x86_64-linux";
        agenixModule = { environment.systemPackages = [ agenix.packages.${system}.default nixpkgs.age-plugin-yubikey ]; };
    in {
      nixosConfigurations = {
        "theseus" = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./machines/theseus.nix  agenix.nixosModules.default  agenixModule ]; };
      };
    };
}
22:45:42
@metasyntactical:matrix.orgmetasyntactical *

If this helps, here's my flakes.nix:


  description = "my config";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
    home-manager = {
      url = "github:nix-community/home-manager/release-23.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.darwin.follows = "";
    };
  };

  outputs = { self, nixpkgs, home-manager, agenix, ... }: 
    let 
        system = "x86_64-linux";
        agenixModule = { environment.systemPackages = [ agenix.packages.${system}.default ]; };
    in {
      nixosConfigurations = {
        "theseus" = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./machines/theseus.nix  agenix.nixosModules.default  agenixModule ]; };
      };
    };
}
22:59:40
@ryantm:matrix.orgryantm metasyntactical: probably what is happening is you haven't specified how to decrypt the secrets, and you have also not turned on openssh on the computer to make use of the system SSH keys for decryption. 23:28:26
11 Aug 2023
@metasyntactical:matrix.orgmetasyntactical
In reply to @ryantm:matrix.org
metasyntactical: probably what is happening is you haven't specified how to decrypt the secrets, and you have also not turned on openssh on the computer to make use of the system SSH keys for decryption.
all of that is in the ./machines/thesesus.nix file. it runs a ton of stuff including ssh. I set age.secret.secretname.file = ./secrets/secretname.age; and then I reference it as config.age.secrets.secretname.path and I get that error. If I comment out the age. and config.age lines, it builds fine 		00:41:21
@ryantm:matrix.orgryantm metasyntactical: do you have config.services.openssh.enable = true in your config? 00:44:01
@metasyntactical:matrix.orgmetasyntactical

I have a ./secrets/secrets.nix file with:

let
    connelly_headless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMV3hxhcKHYCmTpl5wRMfibT4wgWKAuLE7nWvDbIoswg";

    theseus_host = "ssh-ed25519 AAAAC3Nza...(redacted)";
    fw_host = "ssh-ed25519 AAAAC3Nza...(redacted)";
    house_host = "ssh-ed25519 AAAAC3Nza...(redacted)";
    void_host = "ssh-ed25519 AAAAC3Nza...(redacted)";

    theseus = [ connelly_headless theseus_host ];
    fw = [ connelly_headless fw_host ];
    house = [ connelly_headless house_host ];
    void = [ connelly_headless void_host ];
    all = [ connelly_headless theseus_host fw_host void_host house_host ];
in {
    "restic-s3.age".publicKeys = all;
    "restic-theseus.age".publicKeys = theseus;
    "restic-fw.age".publicKeys = fw;
    "restic-house.age".publicKeys = house;
    "restic-void.age".publicKeys = void;
    "ssh-theseus-headless-priv.age".publicKeys = theseus;
   }
00:44:51
@metasyntactical:matrix.orgmetasyntactical
In reply to @ryantm:matrix.org
metasyntactical: do you have config.services.openssh.enable = true in your config?
yes. openssh is running great 		00:45:12
@ryantm:matrix.orgryantmOn the target machine, right?00:45:44
@metasyntactical:matrix.orgmetasyntacticaldo I need to indicate where the secrets.nix file is in the age config?00:45:50
@metasyntactical:matrix.orgmetasyntacticalyes00:45:52
@ryantm:matrix.orgryantmNo secrets.nix is only for the agenix cli tool.00:46:17
@metasyntactical:matrix.orgmetasyntacticalI grabbed the /etc/ssh/ pubkeys from all of the boxes in my config00:46:18
@metasyntactical:matrix.orgmetasyntacticalcould it be some flakes scoping thing? I declared the age module in the top level flake and then my config using age is in another module -- could that cause it?00:47:15
@ryantm:matrix.orgryantmShouldn't be a problem.00:47:48
@metasyntactical:matrix.orgmetasyntacticalalso, will agenix require --impure always?00:47:53
@ryantm:matrix.orgryantmAgenix doesn't require impure00:48:08
@metasyntactical:matrix.orgmetasyntactical

okay. so in ./machines/theseus.nix I add the line below

age.secrets.wg-theseus-home-privkey.file = ./secrets/wg-theseus-home-privkey.age;

and I get the error:

error:
       Failed assertions:
       - age.identityPaths must be set.
(use '--show-trace' to show detailed location information)
00:50:08
@metasyntactical:matrix.orgmetasyntacticalshould I run it with --show-trace for you?00:50:23
@metasyntactical:matrix.orgmetasyntacticalor maybe try to poke at something in the repl?00:52:53
@metasyntactical:matrix.orgmetasyntactical 
ssh_config  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub  ssh_known_hosts
00:53:03
@ryantm:matrix.orgryantmSomething is going wrong here https://github.com/ryantm/agenix/blob/d8c973fd228949736dedf61b7f8cc1ece3236792/modules/age.nix#L22900:53:08

Show newer messages

Back to Room ListRoom Version: 6