
User-specific secrets not working with erase-your-darlings configuration #263

Open
joncol opened this issue Jun 15, 2024 · 3 comments

joncol commented Jun 15, 2024

Hi!

I'm having problems doing nixos-rebuild switch when I have a secret that is encrypted for a specific user. This is on my system with erase-your-darlings enabled. I get the following error when trying sudo nixos-rebuild switch --flake .:

decrypting '/nix/store/231bhn0mp0a8vxm75va7agcja6khv87i-foo.age' to '/run/agenix.d/10/foo'...
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/10/foo.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/10/foo.tmp': No such file or directory

I've tried exactly the same on another system, without erase-your-darlings, and there it works fine. The error also goes away if I add the system itself to secrets.nix (in addition to the user).

I have tried adding neededForBoot = true; to my /home filesystem, so that it will be available "early enough", but it doesn't make a difference.

Does anyone know how I can solve this, or how I can enable more debug logs to maybe get better clues? Is the error happening because agenix cannot find the private key for the user?

@jcszymansk

How have you configured age.identityPaths? I think it should point at the correct identities in the persistent storage.

joncol (Author) commented Jun 18, 2024

How have you configured age.identityPaths? I think it should point at the correct identities in the persistent storage.

I've not made any modifications to that setting.

I have both /home and /etc/ssh on separate filesystems:

  fileSystems = {
    "/home" = {
      device = old;
      fsType = "btrfs";
      options = [ "subvol=home" ] ++ commonOptions;
    };

    "/etc/ssh" = {
      device = main;
      fsType = "btrfs";
      options = [ "subvol=ssh" ] ++ commonOptions;
      neededForBoot = true;
    };
    # ...
  };

Would I still need to change age.identityPaths? Should it then point to my user's key? Note that it all works when putting a system as the "recipient" of the secret (in secret.nix), but not when putting an individual user as a secret's recipient...

@jcszymansk

Host keys are default identities; if you need something else, you have to configure it.
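One way to act on that advice, as an added example that is not from the thread or from the agenix project: keep the identity agenix decrypts with on a filesystem that is mounted early (the persistent /etc/ssh subvolume from the author's fileSystems block) and name it explicitly in age.identityPaths, then encrypt the secret for that host key as well as for the user. The file paths, user name and key strings are assumed placeholders.

```nix
# configuration.nix fragment (added example; paths and names are placeholders)
{ config, ... }:
{
  # agenix decrypts during system activation, running as root and before any
  # user session exists, so it can only use identities that are readable at
  # that point. The host key below lives on the persistent /etc/ssh subvolume,
  # which the author already mounts with neededForBoot = true.
  age.identityPaths = [
    "/etc/ssh/ssh_host_ed25519_key"
    # Alternative following jcszymansk's suggestion: a user key kept on
    # persistent storage, e.g. "/home/joncol/.ssh/id_ed25519" (assumed path).
    # It must be mounted early and cannot be passphrase-protected, because
    # activation is non-interactive and cannot prompt for the passphrase.
  ];

  age.secrets.foo = {
    file = ./secrets/foo.age;
    # Instead of encrypting the secret for the user's own key, hand the
    # decrypted file (placed under /run/agenix) to that user with tight
    # permissions. Root can decrypt it; only this user can read the result.
    owner = "joncol";
    mode = "0400";
  };
}
```

secrets.nix then lists both the user's and the host's public keys as recipients of foo.age (the combination the author reports as working), so activation succeeds with the host key while the user's key remains usable for editing the secret.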
