User-specific secrets not working with erase-your-darlings configuration
Opened this issue · 4 comments
Hi!
I'm having problems doing nixos-rebuild switch when I have a secret that is encrypted for a specific user. This is on my system with erase-your-darlings enabled. I get the following error when trying sudo nixos-rebuild switch --flake .:
decrypting '/nix/store/231bhn0mp0a8vxm75va7agcja6khv87i-foo.age' to '/run/agenix.d/10/foo'...
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/10/foo.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/10/foo.tmp': No such file or directory
I've tried exactly the same on another system, without erase-your-darlings, and there it works fine. The error also goes away if I add the system itself to secrets.nix (in addition to the user).
I have tried adding neededForBoot = true; to my /home filesystem, so that it will be available "early enough", but it doesn't make a difference.
Does anyone know how I can solve this, or how I can enable more debug logs to maybe get better clues? Is the error happening because agenix cannot find the private key for the user?
How have you configured age.identityPaths? I think it should point at the correct identities in the persistent storage.
I've not made any modifications to that setting.
I have both /home and /etc/ssh on separate filesystems:
fileSystems = {
  # `old`, `main` and `commonOptions` are bound in a surrounding `let` (not shown)
  "/home" = {
    device = old;
    fsType = "btrfs";
    options = [ "subvol=home" ] ++ commonOptions;
  };
  "/etc/ssh" = {
    device = main;
    fsType = "btrfs";
    options = [ "subvol=ssh" ] ++ commonOptions;
    neededForBoot = true; # host keys must be mounted before activation
  };
  # ...
};
Would I still need to change age.identityPaths? Should it then point to my user's key? Note that it all works when putting a system as the "recipient" of the secret (in secret.nix), but not when putting an individual user as a secret's recipient...
Host keys are default identities; if you need something else, you have to configure it.
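To make that concrete, here is an added example (not code from the issue or from agenix itself) of the two ways this thread describes to get a user-targeted secret decrypted at activation: encrypting for the host key as well, and/or listing the user's persisted key in age.identityPaths. The user name "alice", the key paths and the placeholder public keys are assumptions.

```nix
# ---- secrets.nix (assumed file name; recipients are public keys) ----
let
  # Placeholder public keys: replace with real `ssh-ed25519 ...` lines.
  alice = "ssh-ed25519 AAAA...PLACEHOLDER... alice@laptop";
  host  = "ssh-ed25519 AAAA...PLACEHOLDER... root@laptop";
in
{
  # Encrypting for both recipients means activation succeeds with the
  # default host identity alone, which is what the thread observed.
  "foo.age".publicKeys = [ alice host ];
}

# ---- configuration.nix fragment (assumed user "alice") ----
{
  # agenix only tries the identities listed here; by default that is the
  # SSH host keys, so a secret encrypted only for alice cannot be opened.
  age.identityPaths = [
    "/etc/ssh/ssh_host_ed25519_key"   # default host identity, on the /etc/ssh subvolume
    "/home/alice/.ssh/id_ed25519"     # assumed user identity; its filesystem must be
                                      # mounted (neededForBoot) before activation runs
  ];

  age.secrets.foo = {
    file  = ./secrets/foo.age;        # assumed path to the encrypted file
    owner = "alice";                  # decrypted copy readable by the user
  };
}
```

A quick check before rebuilding is to confirm, as root, that every path in age.identityPaths exists on the persisted filesystem and that the secret's public-key list actually contains the matching public half of one of them.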
I have this error too, the first time I'm trying to push configs into a brand new VM. I know that my ssh keys are correct.