ryantm/agenix

User-specific secrets not working with erase-your-darlings configuration

Opened this issue · 4 comments

Hi!

I'm having problems doing nixos-rebuild switch when I have a secret that is encrypted for a specific user. This is on my system with erase-your-darlings enabled. I get the following error when trying sudo nixos-rebuild switch --flake .:

decrypting '/nix/store/231bhn0mp0a8vxm75va7agcja6khv87i-foo.age' to '/run/agenix.d/10/foo'...
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/10/foo.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/10/foo.tmp': No such file or directory

I've tried exactly the same on another system, without erase-your-darlings, and there it works fine. The error also goes away if I add the system itself to secrets.nix (in addition to the user).

I have tried adding neededForBoot = true; to my /home filesystem, so that it will be available "early enough", but it doesn't make a difference.

Does anyone know how I can solve this, or how I can enable more debug logs to maybe get better clues? Is the error happening because agenix cannot find the private key for the user?

How have you configured age.identityPaths? I think it should point at the correct identities in the persistent storage.


I've not made any modifications to that setting.

I have both /home and /etc/ssh on separate filesystems:

  fileSystems = {
    "/home" = {
      device = old;
      fsType = "btrfs";
      options = [ "subvol=home" ] ++ commonOptions;
    };

    "/etc/ssh" = {
      device = main;
      fsType = "btrfs";
      options = [ "subvol=ssh" ] ++ commonOptions;
      neededForBoot = true;
    };
    # ...
  };

Would I still need to change age.identityPaths? Should it then point to my user's key? Note that it all works when putting a system as the "recipient" of the secret (in secret.nix), but not when putting an individual user as a secret's recipient...

Host keys are default identities; if you need something else, you have to configure it.
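A configuration that follows the answer above, written as an added example rather than code from the issue or from agenix itself: the host key on the persisted `/etc/ssh` subvolume is listed as a recipient next to the user key, and `age.identityPaths` is set explicitly to that host key so activation (which runs as root, before `/home` is usable) can decrypt. The public keys, the user name `alice` and the `./secrets` directory are placeholders.

```nix
# --- secrets.nix (next to the flake; keys are placeholders) -------------
let
  # Key of the interactive user. It lives under /home, which erase-your-darlings
  # does not guarantee at activation time, so it must not be the only recipient.
  alice = "ssh-ed25519 AAAA...USER_PUBLIC_KEY_PLACEHOLDER";

  # Host key from the persisted /etc/ssh subvolume (neededForBoot = true).
  # This is the identity agenix decrypts with during nixos-rebuild switch.
  host = "ssh-ed25519 AAAA...HOST_PUBLIC_KEY_PLACEHOLDER";
in
{
  # Encrypt to both: the user can edit the file with `agenix -e`,
  # the host can decrypt it at activation.
  "foo.age".publicKeys = [ alice host ];
}

# --- configuration.nix (NixOS module) -----------------------------------
# { config, ... }:
# {
#   # Same path as the agenix default, stated explicitly so it is clear which
#   # identity must exist on persistent storage before activation runs.
#   age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
#
#   age.secrets.foo = {
#     file = ./secrets/foo.age;
#     owner = "alice";   # decrypted file is chowned to the user afterwards
#   };
# }
```

If the host key is re-generated on every boot because `/etc/ssh` is not persisted, the `publicKeys` entry goes stale and `age: error: no identity matched any of the recipients` returns; persisting that subvolume, as in the `fileSystems` block above, is what keeps the recipient stable.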

I have this error too, the first time I'm trying to push configs into a brand new VM. I know that my SSH keys are correct.