Open lorenzleutgeb opened 1 year ago
Only problem is that just now we populate age.sshKeyPaths by default from sops and it might trigger false positives for folks that want to manage ssh host keys with sops-nix, but then use other sops decryption methods i.e. aws-kms/gpg/normal age keys.
I guess the warning could also have a message that tells users to explicitly unset sops.age.sshKeyPaths in those cases.
While trying out sops-nix I configured:
That is, I tried to make the SSH host key both a secret, and the key to decrypt secrets. This even worked with nixos-rebuild switch since I did this step by step and first added secrets."ssh/key". However, I noticed my mistake, and if I understood sops-nix correctly, this configuration will not boot.

sops-nix could be more helpful here, and check that the options referring to keys for secret decryption (age.keyFile, age.sshKeyPaths, gnupg.home, gnupg.sshKeyPaths) are actually not secrets. For example, if any of those paths start with /run/secrets, something is wrong, and probably worth at least a warning, maybe even failure. I understand that finding out whether a file is a secret can be tricky, but a simple heuristic like looking for /run/secrets might already be helpful to prevent stupid mistakes.
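One way to implement the heuristic proposed above, as an added example and not code from sops-nix itself: a small NixOS module that collects the four key-path options named in the issue, flags any that start with /run/secrets, and emits a warning whose text also tells the user to set sops.age.sshKeyPaths = [ ] when the host keys are managed by sops-nix but decryption uses another key. It assumes sops.age.keyFile and sops.gnupg.home are null-or-string options and sops.age.sshKeyPaths and sops.gnupg.sshKeyPaths are lists of strings; the secrets directory is hard-coded to /run/secrets rather than read from an option.

```nix
# Added example, not sops-nix's own code: warn when a key used to decrypt
# secrets lives inside the directory that sops-nix itself populates.
{ config, lib, ... }:
let
  cfg = config.sops;

  # Assumed shapes: keyFile/home are null or a path string,
  # the sshKeyPaths options are lists of path strings.
  keyPaths = lib.filter (p: p != null) (
    [ cfg.age.keyFile ]
    ++ cfg.age.sshKeyPaths
    ++ [ cfg.gnupg.home ]
    ++ cfg.gnupg.sshKeyPaths
  );

  # Hard-coded here; the real module would read its own secrets-dir option.
  secretsDir = "/run/secrets";

  # The heuristic from the issue: a key path under /run/secrets cannot be
  # available before the secrets are decrypted, so it can never work.
  isSecretPath = p: lib.hasPrefix secretsDir (toString p);
  badPaths = lib.filter isSecretPath keyPaths;
in
{
  warnings = lib.optional (badPaths != [ ]) ''
    sops-nix: the following decryption key paths point into ${secretsDir},
    which is only populated after decryption, so they cannot be used to
    decrypt anything:
      ${lib.concatStringsSep "\n  " badPaths}
    If you manage the SSH host keys with sops-nix and decrypt with another
    key (aws-kms, gpg, a plain age key), set sops.age.sshKeyPaths = [ ]
    explicitly so the default host-key paths are not picked up.
  '';
}
```

To turn the warning into a hard failure, put the same condition in `assertions` (`{ assertion = badPaths == [ ]; message = ...; }`) instead of `warnings`; the warning form is the safer first step given the false-positive concern raised in the reply above.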