Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

setupSecretsForUsers fails when only ssh_host_ed25519_key is provided through nixos-anywhere #427

Open PaulGrandperrin opened 10 months ago

PaulGrandperrin commented 10 months ago

I'm trying to provision a VM with nixos-anywhere.

The root password is set with sops-nix:

    sops.secrets.password-root.neededForUsers = true;

    users.users.root = {
      passwordFile = config.sops.secrets.password-root.path;
    };

and the sops key is derived from /etc/ssh/ssh_host_ed25519_key as an age key.

I know this setup works well because I already use this code on many machines.

To set up this new VM, I created a new /etc/ssh/ssh_host_ed25519_key for the VM and added the corresponding age key to my .sops.yaml as usual.

Then I launched nixos-anywhere with this command:

    nix run github:numtide/nixos-anywhere -- --flake .#nixos-testvm --extra-files /tmp/tmp.Ese7hBI2bl root@vm

The extra files:

    tree /tmp/tmp.Ese7hBI2bl
    /tmp/tmp.Ese7hBI2bl
    └── etc
        └── ssh
            ├── ssh_host_ed25519_key
            └── ssh_host_ed25519_key.pub

Then, when first activating the new VM conf, setupSecretsForUsers fails because it tries to read /etc/ssh/ssh_host_rsa_key which doesn't exist.

    ### Copying extra files ###
    Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
    sending incremental file list
    ./
    etc/
    etc/ssh/
    etc/ssh/ssh_host_ed25519_key
    etc/ssh/ssh_host_ed25519_key.pub

    sent 763 bytes  received 69 bytes  554.67 bytes/sec
    total size is 507  speedup is 0.61
    Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
    ### Installing NixOS ###
    Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
    installing the boot loader...
    setting up secrets for users...
    /nix/store/909bd2m8bxl57s2xiqyrxq08yasnbk1v-sops-install-secrets-0.0.1/bin/sops-install-secrets: Error setting up gpg keyring: Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory
    Activation script snippet 'setupSecretsForUsers' failed (1)
    warning: password file ‘/run/secrets-for-users/password-paulg’ does not exist
    warning: password file ‘/run/secrets-for-users/password-root’ does not exist
    setting up /etc...
    setting up secrets...
    /nix/store/909bd2m8bxl57s2xiqyrxq08yasnbk1v-sops-install-secrets-0.0.1/bin/sops-install-secrets: Error setting up gpg keyring: Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory
    Activation script snippet 'setupSecrets' failed (1)

/etc/ssh/ssh_host_rsa_key doesn't exist because the VM hasn't booted yet and so sshd didn't create it.

I don't see why it prevents sops from decrypting the secrets with the age key derived from /etc/ssh/ssh_host_ed25519_key.

I am not sure I have the correct understanding of the situation, though, because I'm basically following this guide: https://github.com/nix-community/nixos-anywhere/blob/main/docs/howtos/secrets.md, so I suppose it should be working in this use case.

PaulGrandperrin commented 10 months ago

After reading https://github.com/Mic92/sops-nix/blob/master/modules/sops/default.nix I set

    sops.gnupg.sshKeyPaths = [];

Then sops-install-secrets doesn't fail and correctly installs the age key and the rest of the installation works flawlessly.

So, maybe it would make sense to change sops-install-secrets to process the age key and the gpg key independently in case one of them fails?

PaulGrandperrin commented 10 months ago

I don't know Go, but I guess changing this line to just print a warning would solve the issue: https://github.com/Mic92/sops-nix/blob/014e44d334a39481223a5d163530d4c4ca2e75cb/pkgs/sops-install-secrets/main.go#L944C34-L944C34

eivibro commented 8 months ago

    sops.gnupg.sshKeyPaths = [];

Worked for me as well. Also found out that disabling the openssh service allowed user passwords to be installed correctly. Not interesting in a lot of cases, but maybe relevant for the problem.
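The workaround from the two comments above (clearing `sops.gnupg.sshKeyPaths`, or disabling openssh) comes down to the same thing: sops-nix defaults `gnupg.sshKeyPaths` to the RSA entries of `services.openssh.hostKeys` whenever the openssh service is enabled, so on a freshly installed host the activation snippet trips over a key sshd has not generated yet. The following NixOS module is an added example, not code from this issue or from sops-nix itself; the secrets file path is assumed, and the host's age recipient is assumed to have been added to `.sops.yaml` beforehand.

```nix
# Added example: provision a user password with sops-nix on a host installed
# via nixos-anywhere, where only the ed25519 host key was shipped with
# --extra-files. Not part of the issue or of sops-nix.
{ config, ... }:
{
  sops = {
    # Assumed path to the sops-encrypted secrets file in this flake/repo.
    defaultSopsFile = ./secrets.yaml;

    # Decrypt with the age identity derived from the ed25519 host key that
    # nixos-anywhere copied into place before activation. The matching
    # recipient for .sops.yaml is obtained from the public half, e.g.
    #   ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # Explicitly opt out of the GnuPG keyring import. Left at its default,
    # this list is filled from the RSA keys in services.openssh.hostKeys as
    # soon as openssh is enabled, and sops-install-secrets aborts the whole
    # activation when that RSA key file is missing, as in the log above.
    gnupg.sshKeyPaths = [ ];

    # Materialise the hash under /run/secrets-for-users before users are
    # created, so the password is available on first boot.
    secrets.password-root.neededForUsers = true;
  };

  # Current option name; the issue uses the older alias `passwordFile`.
  users.users.root.hashedPasswordFile = config.sops.secrets.password-root.path;

  # openssh stays enabled: with gnupg.sshKeyPaths cleared, its default RSA
  # host key is no longer a prerequisite for secret decryption.
  services.openssh.enable = true;
}
```

Keeping `gnupg.sshKeyPaths` empty also narrows the set of host keys that can decrypt secrets to the one you actually distribute, which is easier to audit than an implicit RSA fallback.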