Open PaulGrandperrin opened 10 months ago
After reading https://github.com/Mic92/sops-nix/blob/master/modules/sops/default.nix I set
sops.gnupg.sshKeyPaths = [];
Then sops-install-secrets doesn't fail and correctly installs the age key, and the rest of the installation works flawlessly.
So, maybe it would make sense to change sops-install-secrets to process the age key and the gpg key independently in case one of them fails?
I don't know Go but I guess changing this line to just print a warning would solve the issue: https://github.com/Mic92/sops-nix/blob/014e44d334a39481223a5d163530d4c4ca2e75cb/pkgs/sops-install-secrets/main.go#L944C34-L944C34
sops.gnupg.sshKeyPaths = [];
Worked for me as well. Also found out that disabling the openssh service allowed user passwords to be installed correctly. Not interesting in a lot of cases, but maybe relevant for the problem.
I'm trying to provision a VM with nixos-everywhere. The root password is set with sops-nix, and the sops key is derived from /etc/ssh/ssh_host_ed25519_key as an age key. I know this setup works well because I already use this code on many machines.

To set up this new VM, I created a new /etc/ssh/ssh_host_ed25519_key for the VM and added the corresponding age key to my .sops.yaml as usual. Then I launched nixos-everywhere with this command:

The extra files:

Then, when first activating the new VM conf, setupSecretsForUsers fails because it tries to read /etc/ssh/ssh_host_rsa_key which doesn't exist. /etc/ssh/ssh_host_rsa_key doesn't exist because the VM hasn't booted yet and sshd didn't create it. I don't see why it prevents sops from decrypting the secrets with the age key derived from /etc/ssh/ssh_host_ed25519_key.

I am not sure I have the correct understanding of the situation though because I'm basically following this guide https://github.com/nix-community/nixos-anywhere/blob/main/docs/howtos/secrets.md and so I suppose it should be working in this use case.
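The setup described in the issue combined with the workaround from the comments, as an added example that is not part of this thread or of sops-nix itself (the sops file path and the secret name are assumed):

```nix
# Added example: sops-nix settings for a host whose age identity is derived
# from its ed25519 SSH host key, matching the reporter's setup.
{ config, ... }:
{
  # Derive the age identity from the host key that is shipped to the new
  # machine as an extra file, so secrets can be decrypted on first activation.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # When services.openssh.enable is true, sops-nix defaults this option to the
  # RSA host key paths from services.openssh.hostKeys. On a machine that has not
  # booted yet that file does not exist, so sops-install-secrets aborts before
  # it ever tries the age key. An empty list skips the GPG key import entirely.
  sops.gnupg.sshKeyPaths = [];

  sops.defaultSopsFile = ./secrets.yaml;                  # assumed path
  sops.secrets."root-password".neededForUsers = true;     # assumed secret name
  users.users.root.hashedPasswordFile =
    config.sops.secrets."root-password".path;
}
```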