Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

User secrets not being symlinked to `/run/secrets-for-users` #627

Open wesleyjrz opened 1 month ago

wesleyjrz commented 1 month ago

I'm trying to set a user password using sops.secrets.<secret>.neededForUsers = true; and hashedPasswordFile = config.sops.secrets.<secret>.path.

When I try to rebuild my system I get the following error:

nixos-rebuild dry-activate --flake .#$(hostname) --use-remote-sudo --show-trace --verbose
building the system configuration...
Building in flake mode.
$ nix --extra-experimental-features nix-command flakes build .#nixosConfigurations."leviathan".config.system.build.toplevel --show-trace --verbose --out-link /tmp/nix-shell.Mb8Ok8/nixos-rebuild.FSAJNr/result
$ sudo systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait true
Using systemd-run to switch configuration.
$ sudo systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait /nix/store/yjhqvqd9xcyr31y8g95gdj2ppmx4hb5z-nixos-system-leviathan-24.05.20240918.dbebdd6/bin/switch-to-configuration dry-activate
would activate the configuration...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint 2551d89670064b558012e9f5b47d2071a9563af4
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age19sen90jpf6t8u8yjd53jgrvrxu7metjjc2dw4fsuds2zugqyxvxs9c5eql
warning: password file ‘/run/secrets-for-users/leviathan-password’ does not exist
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint 2551d89670064b558012e9f5b47d2071a9563af4
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age19sen90jpf6t8u8yjd53jgrvrxu7metjjc2dw4fsuds2zugqyxvxs9c5eql
would restart the following units: home-manager-wesleyjrz.service

The secrets are being stored inside /run/secrets-for-users.d though. I tried using the absolute path for the secrets instead of config.sops.secrets.<secret>.path, but it doesn't work: I can't log in to the system anymore.

I've tried using the same plain hashed password with hashedPassword and it's working.

CORAAL commented 1 month ago

Hello, I have the same problem.

I might be wrong, but I think the issue is related to nix 2.24.

My unstable system hasn't been updated for about ten days (maybe more, maybe less).

I first updated all inputs except nixpkgs (unstable) without encountering any problems.

It was only when I updated nixpkgs that I noticed the issue.

Before updating my system today, nix was at version 2.18.

Since upgrading to version 2.24, I've been observing the same problem.

I've tried older versions of sops-nix and I still get the same error: warning: password file ‘/run/secrets-for-users/user-password’ does not exist, as mentioned before.

If I add nix.package = pkgs.nixVersions.nix_2_18; to my configurations, the previous error disappears.

Unfortunately, on reboot the user is still inaccessible.

CORAAL commented 4 weeks ago

I continued my research:

I assigned a password to root via hashedPassword (without sops) and used a sops secret for my user with hashedPasswordFile = config.sops....... ;

After rebuilding, if I open /etc/passwd I see my user and root. If I open /etc/shadow, I see that my user and root each have a line such as:

root:HASHEDPASSWORD:1::::::
alex:HASHEDPASSWORD:1::::::

I've replaced the real string with HASHEDPASSWORD in the lines above for the example, so the string that actually appears in the file is the one included in the configuration.

When I restart, the gnome login manager asks me to enter a full login (username and password) instead of presenting me with the default user. Here, alex doesn't work, but root does.

From here, I open a tty and connect via root.

If I do su alex, I can access my user. /home/alex still exists.

On the /etc/passwd side, alex is mentioned as it was before the reboot. On the /etc/shadow side, alex no longer contains a hash as before the reboot.

The line formerly alex:HASHEDPASSWORD:&:::::: has become alex:!:1::::::.

Whether I use sops or not, /etc/shadow (before reboot) seems to have the same hash, except that on reboot only the password defined without sops will persist.

I also note that if I try to authenticate with my user in gdm, the description associated with the user (users.users.<name>.description) is displayed.

EDIT: I observe the same symptoms when neededForUsers = true; is used.

I used this option to configure wi-fi, which became unavailable on reboot until this option was removed.
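A small diagnostic for the two symptoms reported in this thread (the missing /run/secrets-for-users/<name> path from the first post, and the user's /etc/shadow entry turning into `!` after reboot from the second). This is an added example, not sops-nix code; the function names, the placeholder secret name and the sample shadow lines are my own.

```shell
#!/bin/sh
# Added diagnostic for the symptoms in this issue; not part of sops-nix.
# Function names and sample data are constructed. Reading /etc/shadow needs root.

# Classify the path that users.users.<name>.hashedPasswordFile points at.
# "missing" is the state behind the warning quoted above: nothing exists at the
# /run/secrets-for-users/<name> path sops-nix is expected to symlink.
secret_path_status() {
  if [ -L "$1" ]; then
    if [ -e "$1" ]; then echo ok; else echo dangling; fi
  elif [ -f "$1" ]; then
    echo ok
  else
    echo missing
  fi
}

# Classify the password field of one shadow(5) line:
#   hash      a crypt(3) hash ($id$...) is present, password login possible
#   locked    "!" or "*": password login disabled (the post-reboot state above)
#   empty     no password required at all, which is worth flagging
#   other     non-empty but not a $-prefixed hash (e.g. a placeholder)
#   malformed no ':' separator, so not a shadow line
shadow_status() {
  case $1 in
    *:*) ;;
    *) echo malformed; return 1 ;;
  esac
  field=${1#*:}          # drop the account name
  field=${field%%:*}     # keep the password field only
  case $field in
    '')        echo empty ;;
    '!'*|'*'*) echo locked ;;
    '$'*)      echo hash ;;
    *)         echo other ;;
  esac
}

# One line per check for a user name, a shadow file and the secret path.
report_user() {
  name=$1; shadow=$2; secret=$3
  printf 'secret %s: %s\n' "$secret" "$(secret_path_status "$secret")"
  entry=$(grep "^$name:" "$shadow" 2>/dev/null | head -n 1)
  if [ -n "$entry" ]; then
    printf 'shadow %s: %s\n' "$name" "$(shadow_status "$entry")"
  else
    printf 'shadow %s: absent\n' "$name"
  fi
}

# Usage: sh check.sh alex /etc/shadow /run/secrets-for-users/alex-password
if [ $# -eq 3 ]; then report_user "$@"; fi
```

Run it once after the rebuild and once after the reboot; a secret that reads "ok" before and "missing" after, or a shadow entry that goes from "hash" to "locked", pins down which half of the chain broke.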