Closed ersinakinci closed 8 months ago
> 1. When running `agenix rekey`, `rage` gets stuck on the `Please insert YubiKey with serial` prompt. If I insert my YubiKey, it doesn't recognize it.

Unfortunately I have no idea what's going on there. That definitely sounds like a problem related to rage in some way, especially if age works. Do you have the pcsc-lite daemon running? Does it work outside of agenix-rekey? Maybe I can add an option in the future to choose between the two.
> 2. When running `agenix rekey`, for the longest time I kept bashing my head against the `At least one rekeyed secret is missing, please run agenix rekey again` error. In the end, I noticed that it kept printing a path: `rekeyed secret: /tmp/agenix-rekey.1000/...`. Hmm, the `1000` looks suspiciously like a user uid. The problem was that I was prefixing with `sudo`, as in `sudo agenix rekey`. The error went away when I stopped running the command with elevated privileges (after adding my user to `allowed_users` in my nix config).

Yes you should always rekey as yourself, sorry if that wasn't clear. Maybe a future change will remove the need for that. I chose to split the rekeyed secrets by UID to prevent other users from being able to hijack rekeyed secrets between rekey- and build-time.
> Which leads me to my final problem that I can't get around:
>
> 3. When running `agenix rekey`, I keep seeing this error: `getting status of '/run/agenix/piknikHybridConfig': No such file or directory`. `piknikHybridConfig` is a secret that I've set up in my NixOS modules, which I'm trying to reference within Home Manager using `home.file.".config/piknik/piknik.toml".source = osConfig.age.secrets.piknikHybridConfig.path`.

This looks like a general issue with how you are using agenix. `home.file.<something>.source` requires a path to a file that is available on your current system at build time. But agenix is decrypting files on your computer at activation time. So the path will only be available after you have added `age.secrets.<something>`, rebuilt your system once and activated it.

So you are trying to use the decrypted result of a secret at build time, which creates a chicken-egg problem. The secret is only created after building and switching, but building is only possible if the file is already in `/run/agenix`. Usually you would use agenix with options that are called `passwordFile` or similar, which only access the given path at runtime.

A simple fix for this should be to create a link to the decrypted file instead of referencing it directly:

```nix
home.file.".config/piknik/piknik.toml".source = config.lib.file.mkOutOfStoreSymlink age.secrets.piknikHybridConfig.path;
```
@oddlama thank you so much for all of your help!
> Unfortunately I have no idea what's going on there. That definitely sounds like a problem related to rage in some way, especially if age works. Do you have the pcsc-lite daemon running? Does it work outside of agenix-rekey? Maybe I can add an option in the future to choose between the two.

The `pcsc-lite` daemon is running and I'm able to interact with `age-plugin-yubikey` on the command line; `pcsc_scan` shows my YubiKey just fine. `rage` doesn't work outside of agenix-rekey, it seems to be a `rage` problem on my system. No idea why. Adding an option to switch to `age` would be much appreciated!
> Yes you should always rekey as yourself, sorry if that wasn't clear.

A quick note in the docs would be appreciated for n00bies like me 😄
> I chose to split the rekeyed secrets by UID to prevent other users from being able to hijack rekeyed secrets between rekey- and build-time.

How does agenix-rekey determine the UID? I'm a little confused here because I was running everything as `sudo` or in a `sudo -i` shell, so I assumed that my UID was `0` for `root`. And in fact, secrets were being generated in--or copied to? I'm actually not sure what's going on at this stage of the process--`/tmp/agenix-rekey.0/...`. It seems that agenix-rekey is OK generating the secrets as root but expects them in a user dir.
> This looks like a general issue with how you are using agenix. `home.file.<something>.source` requires a path to a file that is available on your current system at build time. But agenix is decrypting files on your computer at activation time. So the path will only be available after you have added `age.secrets.<something>`, rebuilt your system once and activated it. So you are trying to use the decrypted result of a secret at build time, which creates a chicken-egg problem. The secret is only created after building and switching, but building is only possible if the file is already in `/run/agenix`. Usually you would use agenix with options that are called `passwordFile` or similar, which only access the given path at runtime.

So here's the weird thing. I got so carried away with the possibility of using your library that I never actually tried setting up vanilla agenix the "normal" way with SSH keys and so on; I went straight into using agenix-rekey.

Last night, after opening this issue, I decided to try a standard agenix setup. As I was looking through their repo, I noticed that home-manager (HM) integration is far from a stable thing, even though--as the first comment points out--merely passing agenix paths to HM modules shouldn't require any special integration. I also used `--show-trace` on my `nixos-rebuild switch` command and noticed deep in the stack that the `home.file` call was somehow involved.

On a hunch, I tried generating the file in `/etc` using `environment.etc."piknik.toml"` instead of generating the file in my home directory using HM's `home.file`, and everything just worked!

The question is, why? When I use the `environment.etc` method, the symlinks are as follows: `/etc/piknik.toml` -> `/etc/static/piknik.toml` -> `/run/agenix/piknikHybridConfig`. So I guess `environment.etc` uses symlinking already and `home.file` doesn't? This makes sense since one of HM's roles is to manage a user's personal dotfiles, which you often want to remain user-editable as opposed to being in the Nix store. Therefore, HM attempts to copy the files at build time as you suggested instead of symlinking to them in the store.
> A simple fix for this should be to create a link to the decrypted file instead of referencing it directly:
>
> ```nix
> home.file.".config/piknik/piknik.toml".source = config.lib.file.mkOutOfStoreSymlink age.secrets.piknikHybridConfig.path;
> ```

I just tried it and it works, thank you so much for this hint. I only had to adjust the `owner` and `mode` attributes so that my user could access the file. For anyone stumbling upon this thread looking for help, here's how you do that:

```nix
age.secrets = {
  my-secret = {
    file = /path/to/my/secret; # Can also be a string
    owner = "my-user";         # The user that must be able to read the decrypted file
    mode = "0500";             # Owner read + execute only; no write, and no access for group/others
  };
};
```

And for good measure for those coming from the Internet: if you try to confirm the presence of your secret inside of `/run/agenix` (or whatever your agenix cache dir is) by using `ls /run/agenix` as your non-superuser user, you'll get a permissions error because you don't have read permissions on the directory itself. However, if you run `ls /run/agenix/my-secret`, you'll see your secret is there after activation (i.e., after `nixos-rebuild switch`, not just `nixos-rebuild build`).
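Pulling the pieces of this thread together, here is an added example (not code from the issue, from agenix or from agenix-rekey's own documentation) of one NixOS configuration that declares the secret with `owner`/`mode`, consumes it system-wide through `environment.etc`, and consumes it from Home Manager through `mkOutOfStoreSymlink`. The secret name `piknikHybridConfig` and the `osConfig` argument come from the thread; `my-user`, the `./secrets/piknik.toml.age` path and the choice of `0400` (read-only, which is all a config consumer needs) are assumptions for illustration.

```nix
# Added example, not from the thread. `my-user` and the encrypted-file path are
# placeholders; `piknikHybridConfig` and `osConfig` are taken from the discussion above.
{ config, ... }:
{
  # 1. Declare the secret. agenix decrypts it to /run/agenix/<name> at
  #    activation time (nixos-rebuild switch), never at build time.
  age.secrets.piknikHybridConfig = {
    file = ./secrets/piknik.toml.age;  # placeholder: path to the encrypted file
    owner = "my-user";                 # placeholder: user that needs to read it
    mode = "0400";                     # assumed: owner read-only, nobody else can open it
  };

  # 2. System-level consumer. environment.etc only creates a symlink chain
  #    (/etc/piknik.toml -> /etc/static/piknik.toml -> /run/agenix/piknikHybridConfig),
  #    so the decrypted file does not have to exist while the system is built.
  environment.etc."piknik.toml".source = config.age.secrets.piknikHybridConfig.path;

  # 3. Home Manager consumer. home.file.<name>.source copies its target into the
  #    Nix store at build time, so referencing the agenix path directly fails with
  #    "getting status of '/run/agenix/piknikHybridConfig': No such file or directory":
  #      home.file.".config/piknik/piknik.toml".source =
  #        osConfig.age.secrets.piknikHybridConfig.path;   # breaks at build time
  #    mkOutOfStoreSymlink puts only a symlink in the store; it is followed at runtime,
  #    after activation has populated /run/agenix.
  home-manager.users.my-user = { osConfig, config, ... }: {
    # Inside this HM module `config` is the Home Manager config (it shadows the
    # NixOS `config` above); `osConfig` is the NixOS config passed in by the
    # home-manager NixOS module.
    home.file.".config/piknik/piknik.toml".source =
      config.lib.file.mkOutOfStoreSymlink osConfig.age.secrets.piknikHybridConfig.path;
  };
}
```

The `owner` line is what lets the HM symlink actually be readable once followed: the symlink itself is world-readable store content, but the target in `/run/agenix` is only opened by the user's processes at runtime, so it must be owned (or group-readable) by that user. As the thread notes, a plain `nixos-rebuild build` evaluates all of this without touching `/run/agenix`; only `nixos-rebuild switch` creates the decrypted file.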
Hi there! Thank you so much for your work on this library, I'm stubbornly wedded to the idea of using it.
Unfortunately, I've been struggling to get it working on my NixOS machine. Here are the issues I've run into:
1. When running `agenix rekey`, `rage` gets stuck on the `Please insert YubiKey with serial` prompt. If I insert my YubiKey, it doesn't recognize it. Whether I press "y" or "n" doesn't matter, it just repeats the same prompt over and over again. The same problem doesn't happen with `age` for some reason, so I got around this issue by forking your repo and replacing references to `rage` with `age`. Kinda dumb but it works enough to get me to the next error...
2. When running `agenix rekey`, for the longest time I kept bashing my head against the `At least one rekeyed secret is missing, please run agenix rekey again` error. In the end, I noticed that it kept printing a path: `rekeyed secret: /tmp/agenix-rekey.1000/...`. Hmm, the `1000` looks suspiciously like a user uid. The problem was that I was prefixing with `sudo`, as in `sudo agenix rekey`. The error went away when I stopped running the command with elevated privileges (after adding my user to `allowed_users` in my nix config).

   Which leads me to my final problem that I can't get around:

3. When running `agenix rekey`, I keep seeing this error: `getting status of '/run/agenix/piknikHybridConfig': No such file or directory`. `piknikHybridConfig` is a secret that I've set up in my NixOS modules, which I'm trying to reference within Home Manager using `home.file.".config/piknik/piknik.toml".source = osConfig.age.secrets.piknikHybridConfig.path`.

The relevant NixOS module looks like:
The full reference to my secret looks like this:
Any ideas what might be going wrong?