serokell / deploy-rs

A simple multi-profile Nix-flake deploy tool.

cannot add path `'/nix/store/$HASH-system-path'` because it lacks a signature by a trusted key #293

Closed lenianiva closed 2 months ago

lenianiva commented 2 months ago

I have been getting this error since I disabled root login on the remote machine. The full log is

🚀 ℹ️ [deploy] [INFO] Running checks for flake in .
path '/home/aniva/Projects/Servers/nixos' does not contain a 'flake.nix', searching up
evaluation warning: config.services.gitea.database.password will be stored as plaintext in the Nix store. Use database.passwordFile instead.
warning: unknown flake output 'deploy'
warning: The check omitted these incompatible systems: aarch64-darwin, aarch64-linux, x86_64-darwin
Use '--all-systems' to check all.
🚀 ℹ️ [deploy] [INFO] Evaluating flake in .
path '/home/aniva/Projects/Servers/nixos' does not contain a 'flake.nix', searching up
🚀 ℹ️ [deploy] [INFO] The following profiles are going to be deployed:
[minimal.system]
user = "root"
ssh_user = "aniva"
path = "/nix/store/sbyxfyk8qmmj7rnypy0yjwgqjr0lsw2i-activatable-nixos-system-minimal-24.11.20240909.5775c25"
hostname = "minimal.mellite"
ssh_opts = ["-oControlMaster=no"]

🚀 ℹ️ [deploy] [INFO] Building profile `system` for node `minimal`
🚀 ℹ️ [deploy] [INFO] Copying profile `system` to node `minimal`
warning: error: unable to download 'https://cache.nixos.org/nix-cache-info': Timeout was reached (28); retrying in 308 ms
warning: error: unable to download 'https://cache.nixos.org/nix-cache-info': Timeout was reached (28); retrying in 578 ms
warning: error: unable to download 'https://cache.nixos.org/nix-cache-info': Timeout was reached (28); retrying in 1370 ms
warning: error: unable to download 'https://cache.nixos.org/nix-cache-info': Timeout was reached (28); retrying in 2817 ms
warning: unable to download 'https://cache.nixos.org/nix-cache-info': Timeout was reached (28)
[1/0/13 copied (4.5/4.9 MiB)] copying path '/nix/store/69hj1k86rpdhp9fw3vmmwyrdm1c33pxr-system-path' to 'ssh://aniva@minimal.mellite'error: cannot add path '/nix/store/69hj1k86rpdhp9fw3vmmwyrdm1c33pxr-system-path' because it lacks a signature by a trusted key
error (ignored): error: unexpected end-of-file
error: unexpected end-of-file
🚀 ❌ [deploy] [ERROR] Failed to push profile to node minimal: minimal

The problem did not happen before when I had root login and sshUser = "root".

My username, aniva, is in the wheel group, and I've set the nix.settings.trusted-users to ["root" "aniva" "@wheel"].

My deploy command is this:

deploy .#minimal

where I don't have --checksigs enabled.

The /etc/nix/nix.conf on my host machine has this line (following https://nixos.wiki/wiki/Nixos-rebuild):

trusted-users = aniva

exellentcoin26 commented 2 months ago

I fixed this by directly accessing the machine I was deploying to, setting the attribute and rebuilding. After this, everything should work as expected.

lenianiva commented 2 months ago

> I fixed this by directly accessing the machine I was deploying to, setting the attribute and rebuilding. After this, everything should work as expected.

I solved it as well. I initially deployed my machines with nixos-anywhere and I didn't have trusted-users = ["root" "@wheel"] enabled. After re-deploying the machines with nixos-anywhere it went fine.

PhilTaken commented 2 months ago

Ah yeah, correctly configuring trusted users and the like is a common issue. We should probably improve documentation a bit there or at least mention it in the readme :/
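
An added example, not part of the thread or of deploy-rs: both fixes above come down to the `trusted-users` setting on the machine being deployed to, and this sketch checks a target's nix.conf text for whether a given SSH user would match it. The merge of `extra-trusted-users` and the matching rules (literal name, `@group`, `*`) are simplified assumptions about Nix's behaviour, and the sample configs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not deploy-rs or Nix code: would the Nix daemon on the deploy
# target treat the SSH user as trusted? Config text below is constructed.

# Print the effective trusted-users list for nix.conf text read from stdin.
# Assumptions: the last `trusted-users` line wins, `extra-trusted-users`
# appends, `include` lines are not followed; the built-in default is "root".
effective_trusted_users() {
  awk '
    BEGIN { base = "root"; extra = "" }
    { sub(/#.*/, "") }                      # drop comments
    $1 == "trusted-users" && $2 == "=" {
      base = ""; for (i = 3; i <= NF; i++) base = base " " $i
    }
    $1 == "extra-trusted-users" && $2 == "=" {
      for (i = 3; i <= NF; i++) extra = extra " " $i
    }
    END { out = base extra; gsub(/^ +| +$/, "", out); print out }
  '
}

# is_trusted USER "GROUPS" "TRUSTED_LIST": exit status 0 when USER matches.
# The body is a subshell, so `set -f` and `exit` stay local to the call.
is_trusted() (
  user=$1 grps=$2
  set -f                                    # keep a literal "*" from globbing
  for entry in $3; do
    [ "$entry" = "*" ] && exit 0            # wildcard: every user
    [ "$entry" = "$user" ] && exit 0        # user named directly
    for g in $grps; do
      [ "$entry" = "@$g" ] && exit 0        # @group entry
    done
  done
  exit 1
)

# Constructed configs modelled on the thread: the target as first installed
# (no trusted-users line) and after the fix.
target_before='experimental-features = nix-command flakes'
target_after='trusted-users = root @wheel'

for conf in "$target_before" "$target_after"; do
  list=$(printf '%s\n' "$conf" | effective_trusted_users)
  if is_trusted aniva "users wheel" "$list"; then verdict="trusted"
  else verdict="NOT trusted"; fi
  echo "trusted-users = $list -> aniva is $verdict"
done
```

On a real target, feed the function `/etc/nix/nix.conf` and pass the output of `id -Gn USER` as the group list. The Nix manual describes membership in `trusted-users` as essentially equivalent to root access on that machine, so keep the list narrow.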