I want to use agenix in my configuration.nix file. I followed the tutorial on the agenix repo, but when running nixos-rebuild switch I get the age error "no identity matched any of the recipients". I do use a public key in secrets.nix that is in /etc/ssh/ though. Do the actual values for user here have to correspond to system users?
```nix
let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  user2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILI6jSq53F/3hEmSs+oq9L4TwOo1PrDMAgcA1uo1CCV/";
  users = [ user1 user2 ];
  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
  system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1";
  systems = [ system1 system2 ];
in
{
  "secret1.age".publicKeys = [ user1 system1 ];
  "secret2.age".publicKeys = users ++ systems;
}
```
Does the secret1.age file need to have certain permissions? What else could be going wrong here?

EDIT: when running nixos-rebuild switch I get the output "setting up /etc..." after the decryption attempt. Is it possible that the ssh keys aren't yet available during the decryption? If so, how can I enforce that they are?
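The error in the question means that none of the private keys agenix tried as identities corresponds to any public key the .age file was encrypted to. A quick way to narrow that down is to compare the host's SSH public key with the recipient list in secrets.nix before rebuilding. The script below is an added example, not code from the question or from the agenix project; it embeds a constructed secrets.nix fragment (reusing the key strings shown above) so it runs offline, and the `/etc/ssh/ssh_host_*.pub` path in the helper is an assumption about where the host keys live.

```shell
#!/bin/sh
# Added example: check whether an SSH host public key is one of the recipients
# listed in an agenix secrets.nix. If it is not, agenix cannot decrypt the secret
# with that host key, which surfaces as "no identity matched any of the recipients".

# Constructed sample secrets.nix, embedded so the check runs offline.
# The key strings are the example keys from the question, not real deployments.
SAMPLE_SECRETS='let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
in
{
  "secret1.age".publicKeys = [ user1 system1 ];
}'

# recipient_keys: read secrets.nix text on stdin, print every quoted SSH public key
# as "<type> <base64 material>" (one per line). Only the key material matters;
# the Nix variable names (user1, system1, ...) are arbitrary and need not match
# any system user.
recipient_keys() {
  grep -o '"ssh-[a-z0-9-]* [A-Za-z0-9+/=]*' | sed 's/^"//'
}

# host_key_is_recipient PUBKEY_LINE SECRETS_TEXT
# Returns 0 if the key material in PUBKEY_LINE (e.g. the contents of
# ssh_host_ed25519_key.pub, trailing comment allowed) appears among the recipients.
host_key_is_recipient() {
  key_fields=$(printf '%s\n' "$1" | awk '{print $1, $2}')   # drop the comment field
  printf '%s\n' "$2" | recipient_keys | grep -qxF "$key_fields"
}

# check_host_keys SECRETS_FILE
# Runs the comparison for every readable host public key on this machine.
# Path is an assumption (the default location used by NixOS's openssh module).
check_host_keys() {
  secrets_text=$(cat "$1")
  for pub in /etc/ssh/ssh_host_*.pub; do
    [ -r "$pub" ] || continue
    if host_key_is_recipient "$(cat "$pub")" "$secrets_text"; then
      echo "recipient:     $pub"
    else
      echo "NOT recipient: $pub"
    fi
  done
}
```

Usage on a real machine would be `check_host_keys /path/to/secrets.nix`; if every host key prints "NOT recipient", the .age files were encrypted to a different key than the one agenix is using as its identity, and they need to be re-keyed with the correct public key. If a host key is listed but decryption still fails, the remaining suspects are a different identity path or the .age file having been encrypted before the key was added to secrets.nix.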