Agenix problems

rocky_revolutionary · January 2, 2022, 7:05pm

I’m trying to use agenix to manage encrypted secrets on my NixOS machine. I’m starting with my git signing key; I told agenix in my secrets.nix that I only wanted to sign this secret with both the system’s and user’s ed2115 SSH keys. Why is it that agenix -e git_signing_key.age asks me for my RSA key password?

veehaitch · January 2, 2022, 11:02pm

Sounds like something that shouldn’t happen. You mean something like this?

github.com

ryantm/agenix/blob/c5558c88b2941bf94886dfdede6926b1ba5f5629/example/secrets.nix#L6

    
      
          let
            user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
            system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
          in
          {
            "secret1.age".publicKeys = [ user1 system1 ];
            "secret2.age".publicKeys = [ user1 ];
            "passwordfile-user1.age".publicKeys = [ user1 system1 ];
          }

A full example would be helpful.

rocky_revolutionary · January 2, 2022, 11:24pm

Exactly like that. I will have a concrete example soon

rocky_revolutionary · January 3, 2022, 3:33am

Concrete example that fails with the same error

`secrets/secrets.nix`

let
  rocky = "ssh-ed25519";
  elaine = "ssh-ed25519";
in
{
  "secret1.age".publicKeys = [ rocky elaine ];
}

And the actual secret could be anything

rocky_revolutionary · January 3, 2022, 3:34am

Time to take it to GitHub?

veehaitch · January 3, 2022, 8:54am

Unfortunately, I cannot reproduce this. Maybe opening an upstream issue with detailed instructions about your setup and the steps you executed is the best way forward.

cc @ryantm