How can I place a file with sops-nix?

This actually compiles and yields no errors, but there’s no file in /root/.ssh/, so I think I specify the path wrong.


home-manager.users.root = {
  home.stateVersion = "23.11";

  sops = {
    age.keyFile = "/home/b0ef/.config/sops/age/keys.txt";
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "root_ssh_key_bytesized" = {
        mode = "0600";
        path = "/root/.ssh/id_root_quasar";
      };
    };
  };
};

I’ve also tried this

home-manager.users.root = {
  home.stateVersion = "23.11";

  sops = {
    age.keyFile = "/home/b0ef/.config/sops/age/keys.txt";
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "root_ssh_key_bytesized" = {
        mode = "0600";
        path = "${config.home.homeDirectory}/.ssh/id_root_quasar";
      };
    };
  };
};

, but no file appears in /root/.ssh

My sops secrets specifies root_ssh_key_bytesized

root_ssh_key_bytesized: ENC[AES256_GCM,data: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,iv:UdlXSa24N/7hP3YhzCp5n7Rc7AJvIW7dlcog5GL2Ha4=,tag:dQu9vpRoOMOYLMv6yO6X5g==,type:str]

try restarting the service after that

systemctl --user restart sops-nix.service

I always reboot; isn’t that enough?

I’m fighting some bugs, so I run the command like this:

NIX_SSHOPTS="-o RequestTTY=force" nixos-rebuild boot --flake .#pi --target-host b0ef@10.0.0.68 --use-remote-sudo --impure

oh sorry, if you reboot it seems like a different problem from what I’ve experienced

ok, it seems as if home-manager should not be used if you want to place files in /root

So, what else do you use then?

Do not place files in /root. Treat it as nonexistent.

Perhaps try to explain why you need the key there. Perhaps there are other ways to solve your problem, like configuring SSH to read the identityfile from elsewhere.

For sops-HM to work, your user needs to log in in a way that systemd’s user services for that user get started, and that user has to stay logged in. The secrets will be removed once the last user session is terminated.

The reason is that fileSystems are mounted by root, so where should I place the SSH key then? In /etc?

fileSystems."/mnt/foo" = {
    device = "foo@bar/famadorian/";
    fsType = "sshfs";
    options =
      [
        "allow_other"          # for non-root access
        "_netdev"              # this is a network fs
        "x-systemd.automount"  # mount on demand

        # SSH options
        "reconnect"
        "ServerAliveInterval=15"
        "IdentityFile=/root/.ssh/id_root_quasar"
      ];
  };

For what do you need it? Can’t you just leave it at its default location and use IdentityFile=${sops.secrets.root_ssh_key_bytesized.path}?

But actually as a system secret?

Do you know if that will work?

’Cause it was aggressively wanting it to be a file with specific 400 permissions, but do you know whether that solution of yours works? :wink:

Set an appropriate mode and owner/group, and it should do.


ok, I can set it like this;). Thanks.

sops.secrets.example-secret.mode = "0400";
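Putting the thread's conclusion together, here is an added example of a system-level NixOS module (not code from any poster or from sops-nix itself) that declares the key as a system secret with a restrictive mode and owner, and points the sshfs mount at the path sops-nix chooses instead of a hand-picked file under /root. It assumes the same secret name, age key location and mount target used above; `sops.secrets.<name>.path`, `owner`, `group` and `mode` are existing sops-nix options, and the secret lands under /run/secrets/ by default, where it is decrypted at system activation rather than being tied to a user login session.

```nix
{ config, ... }:

{
  # System-level sops-nix (not home-manager), so the secret is decrypted
  # during activation and is not removed when a user session ends.
  sops = {
    age.keyFile = "/home/b0ef/.config/sops/age/keys.txt";  # assumed, as in the thread
    defaultSopsFile = ./secrets.yaml;                      # assumed, as in the thread

    secrets."root_ssh_key_bytesized" = {
      # OpenSSH refuses private keys readable by others; 0400 and root
      # ownership satisfy that and keep the key off other local users.
      mode = "0400";
      owner = "root";
      group = "root";
      # No explicit path: sops-nix places it at /run/secrets/root_ssh_key_bytesized.
    };
  };

  fileSystems."/mnt/foo" = {
    device = "foo@bar/famadorian/";  # placeholder from the thread, not a real host
    fsType = "sshfs";
    options = [
      "allow_other"          # for non-root access
      "_netdev"              # this is a network fs
      "x-systemd.automount"  # mount on demand

      # SSH options; the mount runs as root, matching the secret's owner.
      "reconnect"
      "ServerAliveInterval=15"
      "IdentityFile=${config.sops.secrets."root_ssh_key_bytesized".path}"
    ];
  };
}
```

After a rebuild, `ls -l /run/secrets/root_ssh_key_bytesized` should show `-r--------` owned by root, and the mount unit will read that path directly; nothing needs to exist under /root/.ssh.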