How to use Yubikeys in nixos-install / chroot?

Agenix and sops-nix can’t seem to find my Yubikeys during a nixos-install. Mounting /run seems to help, but installed systems then don’t have the decrypted secrets and programs go missing from my $PATH. Which directories do I need specifically, aside from /run/pcscd?

Why is the yubikey relevant at installation? Installation doesn’t activate, and the secrets are only decrypted at activation time.

At least this is how it is supposed to work.

The problem that I see though is that you can’t know the machine’s public hostkey before first boot, so none of the secrets are set up for that hostkey.

Maybe the Yubikey changes that, but I do not know the details about the Yubi-use with sops-nix/agenix, only heard that it is somehow possible.


Strangely enough, nixos-install seems to activate the agenix and sops-nix decryption process, and since I use the Yubikey as a master key, it needs to be available while activating. I have a systemd script that generates the public keys upon config activation and reencrypts the secrets.

It’s worth figuring out why it does that. If that’s happening you’re doing something very weird.


Any way to determine why?

Not without having access to your configuration and/or the logs.

Though preferably and.

If you fear leaking sensible data, try to provide an sscce.

My configs are available at syvl.org/syvlorg at master; I am trying to install the silver host under systems/x86_64-linux/silver. However, flake installs seem to have single-line logs; should I just redirect the output to a file?

You can use -L to print build logs.


Well, you can if you generate it in advance and specify it in your config, and if you’re rolling your own install ISO you can also have access to it at install time.

Normally they should just fail to activate but still actually install your system, and then you could just reboot into it and switch the system one more time without failing credentials.

If that isn’t the case because of using yubikey, then perhaps the way that’s done should figure out a way to degrade gracefully to not lock up installation?

Yeah, last time I did that (about 2 or 3 years ago) I just ran nixos-install, copied the private keys after that, and rebooted.

No hints on the secrets being needed on install itself.

That was sops-nix though. Not sure if agenix would have been different.


To be clear, I’m mostly commenting on possibility, not whether it is useful. Although, I do have a use for having host keys known at install time when provisioning certain types of hosts.


I tried to build your configuration before trying to then nixos-install it on a throw-away.

Sadly not even building succeeds, due to some font build issues.

Besides that, you really should tackle the warnings and get rid of all the useless nixConfig.


So at the moment, it’s completing the installation, but I can’t access the secrets once I boot into the new machine, which means I can’t use my hashedPasswordFile, for example. I’ll post the logs in a bit.

I second that. I do it exactly the same way. Tbh. I currently can’t come up with a reason why the secrets are needed during install because activation is only done after first reboot.

Oh, yeah; commercial fonts. If you’re willing to try again, you can try using the other fonts specified in common/stylix/default.nix instead of Cartograph-CF.

Are you using neededForUsers along with sops-nix? A grep on your flake shows a commented line.

common/users/default.nix:  # sops.secrets.hashedPassword.neededForUsers = true;

So here are the steps I do (using sops):

  • Create new ssh host keys
  • Reencrypt my sops secrets file with those keys
  • Move the configuration and the ssh host keys in the correct folder in /mnt
  • Install
  • Reboot

The system should already be able to decrypt the secrets. I don’t use a Yubikey though so that might make a difference.
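The five steps above, written out as a POSIX shell script. This is an added example, not code from the thread or from the sops-nix project. It assumes `ssh-keygen`, `ssh-to-age`, `sops` and `nixos-install` are on PATH, that the flake lives in `FLAKE_DIR` with a `.sops.yaml` and `secrets/secrets.yaml` (hypothetical paths), and that the admin age key that currently decrypts the secrets is reachable through `SOPS_AGE_KEY_FILE`, since `sops updatekeys` must be able to decrypt the file before it can re-encrypt it for the new host key. The new host key never leaves `/mnt`, so the installed system can decrypt on first boot without any secret being needed during `nixos-install`.

```shell
#!/bin/sh
# Added example: provision a sops-nix host key before nixos-install (not the thread's own code).
# Assumed layout (hypothetical): $FLAKE_DIR/.sops.yaml and $FLAKE_DIR/secrets/secrets.yaml.
set -eu

# Pure helper: render a .sops.yaml that names the admin key and the new host key as
# recipients for every file matching path_regex. Uses YAML anchors as sops documents them.
render_sops_yaml() {
  admin_age="$1"; host_age="$2"; path_regex="$3"
  printf 'keys:\n  - &admin %s\n  - &host %s\ncreation_rules:\n  - path_regex: %s\n    key_groups:\n      - age:\n          - *admin\n          - *host\n' \
    "$admin_age" "$host_age" "$path_regex"
}

# Step 1: create the ed25519 host key under the target root and print its age recipient.
# sops-nix reads /etc/ssh/ssh_host_ed25519_key on the installed system by default, so the
# key is generated directly in /mnt/etc/ssh and never copied around.
generate_host_key() {
  root="$1"
  mkdir -p "$root/etc/ssh"
  ssh-keygen -q -t ed25519 -N '' -f "$root/etc/ssh/ssh_host_ed25519_key"
  chmod 600 "$root/etc/ssh/ssh_host_ed25519_key"
  ssh-to-age < "$root/etc/ssh/ssh_host_ed25519_key.pub"
}

# Step 2: rewrite .sops.yaml with the new recipient set and re-encrypt the secrets file.
# updatekeys needs a key that can already decrypt the file (the admin key via SOPS_AGE_KEY_FILE).
reencrypt_secrets() {
  flake_dir="$1"; admin_age="$2"; host_age="$3"
  render_sops_yaml "$admin_age" "$host_age" 'secrets/.*\.yaml$' > "$flake_dir/.sops.yaml"
  (cd "$flake_dir" && sops updatekeys -y secrets/secrets.yaml)
}

# Step 3: put the configuration next to the host keys in /mnt.
stage_configuration() {
  flake_dir="$1"; root="$2"
  mkdir -p "$root/etc/nixos"
  cp -a "$flake_dir/." "$root/etc/nixos/"
}

# Steps 4 and 5: install from the staged flake, then reboot into it.
main() {
  root="${TARGET_ROOT:-/mnt}"
  flake_dir="${FLAKE_DIR:?set FLAKE_DIR to the checkout of your flake}"
  host="${TARGET_HOST:?set TARGET_HOST to the nixosConfigurations attribute name}"
  admin_age="${ADMIN_AGE_RECIPIENT:?set ADMIN_AGE_RECIPIENT to your age1... public key}"

  host_age=$(generate_host_key "$root")
  reencrypt_secrets "$flake_dir" "$admin_age" "$host_age"
  stage_configuration "$flake_dir" "$root"
  nixos-install --root "$root" --flake "$root/etc/nixos#$host" --no-root-passwd
  echo "installed $host; host age recipient is $host_age; reboot when ready"
}

# Only run the destructive steps when explicitly requested, so the file can be sourced.
if [ "${RUN_INSTALL:-}" = "1" ]; then
  main
fi
```

Run it as `RUN_INSTALL=1 FLAKE_DIR=~/flake TARGET_HOST=silver ADMIN_AGE_RECIPIENT=age1... SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sh provision.sh` from the installer. Because the host key is created before the secrets are re-encrypted, nothing has to be decrypted at install time; the first activation after reboot finds both the key in `/etc/ssh` and a secrets file that already lists it.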

Unfortunately, both seem to be decrypting their secrets. The Yubikey is tripping up agenix, and sops-nix was failing on a secret needed for users, like the hashedPasswordFile.

That’s the one. It’s why I switched to agenix for that secret for the moment.

Yeah, the Yubikey is most likely the issue. It’s supposed to act like the master key, whereupon booting for the first time, a systemd script creates new host keys and reencrypts the secrets.