I recently decided to switch to a short login password for my NixOS hosts. My config is public on Github and I’m a security professional so out of some kind of pride I decided I shouldn’t leave the raw hash of this password in public, and encrypted it via Agenix.
This went fine at first until I rebooted today and discovered I can’t log in. (Aside: isn’t NixOS fantastic? Booting into a non-functional system but having not even the slightest concern - “oh, well I’ll just boot into the previous generation” is extremely satisfying!)
Anyway after I peered at journalctl -b -1 for a couple of minutes the issue became clear:
Oct 14 21:18:42 chungito stage-2-init: [agenix] WARNING: config.age.identityPaths entry /etc/ssh/ssh_host_ed25519_key not present!
...
Oct 14 21:18:42 chungito stage-2-init: reviving user 'brendan' with UID 1000
Oct 14 21:18:42 chungito stage-2-init: warning: password file ‘/run/agenix/weak-local-password-hash’ does not exist
...
Oct 14 21:18:42 chungito stage-2-init: [agenix] chowning...
...
Oct 14 21:18:42 chungito stage-2-init: chown: cannot access '/run/agenix.d/1/weak-local-password-hash': No such file or directory
Oct 14 21:18:42 chungito stage-2-init: Activation script snippet 'agenixChown' failed (1)
...
Oct 14 21:18:42 chungito systemd[1]: Starting Bind mount or link /persistent/etc/ssh/ssh_host_ed25519_key to /etc/ssh/ssh_host_ed25519_key...
I am using impermanence so my SSH host keys are mounted by a bind-mount. The overall /persistent mount is configured with neededForBoot but that obviously doesn’t affect the bind mounts. There’s nothing tracking the dependency that would ensure the bind mount is created before agenix starts up and the user is created.
I feel like I can’t be the first one to have run into this issue. What am I missing here - is there an easy fix for this (besides just going back to my strong password that I don’t mind publishing the hash for)?
I can’t speak to this exact issue, but I did have a similar issue where I needed to mount my password-encrypted media drive. I tried putting the password in an agenix file, but could never get it to boot, so I ended up giving up and putting it in plain text. Would love to know if there’s a way around this
I assume it has to do with the age files getting decrypted at the wrong point in the boot process.
Oct 14 21:18:42 chungito stage-2-init: [agenix] WARNING: config.age.identityPaths entry /etc/ssh/ssh_host_ed25519_key not present!
Systemd creates users (but doesn’t have my password hash):
Oct 14 21:18:42 chungito stage-2-init: reviving user 'brendan' with UID 1000
Oct 14 21:18:42 chungito stage-2-init: warning: password file ‘/run/agenix/weak-local-password-hash’ does not exist
Agenix does some other stuff (this isn’t really relevant to the story, now I think about it)
Oct 14 21:18:42 chungito stage-2-init: [agenix] chowning...
...
Oct 14 21:18:42 chungito stage-2-init: chown: cannot access '/run/agenix.d/1/weak-local-password-hash': No such file or directory
Oct 14 21:18:42 chungito stage-2-init: Activation script snippet 'agenixChown' failed (1)
The mount units created by the impermanence modules get set up:
Oct 14 21:18:42 chungito systemd[1]: Starting Bind mount or link /persistent/etc/ssh/ssh_host_ed25519_key to /etc/ssh/ssh_host_ed25519_key...
So yeah it’s just that part 4 needs to happen before part 1.
Or, maybe a simpler workaround would just be to get Agenix to use the host keys directly from the base persisting mount, in my case at /persistent, which is set up during early boot.
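The workaround described above (pointing agenix at the key on the base persistent mount instead of the bind-mount target), written out as an added example configuration that is not from the thread or from the agenix/impermanence projects; the /persistent mount point, secret name, user and paths are assumptions for illustration:

```nix
{ config, ... }:
{
  # Assumed layout (constructed for this example): the persistent volume is
  # mounted at /persistent. neededForBoot makes it available in stage 1, so
  # it is already mounted when the stage-2 activation scripts run.
  fileSystems."/persistent".neededForBoot = true;

  # impermanence bind-mounts the host key into /etc/ssh from a systemd mount
  # unit, which starts only after activation. Nothing orders that unit
  # before agenix, so the key is not at /etc/ssh when agenix decrypts.
  environment.persistence."/persistent".files = [
    "/etc/ssh/ssh_host_ed25519_key"
    "/etc/ssh/ssh_host_ed25519_key.pub"
  ];

  # Problematic setting: the identity is the bind-mount target, which
  # produces the "config.age.identityPaths entry ... not present!" warning
  # and leaves the password hash undecrypted when the user is created.
  # age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Workaround: read the same key from the base persistent mount, which is
  # present during early boot, so decryption happens before user creation.
  age.identityPaths = [ "/persistent/etc/ssh/ssh_host_ed25519_key" ];

  # Secret file and user are assumed names; the decrypted hash lands under
  # /run/agenix and is only ever referenced by path, never put in the store.
  age.secrets.weak-local-password-hash.file =
    ./secrets/weak-local-password-hash.age;

  users.users.brendan = {
    isNormalUser = true;
    uid = 1000;
    # On NixOS releases before the rename this option is called passwordFile.
    hashedPasswordFile = config.age.secrets.weak-local-password-hash.path;
  };
}
```

After rebuilding, check journalctl -b for the agenix identityPaths warning and the "password file ... does not exist" line: if both are gone, the hash was available when the user was created.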