Hi, I’m having some trouble setting up sops-nix to set up the user password for my user.
I’m using pgp to encrypt my secrets and, as far as I understood, sops-nix will automatically generate a private pgp key based on the target host’s ssh key. I followed the documentation as closely as possible.
But whenever I try to activate my configuration via:
sudo nixos-rebuild -v test --show-trace --flake /etc/nixos#nixvm
I get this:
activating the configuration...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key as GPG key with fingerprint fc5624a466cdf7729a4be7e41d407079412e01bc
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1mhlx8c8xwkg4ae4awq6tmhhae4evwqwq5j7hwt4cqfp483cyz5hser9ef6
/nix/store/6kpwdjb1wa46cj9pc0ipvg7xd82vpy3j-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/fk9imaal42irdmbslvan3ddv2m3qzhx6-default.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecretsForUsers' failed (1)
warning: password file ‘/run/secrets-for-users/password_manji’ does not exist
setting up /etc...
reloading user units for manji...
setting up tmpfiles
warning: error(s) occurred while switching to the new configuration
My .sops.yaml looks like this:
keys:
  - &admin_manji 5C3960F507DD4ACC468EE93FE6C10F242BF4141B
  - &nixvm fc5624a466cdf7729a4be7e41d407079412e01bc
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - pgp:
          - *admin_manji
          - *nixvm
My Git layout is like this:
.
├── flake.lock
├── flake.nix
├── home_pw
├── programs
│   └── shell.nix
├── README.md
├── secrets
│   ├── default.yaml
│   └── keys
│       ├── systems
│       │   └── nixvm.asc
│       └── user
│           └── manji.asc
├── shell.nix
├── ssh
│   └── authorized_keys
├── systems
│   ├── common.nix
│   ├── nixbook
│   │   ├── configuration.nix
│   │   └── disko-config.nix
│   └── nixvm
│       ├── configuration.nix
│       ├── disko-config.nix
│       └── hardware-configuration.nix
└── users
    └── manji
        ├── default.nix
        ├── home
        │   └── default.nix
I included the sops-nix input in my flake and the module import in the modules section of each system configuration.
Inside my configuration the secret is referenced like this:
In systems/common.nix
#sops integration
sops.defaultSopsFile = ../secrets/default.yaml;
In users/manji/default.nix
let
  inherit (inputs) ssh-keys;
in
{
  sops.secrets.password_manji.neededForUsers = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.manji = {
    isNormalUser = true;
    description = "manji";
    hashedPasswordFile = config.sops.secrets.password_manji.path;
    openssh.authorizedKeys.keyFiles = [ ssh-keys.outPath ];
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [];
  };
}
The secret in unencrypted but censored form (secrets/default.yaml):
password_manji: <somehashvalue>
So if I use the provided shell.nix from the documentation, manually generate the pgp private key from the host key and import it manually with gpg --import, I am able to decrypt the secret. But as far as I can see in the nixos-switch output, sops-nix did create and import the pgp key, but using it for decryption seems to fail.
Is there a way to debug this further? Or does anyone have an idea where I messed up, or why the sops-generated and imported pgp key is not available for decryption?
I’m completely lost atm.
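One check worth running before digging into the GPG import, added here as an editor's example and not code from the post, from sops or from sops-nix: the `sops:` block that sops writes into an encrypted file records which pgp fingerprints (and age recipients) the data key was encrypted to, and the "N successful groups required" figure in the error comes from that block rather than from .sops.yaml (sops requires every key group it finds in the file unless `shamir_threshold` lowers that, so a file with no recorded recipients gives "0 required, got 0"). The script compares the two sides: it collects every fingerprint and age recipient named in .sops.yaml (a simplification that is exact for the single creation rule in the post) and reads the recipients recorded in the secrets file, then reports whether the file is sops-encrypted at all, which expected recipients are missing from it, and how many groups sops will require. All file contents in it are constructed samples: the two fingerprints are the ones from the post, the ciphertext is a placeholder, and `sops_file`, `diagnose` and the other names are the example's own.

```python
"""Compare a sops-encrypted file's recorded recipients with .sops.yaml.
Editor's added example; not code from the original post, sops or sops-nix.
All file contents below are constructed samples (fingerprints from the post,
placeholder ciphertext).  Stdlib only: PyYAML is used when installed, else the
secrets file is read as JSON (sops writes JSON for *.json paths; JSON is YAML).
"""
import json
import re

try:
    import yaml
except ImportError:  # no PyYAML: JSON secrets files still work
    yaml = None

HEX40 = re.compile(r"\b[0-9A-Fa-f]{40}\b")        # PGP key fingerprint
AGE_RECIP = re.compile(r"\bage1[0-9a-z]{20,}\b")  # age public key


def load(text):
    return yaml.safe_load(text) if yaml is not None else json.loads(text)


def expected_recipients(sops_yaml_text):
    """Every pgp fingerprint / age recipient named in .sops.yaml.
    Simplification (assumption): with one creation rule, as in the post, this
    is exactly the recipient set; a full check would pick the rule whose
    path_regex matches the file."""
    fps = {m.upper() for m in HEX40.findall(sops_yaml_text)}
    return fps | set(AGE_RECIP.findall(sops_yaml_text))


def key_groups(meta):
    """Recipients per key group in the file's own `sops:` metadata.
    sops flattens a single group into top-level `pgp:`/`age:` lists and writes
    `key_groups:` only for several groups.  kms/vault entries are ignored."""
    groups = []
    for g in meta.get("key_groups") or [meta]:
        recips = {e["fp"].upper() for e in (g.get("pgp") or [])}
        recips |= {e["recipient"] for e in (g.get("age") or [])}
        if recips:
            groups.append(recips)
    return groups


def diagnose(secret_text, sops_yaml_text):
    expected = expected_recipients(sops_yaml_text)
    doc = load(secret_text)
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not meta:
        return {"encrypted": False, "required_groups": 0, "groups": [],
                "missing": sorted(expected),
                "verdict": "no sops metadata: the file is not sops-encrypted"}
    groups = key_groups(meta)
    # sops needs every group unless shamir_threshold lowers that, so empty
    # metadata is what yields "0 successful groups required, got 0".
    required = meta.get("shamir_threshold") or len(groups)
    missing = sorted(expected - set().union(*groups))
    if not groups:
        verdict = "metadata lists no recipients (0 required, got 0)"
    elif missing:
        verdict = "recipients from .sops.yaml absent in file: run `sops updatekeys`"
    else:
        verdict = "recipient sets agree; look at the key import on the host"
    return {"encrypted": True, "required_groups": required,
            "groups": [sorted(g) for g in groups], "missing": missing,
            "verdict": verdict}


# --- constructed samples (not real files) --------------------------------
SOPS_YAML = r"""
keys:
  - &admin_manji 5C3960F507DD4ACC468EE93FE6C10F242BF4141B
  - &nixvm fc5624a466cdf7729a4be7e41d407079412e01bc
creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - pgp:
          - *admin_manji
          - *nixvm
"""
ADMIN = "5C3960F507DD4ACC468EE93FE6C10F242BF4141B"
NIXVM = "FC5624A466CDF7729A4BE7E41D407079412E01BC"
ENC = "ENC[AES256_GCM,data:AAAA,iv:AAAA,tag:AAAA,type:str]"  # placeholder


def sops_file(fps):
    """A sops file encrypted to `fps`, with placeholder ciphertext."""
    return json.dumps({
        "password_manji": ENC,
        "sops": {"kms": [], "gcp_kms": [], "azure_kv": [], "hc_vault": [],
                 "age": [], "lastmodified": "2024-01-01T00:00:00Z", "mac": ENC,
                 "pgp": [{"created_at": "2024-01-01T00:00:00Z",
                          "enc": "-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----",
                          "fp": fp} for fp in fps],
                 "unencrypted_suffix": "_unencrypted", "version": "3.8.1"}}, indent=2)


PLAINTEXT_FILE = json.dumps({"password_manji": "<somehashvalue>"})
STALE_FILE = sops_file([ADMIN])        # encrypted before nixvm was added
GOOD_FILE = sops_file([ADMIN, NIXVM])  # after `sops updatekeys`
```

Against real files, `diagnose(open("secrets/default.yaml").read(), open(".sops.yaml").read())` needs PyYAML for a YAML secrets file; the verdict strings are the example's own wording, not sops output. Note that the fingerprint sops-nix prints for the imported host key is lowercase while sops metadata usually records it uppercase, which is why the comparison normalises case.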