setupSecretsForUsers fails when only ssh_host_ed25519_key is provided through nixos-everywhere #427
Comments
After reading https://github.com/Mic92/sops-nix/blob/master/modules/sops/default.nix I set `sops.gnupg.sshKeyPaths = [];` Then So, maybe it would make sense to change
I don't know Go but I guess changing this line to just print a warning would solve the issue:
Worked for me as well. Also found out that disabling the openssh service allowed user passwords to be installed correctly. Not interesting in a lot of cases, but maybe relevant for the problem.
I'm trying to provision a VM with `nixos-everywhere`. The root password is set with `sops-nix`:

and the sops key is derived from `/etc/ssh/ssh_host_ed25519_key` as an age key.

I know this setup works well because I already use this code on many machines.

To set up this new VM, I created a new `/etc/ssh/ssh_host_ed25519_key` for the VM and added the corresponding age key to my `.sops.yaml` as usual.

Then I launched `nixos-everywhere` with this command:

```
nix run github:numtide/nixos-anywhere -- --flake .#nixos-testvm --extra-files /tmp/tmp.Ese7hBI2bl root@vm
```

The extrafiles:

Then, when first activating the new VM conf, `setupSecretsForUsers` fails because it tries to read `/etc/ssh/ssh_host_rsa_key` which doesn't exist.

`/etc/ssh/ssh_host_rsa_key` doesn't exist because the VM hasn't booted yet and so `sshd` didn't create it.

I don't see why it prevents sops from decrypting the secrets with the age key derived from `/etc/ssh/ssh_host_ed25519_key`.

I am not sure I have the correct understanding of the situation though because I'm basically following this guide https://github.com/nix-community/nixos-anywhere/blob/main/docs/howtos/secrets.md and so I suppose it should be working in this use case.
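A pre-flight check for the situation described in this issue, as an added example that is not part of the original post nor code from sops-nix or nixos-anywhere: it stages the ed25519 host key into an `--extra-files` tree with mode 0600 and lists which key paths the configuration expects but the target will not have at first activation. The function names are hypothetical; the two key paths are the ones named in the issue.

```shell
#!/bin/sh
# Added example (hypothetical helper names): prepare an --extra-files tree and
# detect host-key paths that will be absent before sshd has ever run.

# stage_host_key SRC ROOT
# Copy the private key SRC to ROOT/etc/ssh/ssh_host_ed25519_key with mode 0600.
stage_host_key() {
    src=$1 root=$2
    [ -f "$src" ] || { echo "no such key: $src" >&2; return 1; }
    install -d -m 755 "$root/etc/ssh" || return 1
    install -m 600 "$src" "$root/etc/ssh/ssh_host_ed25519_key" || return 1
}

# missing_key_paths ROOT PATH...
# Print every absolute PATH that has no regular file under ROOT.
# Returns 1 if at least one path is missing, 0 otherwise.
missing_key_paths() {
    root=$1; shift
    rc=0
    for p in "$@"; do
        [ -f "$root$p" ] || { printf '%s\n' "$p"; rc=1; }
    done
    return $rc
}

# key_mode_ok ROOT
# True only if the staged private key has exactly mode 0600, so it is not
# copied to the target readable by group or others.
key_mode_ok() {
    [ -n "$(find "$1/etc/ssh/ssh_host_ed25519_key" -prune -perm 600 2>/dev/null)" ]
}
```

Run `missing_key_paths "$root" /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key` against the staged tree before invoking the installer; any path it prints is one that a secrets activation step reading it would not find on first boot.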